CVE-2025-1663 in Unlimited Elements for Elementor Plugin
Summary
by MITRE • 04/03/2025
The Unlimited Elements For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widgets in all versions up to, and including, 1.5.142 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Analysis
by VulDB Data Team • 05/19/2026
The Unlimited Elements For Elementor plugin contains a critical stored cross-site scripting vulnerability affecting all versions up to and including 1.5.142. It stems from inadequate input sanitization and output escaping in the plugin's widget implementation. The flaw is exploitable by authenticated attackers holding Contributor-level access or higher within the WordPress environment, which makes it particularly concerning: it turns legitimate, low-privilege user permissions into a means of executing malicious code. Because multiple widgets are affected, the plugin exposes several entry points that a threat actor with minimal privileges can use.
Technically the issue falls under CWE-79, the weakness class in which an application allows attackers to inject script into web pages. Here the vulnerability is stored: the malicious script is persisted in the application's database and served on later requests, rather than being reflected back within a single request. When users access pages containing the injected script, it executes in their browsers; for authenticated users this can lead to session hijacking, credential theft, or further compromise of the affected WordPress installation. The plugin fails to sanitize user input before storing it and then fails to adequately escape that stored data when rendering content to end users, so the script is both accepted and emitted unchanged.
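The sanitization-and-escaping failure described above, shown as an added example that is not code from the Unlimited Elements plugin: a toy widget renderer in its vulnerable form beside a hardened one. The `esc_attr`, `esc_html` and `esc_url` definitions are simplified stand-ins so the file runs under plain `php` outside WordPress; in a real plugin the WordPress functions of those names are already defined and the stand-ins are skipped. The settings values are constructed.

```php
<?php
// Added example, not code from the Unlimited Elements plugin.
// Stand-ins for the WordPress escaping helpers so this file runs under plain
// `php` outside WordPress; inside a plugin the real esc_attr(), esc_html() and
// esc_url() are already defined and these blocks are skipped.
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    // Simplified stand-in: keep only http(s) URLs. WordPress's esc_url applies
    // a fuller protocol allow-list and likewise returns '' for javascript: URLs.
    function esc_url(string $s): string {
        return preg_match('#^https?://#i', trim($s))
            ? htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
            : '';
    }
}

// Constructed widget settings, as a Contributor-level account could save them.
// Each value lands in a different HTML context: text, URL attribute, id attribute.
$settings = [
    'title'  => 'Team <img src=x onerror=alert(1)>',
    'link'   => 'javascript:alert(1)',
    'css_id' => 'hero" autofocus onfocus="alert(1)',
];

// Vulnerable pattern: stored values are concatenated into HTML unchanged.
function render_widget_unsafe(array $s): string {
    return '<div id="' . $s['css_id'] . '">'
         . '<a href="' . $s['link'] . '">' . $s['title'] . '</a></div>';
}

// Hardened pattern: every value is escaped for the exact context it lands in.
function render_widget_safe(array $s): string {
    return '<div id="' . esc_attr($s['css_id']) . '">'
         . '<a href="' . esc_url($s['link']) . '">' . esc_html($s['title']) . '</a></div>';
}

echo "unsafe: ", render_widget_unsafe($settings), PHP_EOL;
echo "safe:   ", render_widget_safe($settings), PHP_EOL;
```

Run with `php widget.php`: the first line shows the event-handler attribute, the broken-out `id` attribute and the `javascript:` URL all reaching the page; the second shows each one neutralized by the escaper for its context. For a field that legitimately carries limited HTML, the matching WordPress function is `wp_kses_post()` at save time and at output rather than `esc_html()`. WordPress core already strips script from post content saved by Contributors, who lack the `unfiltered_html` capability, but a widget that stores and prints its own settings sits outside that filter, which is why the plugin itself has to sanitize on save and escape on output.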
The operational impact extends beyond a single script execution, because the injected script persists in the WordPress site and runs on every view. Attackers with Contributor privileges can inject scripts that modify page content, redirect users to malicious sites, or harvest sensitive information from authenticated sessions. The implications are severe because Contributors can create and edit posts, so a script placed in that content executes whenever any user views the page. In multi-user environments where many Contributors have access, a single successful injection can therefore reach the entire user base.
Mitigation strategies for this vulnerability should focus on immediate plugin updates to versions that address the sanitization and escaping issues. Organizations should also implement additional security measures including role-based access controls that limit contributor privileges to only essential functions, regular security audits of plugin installations, and monitoring for unauthorized script injections. Network-based intrusion detection systems should be configured to monitor for suspicious script content in web traffic, while application firewalls can help filter malicious payloads before they reach the WordPress application. The ATT&CK framework categorizes this type of vulnerability under T1546.001 for Windows Remote Management and related techniques that involve persistence through legitimate user privileges. Regular security assessments should include vulnerability scanning of WordPress plugins to identify similar issues, and organizations should maintain updated security baselines that enforce proper input validation and output escaping across all web applications.
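One way to carry out the monitoring for unauthorized script injections recommended above, as an added example that is neither VulDB's nor the plugin's code: a review script that walks stored widget settings and reports string values carrying the three usual stored-XSS carriers. The rows are constructed, and the `post_id` / `role` / `settings` column shape is an assumption about how the saved settings were exported.

```php
<?php
// Added example (not VulDB or plugin code): review stored widget settings for
// markup that has no business in content saved by a Contributor.

// The three usual carriers of stored XSS in HTML. Tuned for review output
// (few misses), not as a blocking filter, so expect some false positives.
const XSS_MARKERS = [
    'script_tag'    => '/<\s*script\b/i',
    'event_handler' => '/\s+on[a-z]+\s*=/i',
    'js_url'        => '/(?:^\s*|(?:href|src)\s*=\s*["\']?\s*)javascript:/i',
];

function find_xss_markers(string $text): array {
    $hits = [];
    foreach (XSS_MARKERS as $name => $re) {
        if (preg_match($re, $text) === 1) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Walk the decoded settings tree and return matching string values keyed by
// their dotted path, so a reviewer knows which widget field to inspect.
function scan_settings($node, string $path = ''): array {
    $findings = [];
    if (is_array($node)) {
        foreach ($node as $key => $value) {
            $child = $path === '' ? (string) $key : "$path.$key";
            $findings += scan_settings($value, $child);
        }
    } elseif (is_string($node)) {
        $hits = find_xss_markers($node);
        if ($hits) {
            $findings[$path] = $hits;
        }
    }
    return $findings;
}

// Constructed rows standing in for an export of saved widget settings; the
// post_id / role / settings columns are an assumption about the export shape.
$rows = [
    ['post_id' => 101, 'role' => 'contributor',
     'settings' => '{"title":"Our team","items":[{"label":"Docs","url":"https://example.com/docs"}]}'],
    ['post_id' => 102, 'role' => 'contributor',
     'settings' => '{"title":"Hi <img src=x onerror=alert(1)>","items":[{"label":"Go","url":"javascript:alert(1)"}]}'],
    ['post_id' => 103, 'role' => 'editor',
     'settings' => '{"title":"<b>Plain bold</b>"}'],
];

foreach ($rows as $row) {
    $decoded  = json_decode($row['settings'], true);
    $findings = scan_settings($decoded ?? []);
    if ($findings === []) {
        continue;
    }
    // Role is printed so reviewers can triage: Contributors should never
    // produce these hits, since WordPress denies them unfiltered_html.
    printf("post %d (%s):\n", $row['post_id'], $row['role']);
    foreach ($findings as $path => $hits) {
        printf("  %s -> %s\n", $path, implode(', ', $hits));
    }
}
```

On the constructed rows only post 102 is reported, with `title -> event_handler` and `items.0.url -> js_url`; the plain `<b>` markup in post 103 is not a carrier and stays quiet. In practice the rows would come from the database table where the plugin stores widget settings, and the same markers can be applied to post content and to the web server's request logs to confirm whether a flagged payload was ever served.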