Unrestricted Upload of File with Dangerous Type vulnerability in Unlimited Elements Unlimited Elements For Elementor (Free Widgets, Addons, Templates).This issue affects Unlimited Elements For Elementor (Free Widgets, Addons, Templates): from n/a through 1.5.65.
The vulnerability classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) involves the lack of proper validation of the file extension or type being uploaded. An authenticated user (even with low privileges) can upload an executable file, such as a PHP script, through the vulnerable upload mechanism of the plugin. Once such a file is placed on the server, an attacker can invoke it through a browser and execute arbitrary code in the context of the web server. The CVSS vector indicates a change in scope (Scope Changed), which means the impact may extend beyond the WordPress application itself.
An attacker can gain full control over the server through remote code execution (RCE), and can also compromise the confidentiality, integrity, and availability of data and the entire hosting environment.
The Unlimited Elements For Elementor plugin should be immediately updated to a version higher than 1.5.65. Details regarding the patched version are available in the manufacturer's references and in the Patchstack database.
The Unlimited Elements For Elementor plugin (Free Widgets, Addons, Templates) in versions from the beginning up to and including 1.5.65, installed on the WordPress platform.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HUnlimited Elements For Elementor
APPUnlimited-Elements< 1.5.66
Related vulnerabilities
RCE przez Deserialization w pluginie Unlimited Elements For Elementor
Nieograniczony upload plików w wtyczce Unlimited Elements For Elementor
Unrestricted File Upload umożliwiający Web Shell w pluginie Unlimited Elements For Elementor
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Unlimite...
Missing Authorization vulnerability in Unlimited Elements Unlimited Elements For Elementor (Free Widgets, Addo...