CVE-2026-4659

| EUVD-2026-23380 HIGH
2026-04-17 Wordfence
Path Traversal WordPress
7.5
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Analysis Updated
Apr 17, 2026 - 07:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 17, 2026 - 07:22 vuln.today
cvss_changed
Analysis Generated
Apr 17, 2026 - 07:13 vuln.today

DescriptionNVD

The Unlimited Elements for Elementor plugin for WordPress is vulnerable to Arbitrary File Read via the Repeater JSON/CSV URL parameter in versions up to, and including, 2.0.6. This is due to insufficient path traversal sanitization in the URLtoRelative() and urlToPath() functions, combined with the ability to enable debug output in widget settings. The URLtoRelative() function only performs a simple string replacement to remove the site's base URL without sanitizing path traversal sequences (../), and the cleanPath() function only normalizes directory separators without removing traversal components. This allows an attacker to provide a URL like http://site.com/../../../../etc/passwd which, after URLtoRelative() strips the domain, results in /../../../../etc/passwd being concatenated with the base path and ultimately resolved to /etc/passwd. This makes it possible for authenticated attackers with Author-level access and above to read arbitrary local files from the WordPress host, including sensitive files such as wp-config.

AnalysisAI

Path traversal in Unlimited Elements for Elementor (WordPress plugin ≤2.0.6) enables authenticated attackers with Author-level privileges to read arbitrary files from the web server via crafted URLs in the Repeater JSON/CSV URL parameter. The vulnerability chains multiple sanitization failures in URLtoRelative(), urlToPath(), and cleanPath() functions, allowing traversal sequences like ../../../../etc/passwd to bypass domain-stripping logic and access sensitive files including wp-config.php. …

Sign in for full analysis, threat intelligence, and remediation guidance.

RemediationAI

Within 24 hours: Identify all WordPress instances using Unlimited Elements for Elementor and document current installed version. Within 7 days: Restrict Author-level user capabilities in WordPress admin settings and review user roles to minimize exposure; consider disabling the Repeater JSON/CSV URL parameter feature if functionality permits. …

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

CVE-2026-4659 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy