[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f49i8ChPYU-cSFuBnac-SJ7Eb7VjGd4a3Qyhzyp8rduA":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":31},"CVE-2026-2724","unlimited-elements-for-elementor-unauthenticated-stored-cross-site-scripting-via-form-entry-fields","Unlimited Elements For Elementor \u003C= 2.0.5 - Unauthenticated Stored Cross-Site Scripting via Form Entry Fields","The Unlimited Elements for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form entry fields in all versions up to, and including, 2.0.5. This is due to insufficient input sanitization and output escaping on form submission data displayed in the admin Form Entries Trash view. 
This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator views the trashed form entries.","unlimited-elements-for-elementor",null,"\u003C=2.0.5","2.0.6","high",7.2,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-03-09 21:26:51","2026-03-10 09:59:00",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F68d4aa8c-70f9-46ba-92ce-fbb427954e86?source=api-prod",1,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-2724\n\n## 1. Vulnerability Summary\nThe **Unlimited Elements For Elementor** plugin (\u003C= 2.0.5) contains an unauthenticated stored cross-site scripting (XSS) vulnerability. The flaw exists because the plugin fails to sanitize and escape user-submitted form data when displaying it in the **Form Entries Trash** view within the WordPress admin dashboard. An unauthenticated attacker can submit a form containing a malicious script, which will then execute in the context of an administrator's browser when they view the trashed entries.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `wp-admin\u002Fadmin-ajax.php` (Inferred for form submission).\n*   **Action:** Likely `unlimited_elements_submit_form` or `ue_form_submit` (Inferred based on plugin naming conventions).\n*   **Vulnerable Parameter:** Individual form field values (e.g., `field_1`, `name`, `email`).\n*   **Authentication:** None required for the submission.\n*   **Preconditions:** \n    1.  The plugin must have at least one form widget active on a public page.\n    2.  An administrator must move the malicious submission to the \"Trash\" and then navigate to the Trash view.\n\n## 3. Code Flow (Inferred)\n1.  **Entry Point:** An unauthenticated user sends a POST request to `admin-ajax.php` with an action related to form submission.\n2.  
**Processing:** The plugin receives the POST data. It likely saves this data into a custom database table (e.g., `wp_unlimited_elements_form_entries`) or a custom post type.\n3.  **Lack of Sanitization:** During the saving process, the input is not passed through `sanitize_text_field()` or `wp_kses()`.\n4.  **Admin Interaction:** An administrator views the \"Form Entries\" page in the plugin settings, identifies the malicious entry, and clicks \"Trash\".\n5.  **Sink:** The administrator navigates to the \"Trash\" tab. The plugin retrieves the trashed entries from the database and echoes the field values directly into the HTML table without using `esc_html()` or `esc_attr()`.\n\n## 4. Nonce Acquisition Strategy\nUnlimited Elements typically enqueues a JavaScript configuration object to handle AJAX form submissions.\n\n1.  **Identify Shortcode:** The plugin uses various widgets. To ensure the scripts are loaded, create a page with a form widget. \n    *   *Action:* `wp post create --post_type=page --post_status=publish --post_title=\"Contact\" --post_content='[unlimited_elements_form]'` (Exact shortcode name needs verification via `grep -r \"add_shortcode\" .`).\n2.  **Locate Nonce:** The nonce is likely stored in a localized script variable.\n    *   *Common Variable:* `unlimited_elements_ajax_object` or `ue_ajax_obj`.\n    *   *Command:* Use `browser_navigate` to the created page.\n    *   *Command:* `browser_eval(\"window.unlimited_elements_ajax_object?.nonce\")` or `browser_eval(\"window.ue_ajax_obj?.nonce\")`.\n3.  **Bypass Check:** If the `wp_ajax_nopriv_` handler does not call `check_ajax_referer` or `wp_verify_nonce`, the nonce acquisition step can be skipped.\n\n## 5. Exploitation Strategy\n### Step 1: Discover the Form Action\nSearch the plugin files to find the AJAX handler for form submissions.\n```bash\ngrep -rn \"wp_ajax_nopriv_\" . 
| grep \"form\"\n```\n\n### Step 2: Submit Malicious Entry\nSend a POST request to the identified AJAX action.\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** POST\n*   **Content-Type:** `application\u002Fx-www-form-urlencoded`\n*   **Parameters:**\n    *   `action`: (Identified in Step 1, e.g., `ue_submit_form`)\n    *   `nonce`: (Acquired in Section 4)\n    *   `form_id`: (Likely required, can be found in the page source where the widget is placed)\n    *   `field_name`: `\u003Cscript>alert('XSS_SUCCESS_CVE_2026_2724')\u003C\u002Fscript>`\n\n### Step 3: Trigger the Sink (Simulate Admin)\nSince this is a **Stored XSS in the Trash view**, the payload won't fire on the main entries page.\n1.  Log in as Admin.\n2.  Navigate to the Form Entries page.\n3.  Trash the malicious entry.\n4.  Navigate to the Trash view (e.g., `wp-admin\u002Fadmin.php?page=unlimited_elements_form_entries&status=trash`).\n\n## 6. Test Data Setup\n1.  **Activate Plugin:** Ensure \"Unlimited Elements For Elementor\" version 2.0.5 is active.\n2.  **Create Form:** Create a simple form using the plugin's widget on a new WordPress page.\n3.  **Identify Table:** Check the database to see where entries are stored:\n    ```bash\n    wp db query \"SHOW TABLES LIKE '%unlimited_elements%';\"\n    ```\n\n## 7. Expected Results\n*   The form submission returns a success JSON response: `{\"success\":true, ...}`.\n*   When the admin navigates to the Trash view, the browser executes the payload, appearing as an alert box or a log in the console.\n\n## 8. Verification Steps\n1.  **Database Check:** Verify the payload is stored raw in the database.\n    ```bash\n    wp db query \"SELECT * FROM wp_ue_form_entries WHERE entry_data LIKE '%\u003Cscript>%';\"\n    ```\n2.  
**HTML Response Check:** Use the `http_request` tool (as admin) to fetch the trash view and grep for the raw script tag.\n    ```bash\n    # Note: Use the admin cookie in this request\n    # GET \u002Fwp-admin\u002Fadmin.php?page=unlimited_elements_form_entries&status=trash\n    ```\n\n## 9. Alternative Approaches\n*   **Field Injection:** If the primary name\u002Femail fields are sanitized, try injecting into hidden fields or metadata fields often sent by Elementor widgets (e.g., `page_url`, `user_agent`).\n*   **Shortcode Injection:** If unauthenticated form submission is disabled, check if a Contributor-level user can inject the payload via shortcode attributes if they are displayed in the same admin view.\n*   **Direct DB Insertion:** If the AJAX endpoint is difficult to hit, use `wp db query` to manually insert the payload into the entries table to verify if the *output* escaping is truly missing in the Trash view.","The Unlimited Elements For Elementor plugin for WordPress is vulnerable to unauthenticated Stored Cross-Site Scripting via form entry fields in versions up to 2.0.5. This occurs because the plugin does not adequately sanitize user-submitted form data or escape it when displaying entries in the admin 'Form Entries Trash' view, allowing scripts to execute in an administrator's browser context.","1. Identify a public page on the target site containing a form generated by the Unlimited Elements plugin.\n2. Submit a malicious payload (e.g., \u003Cscript>alert('XSS')\u003C\u002Fscript>) via an unauthenticated POST request to the WordPress AJAX endpoint (wp-admin\u002Fadmin-ajax.php) using the relevant form submission action.\n3. The payload is stored in the plugin's form entries database table without sanitization.\n4. An administrator must then log in and navigate to the plugin's 'Form Entries' section.\n5. The administrator must 'Trash' the malicious entry and then navigate specifically to the 'Trash' tab\u002Fview.\n6. 
The payload executes when the trashed entries are rendered in the administrator's browser.","gemini-3-flash-preview","2026-04-18 05:11:21","2026-04-18 05:11:41",{"type":32,"vulnerable_version":33,"fixed_version":9,"vulnerable_browse":34,"vulnerable_zip":35,"fixed_browse":9,"fixed_zip":9,"all_tags":36},"plugin","1.5.132","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Funlimited-elements-for-elementor\u002Ftags\u002F1.5.132","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Funlimited-elements-for-elementor.1.5.132.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Funlimited-elements-for-elementor\u002Ftags"]