CVE-2026-2724
Published: 10 March 2026
Summary
CVE-2026-2724 is a high-severity Cross-site Scripting (CWE-79) vulnerability in a WordPress plugin (Unlimited Elements for Elementor; product inferred from references). Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 35.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2026-2724 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting the Unlimited Elements for Elementor plugin for WordPress in all versions up to and including 2.0.5. The flaw arises from insufficient input sanitization and output escaping of form submission data when displayed in the admin Form Entries Trash view, allowing injected scripts to persist in trashed entries.
Unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required, as indicated by its CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N). By submitting forms with arbitrary web scripts in entry fields, attackers can store malicious payloads that execute in the administrator's browser context whenever an admin views the trashed form entries, potentially leading to account compromise or further site actions under elevated privileges.
References include code locations in the plugin's 2.0.5 tag and trunk, such as unitecreator_form.class.php at line 1151 and form_entries_view.class.php at line 336, highlighting the unsanitized output paths. A changeset (3470240) documents changes to unitecreator_form.class.php from revision 3403331, indicating a fix applied in subsequent versions. Mitigation involves updating the plugin beyond 2.0.5.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-10482
Vulnerability details
The Unlimited Elements for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form entry fields in all versions up to, and including, 2.0.5. This is due to insufficient input sanitization and output escaping on form submission data displayed in the admin Form Entries Trash view. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator views the trashed form entries.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS in a public-facing WordPress plugin directly enables exploitation of the web application (T1190) via unsanitized form input; the stored payload then executes as attacker-supplied JavaScript (T1059.007) in the administrator's browser context, facilitating session hijacking or account compromise.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and sanitization of untrusted form input to block the arbitrary script payloads that are stored and later executed.
- SI-15 (Information Output Filtering): mandates output filtering/escaping of stored form-entry data before it is rendered in the admin trash view, eliminating the XSS execution path.
- Provides mechanisms to detect and block malicious code (scripts) submitted via the unauthenticated form-entry channel before storage or execution.
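As an added example (not the plugin's own code and not taken from this page), the following stand-alone PHP script shows the render pattern described under Deeper analysis, where a stored form entry is concatenated straight into the admin trash view, beside the hardened form that the SI-10 and SI-15 controls above call for. The names esc_html() and sanitize_text_field() are real WordPress helpers, but the fallback definitions used when WordPress is not loaded, the entry array layout, the render and check functions and the sample entries are all assumptions constructed for illustration.

```php
<?php
// Added example, not the plugin's code: vulnerable admin-view rendering of
// stored form entries beside its hardened form. Runs under plain PHP CLI;
// when WordPress's esc_html()/sanitize_text_field() are not loaded, minimal
// stand-ins with the same intent are defined (assumption, not WP's code).

if (!function_exists('sanitize_text_field')) {
    // Input validation (SI-10): strip tags, control characters and whitespace.
    function sanitize_text_field(string $value): string {
        $value = strip_tags($value);
        $value = preg_replace('/[\x00-\x1F\x7F]/', '', $value);
        return trim($value);
    }
}

if (!function_exists('esc_html')) {
    // Output escaping (SI-15): make the value inert in an HTML text context.
    function esc_html(string $value): string {
        return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}

// Constructed sample entries: what an unauthenticated submission might store.
$trashed_entries = [
    ['name' => 'Alice',                      'message' => 'Hello'],
    ['name' => '<script>alert(1)</script>',  'message' => 'probe'],  // classic XSS test marker
];

// Vulnerable pattern: the stored value is concatenated into admin HTML as-is,
// so anything stored by the submitter runs in the administrator's browser.
function render_trash_row_vulnerable(array $entry): string {
    return '<tr><td>' . $entry['name'] . '</td><td>' . $entry['message'] . '</td></tr>';
}

// Hardened pattern: validate on the way in AND escape on the way out. Both are
// needed because entries stored before a fix are already in the database, so
// input validation alone would not protect the existing trash view.
function store_entry(array $raw): array {
    return array_map('sanitize_text_field', $raw);
}

function render_trash_row(array $entry): string {
    return '<tr><td>' . esc_html($entry['name']) . '</td><td>' . esc_html($entry['message']) . '</td></tr>';
}

// Defender's check: does a rendered fragment still carry a raw <script> tag?
// Useful as a regression assertion around any admin view that prints stored data.
function contains_raw_script(string $html): bool {
    return (bool) preg_match('/<script\b/i', $html);
}

foreach ($trashed_entries as $entry) {
    $vulnerable = render_trash_row_vulnerable($entry);
    $hardened   = render_trash_row($entry);             // escaping only (legacy rows)
    $both       = render_trash_row(store_entry($entry)); // sanitized at intake, then escaped

    printf("vulnerable : %s\n  raw script present: %s\n", $vulnerable, contains_raw_script($vulnerable) ? 'yes' : 'no');
    printf("escaped    : %s\n  raw script present: %s\n", $hardened,   contains_raw_script($hardened)   ? 'yes' : 'no');
    printf("sanitized+escaped: %s\n  raw script present: %s\n", $both,  contains_raw_script($both)      ? 'yes' : 'no');
}
```

Running it shows the second entry's tag surviving intact in the vulnerable row while the escaped rows contain only `&lt;script&gt;`, which the browser renders as text. The design point is that output escaping is the control that closes the execution path for data already in the database, and input sanitization reduces what gets stored in the first place; relying on only one of them leaves either legacy rows or future rows exposed.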