CVE-2024-2662 Information
May 15, 2024
cve
Description
The Unlimited Elements For Elementor (Free Widgets Addons Templates) plugin for WordPress is vulnerable to command injection in all versions up to and including 1.5.102. This is due to insufficient filtering of template attributes during the creation of HTML for custom widgets This makes it possible for authenticated attackers with administrator-level access and above to execute arbitrary commands on the server.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Reference
https://plugins.trac.wordpress.org/changeset/3071404/unlimited-elements-for-elementor/trunk/inc_php/unitecreator_template_engine.class.php https://www.wordfence.com/threat-intel/vulnerabilities/id/58492dbb-b9e0-4477-b85d-ace06dba954c?source=cve
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction Required
HIGH
Scope
NONE
Confidentiality Impact
UNCHANGED
Integrity Impact
HIGH
Availability Impact
HIGH
Base Score
HIGH
Base Severity
7.2
Share on: