CVE-2025-14274
📋 TL;DR
This vulnerability allows authenticated WordPress users with Contributor-level access or higher to inject malicious scripts into web pages via the Border Hero widget's Button Link field. The stored XSS payload executes whenever users visit compromised pages, potentially stealing credentials or performing unauthorized actions. All WordPress sites using Unlimited Elements for Elementor plugin versions up to 2.0.1 are affected.
💻 Affected Systems
- Unlimited Elements for Elementor WordPress plugin
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, deface websites, redirect users to malicious sites, or perform actions as authenticated users, potentially leading to complete site compromise.
Likely Case
Attackers with contributor access inject malicious scripts to steal user session cookies or credentials, potentially escalating privileges or compromising user accounts.
If Mitigated
With proper user role management and input validation, impact is limited to low-privilege user data exposure on affected pages only.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once attacker has contributor privileges. No public exploit code available yet.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.0.2
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find 'Unlimited Elements for Elementor'
4. Click 'Update Now' if update available
5. Alternatively, download version 2.0.2+ from WordPress repository
6. Deactivate old version and upload new version
7. Activate updated plugin
🔧 Temporary Workarounds
Disable Border Hero Widget
allTemporarily disable the vulnerable Border Hero widget to prevent exploitation
Navigate to Elementor → Settings → Advanced → Disable 'Border Hero' widget
Restrict User Roles
allTemporarily restrict contributor-level access or review user permissions
Navigate to Users → All Users → Edit user roles to remove contributor access from untrusted users
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to limit script execution
- Add WAF rules to block XSS payloads in URL parameters and monitor for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Unlimited Elements for Elementor → Version. If version is 2.0.1 or lower, you are vulnerable.Check Version:
wp plugin list --name='unlimited-elements-for-elementor' --field=versionVerify Fix Applied:
After updating, verify plugin version shows 2.0.2 or higher in WordPress admin plugins page.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to wp-admin/admin-ajax.php with URL parameters containing script tags
- Multiple failed login attempts followed by successful contributor-level login
Network Indicators:
- HTTP requests containing malicious script payloads in URL parameters
- Unexpected outbound connections from WordPress site to external domains
SIEM Query:
source="wordpress.log" AND ("Border Hero" OR "unlimited-elements" OR "admin-ajax.php") AND ("<script>" OR "javascript:" OR "onerror=" OR "onload=")🔗 References
- https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/inc_php/framework/functions.class.php#L2859
- https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/inc_php/unitecreator_params_processor.class.php#L1518
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3429507%40unlimited-elements-for-elementor%2Ftrunk&old=3403331%40unlimited-elements-for-elementor%2Ftrunk&sfp_email=&sfph_mail=#file15
- https://www.wordfence.com/threat-intel/vulnerabilities/id/482c4986-3677-4754-992b-ea9be7573d2e?source=cve