CVE-2026-4659
Published: 17 April 2026
Summary
CVE-2026-4659 is a high-severity Path Traversal (CWE-22) vulnerability in WordPress (inferred from references). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked at the 11.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI)
- Requires validation and sanitization of the Repeater JSON/CSV URL parameter to block path traversal sequences such as ../ in the URLtoRelative() and urlToPath() functions.
- Mandates timely remediation of the path traversal flaw in the Unlimited Elements for Elementor plugin in versions up to and including 2.0.6.
- Enforces access controls on local files to limit disclosure even when a traversed path resolves to a sensitive file such as wp-config.php or /etc/passwd.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
The arbitrary file read vulnerability directly enables collection of data from local system files (T1005) and access to unsecured credentials stored in files such as wp-config.php (T1552.001).
NVD Description
The Unlimited Elements for Elementor plugin for WordPress is vulnerable to Arbitrary File Read via the Repeater JSON/CSV URL parameter in versions up to, and including, 2.0.6. This is due to insufficient path traversal sanitization in the URLtoRelative() and urlToPath() functions, combined with the ability to enable debug output in widget settings. The URLtoRelative() function only performs a simple string replacement to remove the site's base URL without sanitizing path traversal sequences (../), and the cleanPath() function only normalizes directory separators without removing traversal components. This allows an attacker to provide a URL like http://site.com/../../../../etc/passwd which, after URLtoRelative() strips the domain, results in /../../../../etc/passwd being concatenated with the base path and ultimately resolved to /etc/passwd. This makes it possible for authenticated attackers with Author-level access and above to read arbitrary local files from the WordPress host, including sensitive files such as wp-config.
Deeper analysis (AI)
CVE-2026-4659 is an arbitrary file read vulnerability in the Unlimited Elements for Elementor plugin for WordPress, affecting versions up to and including 2.0.6. The flaw arises from insufficient path traversal sanitization in the URLtoRelative() and urlToPath() functions when processing the Repeater JSON/CSV URL parameter, combined with the ability to enable debug output in widget settings. The URLtoRelative() function performs only a simple string replacement to strip the site's base URL without handling ../ sequences, while the cleanPath() function normalizes directory separators but fails to remove traversal components. Published on 2026-04-17, it is associated with CWE-22 and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Authenticated attackers with Author-level access and above can exploit this vulnerability over the network with low complexity. By supplying a crafted URL such as http://site.com/../../../../etc/passwd, the plugin strips the domain to yield /../../../../etc/passwd, which is then concatenated with the base path and resolved to sensitive files like /etc/passwd or wp-config.php on the WordPress host. This enables unauthorized disclosure of arbitrary local files.
The provided references point to specific locations in the plugin's source code for version 2.0.6 on the WordPress plugin trac repository, including unitecreator_helper.class.php at lines 643 and 667, unitecreator_operations.class.php at line 710, and provider_helper.class.php at lines 597 and 607, highlighting the vulnerable functions. No advisories or patches are detailed in the available information.
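The strip-and-concatenate weakness described in the NVD text and the analysis above, beside the input validation that SI-10 calls for, as an added PHP example. This is not code from the Unlimited Elements plugin or from the advisory: the function names vulnerableUrlToPath() and safeUrlToPath() are hypothetical, the first only mirrors the URLtoRelative()/cleanPath() pattern the description gives, and the sample files are constructed in a throw-away temporary directory.

```php
<?php
// Added illustration, not the plugin's code. vulnerableUrlToPath() reproduces
// the pattern the advisory describes; safeUrlToPath() shows the containment
// check that closes the hole. Both names are hypothetical.

// Drop the site URL by string replacement, normalise separators, and glue the
// remainder onto the base path. Nothing here removes "../" segments, so the
// result can point outside $basePath.
function vulnerableUrlToPath(string $url, string $siteUrl, string $basePath): string
{
    $relative = str_replace($siteUrl, '', $url);     // URLtoRelative()-style strip
    $relative = str_replace('\\', '/', $relative);   // cleanPath()-style normalisation
    return rtrim($basePath, '/') . '/' . ltrim($relative, '/');
}

// Hardened variant. Returns null unless the URL is on this site, contains no
// "." or ".." segments after percent-decoding, and resolves via realpath() to
// an existing regular file that still lies inside the real base directory.
function safeUrlToPath(string $url, string $siteUrl, string $basePath): ?string
{
    $site = rtrim($siteUrl, '/') . '/';
    if (strncmp($url, $site, strlen($site)) !== 0) {
        return null;                                 // foreign host, scheme or look-alike
    }
    $path = parse_url(substr($url, strlen($site) - 1), PHP_URL_PATH);
    if (!is_string($path)) {
        return null;
    }
    $path = rawurldecode(str_replace('\\', '/', $path));
    foreach (explode('/', $path) as $segment) {
        if ($segment === '.' || $segment === '..' || strpos($segment, "\0") !== false) {
            return null;                             // traversal token or NUL byte
        }
    }
    $base = realpath($basePath);
    $candidate = ($base === false) ? false : realpath($base . '/' . ltrim($path, '/'));
    if ($base === false || $candidate === false || !is_file($candidate)) {
        return null;                                 // base missing, or target absent / not a file
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;                                 // resolved outside the base directory
    }
    return $candidate;
}

// Self-contained demonstration on a temporary directory (constructed sample data).
function demo(): array
{
    $root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cve_2026_4659_demo_' . getmypid();
    $base = $root . DIRECTORY_SEPARATOR . 'uploads';
    mkdir($base, 0700, true);
    $allowed = $base . DIRECTORY_SEPARATOR . 'data.json';
    $outside = $root . DIRECTORY_SEPARATOR . 'secret.php';
    file_put_contents($allowed, '{"rows":[]}');      // file the widget may read
    file_put_contents($outside, '<?php // outside'); // file that must stay unreachable
    $site = 'http://site.com';

    $vulnBad = vulnerableUrlToPath($site . '/../secret.php', $site, $base);
    $results = [
        'vulnerable_escapes_base' => realpath($vulnBad) === realpath($outside),
        'safe_allows_in_base'     => safeUrlToPath($site . '/data.json', $site, $base) === realpath($allowed),
        'safe_blocks_dotdot'      => safeUrlToPath($site . '/../secret.php', $site, $base) === null,
        'safe_blocks_encoded'     => safeUrlToPath($site . '/%2e%2e/secret.php', $site, $base) === null,
        'safe_blocks_lookalike'   => safeUrlToPath('http://site.com.example/data.json', $site, $base) === null,
    ];

    unlink($allowed);
    unlink($outside);
    rmdir($base);
    rmdir($root);
    return $results;
}

foreach (demo() as $check => $ok) {
    printf("%-26s %s\n", $check, $ok ? 'true' : 'FALSE');
}
```

Every line of the demo's report should read true: the vulnerable function hands back a path that realpath() resolves to the file above the base directory, while the hardened one returns null for the plain, percent-encoded and host look-alike variants and only returns a path for the file under uploads/. The segment check alone is not enough (double encoding or a symlink inside the base directory would slip past it), which is why the realpath() prefix comparison is the check that matters; its cost is that the target must already exist, so a write path needs the same comparison applied to the parent directory instead.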
Details
- CWE(s)