Unrestricted Upload of File with Dangerous Type vulnerability in Unlimited Elements Unlimited Elements For Elementor (Free Widgets, Addons, Templates) allows Upload a Web Shell to a Web Server.This issue affects Unlimited Elements For Elementor (Free Widgets, Addons, Templates): from n/a through 1.5.60.
The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) and results from insufficient validation of file types uploaded through the plugin's functionality. An attacker with basic user privileges (PR:L) can upload a malicious file β such as a web shell β directly to the web server. Once the file is placed on the server, it can be executed remotely by directly referencing the uploaded resource.
An attacker can gain full control over the web server through arbitrary code execution (RCE) via an uploaded web shell, resulting in violation of system confidentiality, integrity, and availability, as well as potentially the entire infrastructure (scope S:C).
The Unlimited Elements For Elementor plugin should be updated immediately to a version higher than 1.5.60. Details regarding the version containing the patch are available in the vendor references and in the Patchstack database.
WordPress plugin Unlimited Elements For Elementor (Free Widgets, Addons, Templates) in versions from the beginning through 1.5.60 inclusive.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HUnlimited Elements For Elementor
APPUnlimited-Elements< 1.5.61
Related vulnerabilities
RCE przez Deserialization w pluginie Unlimited Elements For Elementor
Nieograniczony upload plikΓ³w w wtyczce Unlimited Elements For Elementor
Unrestricted File Upload w wtyczce Unlimited Elements For Elementor
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Unlimite...
Missing Authorization vulnerability in Unlimited Elements Unlimited Elements For Elementor (Free Widgets, Addo...