Overview
A critical security vulnerability, identified as CVE-2025-13692, has been discovered in the Unlimited Elements For Elementor plugin for WordPress. This vulnerability is a Stored Cross-Site Scripting (XSS) flaw affecting all versions up to and including 2.0. It allows unauthenticated attackers to inject malicious JavaScript code into WordPress pages, potentially compromising user accounts and website integrity. This is achieved through the upload of specially crafted SVG files.
Technical Details
The vulnerability stems from insufficient input sanitization and output escaping within the plugin’s SVG file upload functionality. Specifically, the plugin fails to properly sanitize user-supplied data during the upload and storage of SVG files. This means that malicious JavaScript code embedded within an SVG file can be stored on the server. When a user accesses the uploaded SVG file (e.g., by viewing a page where the SVG is displayed), the stored JavaScript code executes within the user’s browser. While the exploitation requires a form with a file upload field created using the premium version of the plugin, the vulnerability remains exploitable even after the premium version is deactivated or uninstalled.
The relevant code sections contributing to the vulnerability are located in the following files (as referenced in the WordPress Trac):
CVSS Analysis
The Common Vulnerability Scoring System (CVSS) score for CVE-2025-13692 is 7.2, indicating a HIGH severity vulnerability. This score reflects the potential impact and exploitability of the flaw. The high score is attributed to the fact that an unauthenticated attacker can inject malicious code that will execute in the context of other users’ browsers.
Possible Impact
Successful exploitation of this XSS vulnerability can have severe consequences, including:
- Account Compromise: Attackers can steal user session cookies, allowing them to impersonate legitimate users and gain unauthorized access to their accounts.
- Website Defacement: Attackers can modify website content, redirect users to malicious websites, or inject unwanted advertisements.
- Malware Distribution: Attackers can inject malicious code that downloads and executes malware on users’ computers.
- Data Theft: Sensitive data, such as personal information or financial details, could be stolen.
Mitigation and Patch Steps
The recommended mitigation is to update the Unlimited Elements for Elementor plugin to the latest version. The vulnerability has been addressed in subsequent versions. You can update the plugin directly from your WordPress dashboard.
If you are unable to update immediately: While not a complete solution, consider temporarily disabling the “Unlimited Elements For Elementor” plugin until you can update it. You might also investigate if your security plugin (e.g. Wordfence) provides virtual patching or firewall rules to mitigate this specific vulnerability, but always prioritize a proper update.
According to the Unlimited Elements changelog, the issue has been resolved. You should upgrade to the latest version as soon as possible.
