CVE-2024-13155

moderate-risk

Published 2025-02-20

The Unlimited Elements For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Transparent Split Hero widget in all versions up to, and including, 1.5.140 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Note: Since the widget code isn't part of the code base, to apply the patch, the affected widget: Transparent Split Hero must be deleted and reinstalled manually.

Do I need to act?

0.13% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.4/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Unlimited Elements For Elementor

Affected Vendors

Unlimited-Elements

References (3)

Product https://unlimited-elements.com/change-log/

Product https://wordpress.org/plugins/unlimited-elements-for-elementor/#developers

Third Party Advisory https://www.wordfence.com/threat-intel/vulnerabilities/id/63ba4880-9fbb-42e3-a8d...

/ 100

moderate-risk

Severity 24/34 · High

Exploitability 1/34 · Minimal

Exposure 5/34 · Minimal