Skip to main content

WordPress CVE-2026-4659

| EUVD-2026-23380 HIGH
Path Traversal (CWE-22)
2026-04-17 Wordfence
Path Traversal WordPress Elementor
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

6
Analysis Updated
Apr 17, 2026 - 07:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 17, 2026 - 07:22 vuln.today
cvss_changed
Analysis Generated
Apr 17, 2026 - 07:13 vuln.today
EUVD ID Assigned
Apr 17, 2026 - 07:00 euvd
EUVD-2026-23380
Analysis Generated
Apr 17, 2026 - 07:00 vuln.today
CVE Published
Apr 17, 2026 - 06:44 nvd
HIGH 7.5

DescriptionCVE.org

The Unlimited Elements for Elementor plugin for WordPress is vulnerable to Arbitrary File Read via the Repeater JSON/CSV URL parameter in versions up to, and including, 2.0.6. This is due to insufficient path traversal sanitization in the URLtoRelative() and urlToPath() functions, combined with the ability to enable debug output in widget settings. The URLtoRelative() function only performs a simple string replacement to remove the site's base URL without sanitizing path traversal sequences (../), and the cleanPath() function only normalizes directory separators without removing traversal components. This allows an attacker to provide a URL like http://site.com/../../../../etc/passwd which, after URLtoRelative() strips the domain, results in /../../../../etc/passwd being concatenated with the base path and ultimately resolved to /etc/passwd. This makes it possible for authenticated attackers with Author-level access and above to read arbitrary local files from the WordPress host, including sensitive files such as wp-config.

AnalysisAI

Path traversal in Unlimited Elements for Elementor (WordPress plugin ≤2.0.6) enables authenticated attackers with Author-level privileges to read arbitrary files from the web server via crafted URLs in the Repeater JSON/CSV URL parameter. The vulnerability chains multiple sanitization failures in URLtoRelative(), urlToPath(), and cleanPath() functions, allowing traversal sequences like ../../../../etc/passwd to bypass domain-stripping logic and access sensitive files including wp-config.php. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Authenticate with Author credentials
Delivery
Access Elementor editor
Exploit
Enable debug mode in Repeater widget
Install
Inject traversal URL (http://site.com/../../../../wp-config.php)
C2
URLtoRelative() strips domain
Execute
Path traversal resolves to /wp-config.php
Impact
Debug output displays file contents
Step 8
Exfiltrate credentials and secrets
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Requires authenticated access with Author-level privileges or higher on the WordPress installation. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is elevated but requires authentication and specific plugin configuration. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with Author-level WordPress credentials logs into the admin dashboard and navigates to a page using the Unlimited Elements Repeater widget. They edit the widget settings to enable debug output, then modify the JSON/CSV URL parameter to http://victimsite.com/../../../../wp-config.php. …
Remediation Update Unlimited Elements for Elementor to version 2.0.7 or later, as changeset 3504458 (https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3504458%40unlimited-elements-for-elementor&new=3504458%40unlimited-elements-for-elementor) indicates a patch addressing path traversal issues in the affected functions. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Identify all WordPress instances using Unlimited Elements for Elementor and document current installed version. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-8157 HIGH POC
8.8 Jun 22

The Vitepos WordPress plugin before 3.4.2 does not properly restrict the roles that can be assigned when creating new u
CVE-2026-8089 HIGH POC
7.1 Jun 17

The weMail: Email Marketing, Email Automation, Newsletters, Subscribers & Email Optins for WooCommerce WordPress plugin

CVE-2026-9570 HIGH POC
7.1 Jun 17

The Taskbuilder WordPress plugin before 5.0.8 does not properly sanitise a URL parameter before echoing it into inline

CVE-2026-4259 HIGH POC
7.1 Jun 22

The ultimate-woocommerce-auction-pro WordPress plugin through 2.4.5 does not sanitise and escape a parameter before outp
CVE-2026-6858 HIGH POC
7.1 Jun 22

The Transbank Webpay WordPress plugin before 1.14.0 does not sanitize and escape logs to be displayed, allowing unauthen

Share

CVE-2026-4659 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy