Cyber Resilience

CVE-2026-2724

Severity: High
Published: 10 March 2026
Modified: 22 April 2026
CVSS Score (v3.1): 7.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)
EPSS Score: 0.0015 (35.9th percentile)
Risk Priority: 14 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-2724 is a high-severity cross-site scripting (CWE-79) vulnerability affecting WordPress (inferred from references). Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 35.9th percentile by EPSS exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2026-2724 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting the Unlimited Elements for Elementor plugin for WordPress in all versions up to and including 2.0.5. The flaw arises from insufficient input sanitization and output escaping of form submission data when displayed in the admin Form Entries Trash view, allowing injected scripts to persist in trashed entries.

Unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required, as indicated by its CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N). By submitting forms with arbitrary web scripts in entry fields, attackers can store malicious payloads that execute in the administrator's browser context whenever an admin views the trashed form entries, potentially leading to account compromise or further site actions under elevated privileges.

References include code locations in the plugin's 2.0.5 tag and trunk, such as unitecreator_form.class.php at line 1151 and form_entries_view.class.php at line 336, highlighting the unsanitized output paths. A changeset (3470240) documents changes to unitecreator_form.class.php from revision 3403331, indicating a fix applied in subsequent versions. Mitigation involves updating the plugin beyond 2.0.5.
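The rendering defect described above, as an added example in plain PHP that is not the plugin's own code: a hypothetical stand-in for the admin Form Entries Trash table, showing the unescaped output path beside the escaped one. Function and field names are assumptions; htmlspecialchars() stands in for WordPress's esc_html(), and strip_tags() for sanitize_text_field().

```php
<?php
// Added example, not code from the Unlimited Elements plugin.
// Constructed sample entries: row 2 is what an unauthenticated submitter
// could leave in storage when form fields are not sanitized.
$entries = [
    ['id' => 1, 'name' => 'Alice', 'message' => 'Hello'],
    ['id' => 2, 'name' => '<script>alert(1)</script>', 'message' => 'x'],
];

// Vulnerable pattern (the bug class on this page): stored fields are
// concatenated into HTML unchanged, so markup persisted in a trashed entry
// is parsed and executed by the administrator's browser on view.
function render_trash_row_vulnerable(array $entry): string
{
    return '<tr><td>' . $entry['id'] . '</td><td>' . $entry['name']
        . '</td><td>' . $entry['message'] . '</td></tr>';
}

// Output-side control (NIST SI-15): escape every stored value at render
// time, regardless of what was stored. ENT_QUOTES covers attribute
// contexts as well as text; in a real plugin call esc_html() instead.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_trash_row_hardened(array $entry): string
{
    return '<tr><td>' . esc((string) $entry['id']) . '</td><td>'
        . esc($entry['name']) . '</td><td>' . esc($entry['message'])
        . '</td></tr>';
}

// Input-side control (NIST SI-10): strip markup before storing a field.
// This is defence in depth only; entries already in the database still
// need output escaping, which is why the fix belongs in the view.
function sanitize_entry_field(string $value): string
{
    return trim(strip_tags($value));
}

foreach ($entries as $entry) {
    // The escaped row shows the submitted text literally instead of
    // letting the browser interpret it as a script element.
    echo render_trash_row_hardened($entry), PHP_EOL;
}
```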

Vulnerability details

The Unlimited Elements for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form entry fields in all versions up to, and including, 2.0.5. This is due to insufficient input sanitization and output escaping on form submission data displayed in the admin Form Entries Trash view. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator views the trashed form entries.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 JavaScript (Execution): Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

Stored XSS in a public-facing WordPress plugin directly enables exploitation of the web application (T1190) via unsanitized form input; the payload executes as attacker-supplied JavaScript (T1059.007) in the administrator's browser context, facilitating session hijacking or account compromise.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-3231 (shared CWE-79)
CVE-2025-23481 (shared CWE-79)
CVE-2025-69302 (shared CWE-79)
CVE-2025-23734 (shared CWE-79)
CVE-2025-23571 (shared CWE-79)
CVE-2025-65110 (shared CWE-79)
CVE-2026-24948 (shared CWE-79)
CVE-2025-27352 (shared CWE-79)
CVE-2025-30349 (shared CWE-79)
CVE-2026-3876 (shared CWE-79)

Affected Assets

WordPress (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5; AI)

SI-10 Information Input Validation (prevent): Directly requires validation and sanitization of untrusted form input to block the arbitrary script payloads that are stored and later executed.

SI-15 Information Output Filtering (prevent): Mandates output filtering/escaping of stored form-entry data before it is rendered in the admin trash view, eliminating the XSS execution path.

Malicious code protection (prevent, detect): Provides mechanisms to detect and block malicious code (scripts) submitted via the unauthenticated form-entry channel before storage or execution.
