PT-2026-33414 · WordPress · Unlimited Elements For Elementor

Dmitry Ignatyev · Published 2026-04-17 · Updated 2026-05-02 · CVE-2026-4659

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions: Unlimited Elements for Elementor versions prior to 2.0.7

Description: An arbitrary file read issue exists due to insufficient path traversal sanitization in the URLtoRelative() and urlToPath() functions, combined with the ability to enable debug output in widget settings. The URLtoRelative() function removes the site base URL but fails to sanitize path traversal sequences (../), while the cleanPath() function normalizes directory separators without removing traversal components. This allows authenticated attackers with Author-level access and above to read arbitrary local files from the WordPress host, such as wp-config, by providing a crafted URL in the 'Repeater JSON/CSV URL' parameter.

Recommendations: Update the plugin to a version later than 2.0.6.
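The failure mode described above, modelled in Python as an added example (not the plugin's own code): a base-URL strip plus separator-only clean-up, beside a hardened conversion that percent-decodes once, normalises, and checks that the result stays inside the upload directory. The site URL, upload prefix and directory are constructed assumptions, as are all function names.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote, urlparse

# Constructed values standing in for a WordPress install (hypothetical, not the plugin's code).
SITE_URL = "https://example.test"
UPLOADS_URL_PREFIX = "/wp-content/uploads/"
UPLOADS_DIR = "/var/www/html/wp-content/uploads"


def url_to_relative_unsafe(url: str) -> str:
    """Models the flawed step: strip the site base URL and keep the rest, '..' included."""
    base = SITE_URL + UPLOADS_URL_PREFIX
    return url[len(base):] if url.startswith(base) else url


def clean_path_unsafe(path: str) -> str:
    """Models separator-only normalisation: '\\' -> '/', collapse '//'. Traversal survives."""
    path = path.replace("\\", "/")
    while "//" in path:
        path = path.replace("//", "/")
    return path


def url_to_path_unsafe(url: str) -> str:
    """Vulnerable composition: the '..' segments reach the filesystem path untouched."""
    return UPLOADS_DIR + "/" + clean_path_unsafe(url_to_relative_unsafe(url))


def escapes_base(path: str) -> bool:
    """Containment check the flawed flow lacks: does the resolved path leave UPLOADS_DIR?"""
    return not posixpath.normpath(path).startswith(UPLOADS_DIR + "/")


def url_to_path_safe(url: str) -> Optional[str]:
    """Hardened conversion: same-site http(s) URL under the uploads prefix only, percent-decoded
    once, normalised, and checked to stay inside UPLOADS_DIR. Returns None on rejection."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or parts.netloc != urlparse(SITE_URL).netloc:
        return None
    path = unquote(parts.path).replace("\\", "/")  # decode %2e%2e and friends before checking
    if not path.startswith(UPLOADS_URL_PREFIX):
        return None
    rel = posixpath.normpath(path[len(UPLOADS_URL_PREFIX):])
    if rel == "." or rel.startswith("/") or rel == ".." or rel.startswith("../"):
        return None
    full = posixpath.normpath(posixpath.join(UPLOADS_DIR, rel))
    return None if escapes_base(full) else full
```

Running `escapes_base` over the output of the unsafe flow shows the traversal surviving into the filesystem path, which is the condition a fix must rule out before any file is opened.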

Fix

Weakness Enumeration: Path traversal

Related Identifiers: CVE-2026-4659

Affected Products: Unlimited Elements For Elementor