CVE-2026-4659 is an authenticated Local File Inclusion vulnerability in Unlimited Elements for Elementor that allows an Author-level user to read arbitrary local files from the WordPress host. The bug is especially practical because it lives in a normal-looking Elementor widget feature. A repeater can load JSON or CSV data from a URL, which is a common pattern for dynamic widgets. The vulnerability appears when the plugin treats certain URLs as local filesystem paths and then reads them. When debug output is enabled, the plugin returns the raw file content in the response, which turns a file read primitive into direct exfiltration through the page preview. With an install base of 300 000+ active installations and common editorial setups where Authors can edit pages, this is a realistic path from a low-privilege content role to server-level secret disclosure.
| Field | Value |
| --- | --- |
| CVE | CVE-2026-4659 |
| Plugin Version | Unlimited Elements For Elementor <= 2.0.6 |
| All Time Downloads | 14 537 518 |
| Active installations | 300 000+ |
| Publicly Published | April 16, 2026 |
| Last Updated | April 16, 2026 |
| Researcher | Dmitrii Ignatyev |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-4659 https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/unlimited-elements-for-elementor/unlimited-elements-for-elementor-206-authenticated-contributor-arbitrary-file-read-via-path-traversal-in-repeater-jsoncsv-url-with-path-traversal https://t.me/cleantalk_researches/402 |
Timeline
| Date | Event |
| --- | --- |
| March 13, 2026 | Plugin testing and vulnerability detection in Unlimited Elements for Elementor have been completed |
| March 13, 2026 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| April 16, 2026 | Registered CVE-2026-4659 |
Discovery of the Vulnerability
The root cause is a flawed URL to path conversion pipeline inside the repeater import logic. When a widget uses a Special Attribute of type Repeater and the user selects JSON or CSV loading from a URL, the value flows into a helper like getUrlContents. If the supplied URL matches the same site domain, the plugin treats it as a local reference and converts it using functions like URLtoRelative and urlToPath. The critical mistake is that traversal segments like ../ survive the conversion and are not normalized away with realpath based base directory enforcement. The resulting path is then passed into file reads through fileGetContents. With Show Debug Data enabled, the plugin surfaces the fetched contents in debug output, which confirms exploitation and leaks sensitive files such as wp-config.php and system files like /etc/passwd.
Understanding LFI attacks
Local File Inclusion in WordPress plugins is frequently high severity because core configuration and secrets are stored in predictable places and are readable by the PHP process. The best known target is wp-config.php which can contain database credentials, table prefix, salts, and third party API keys. On many hosts there are also environment files, backup archives, log files, and deployment metadata that contain secrets. Even a simple file like /etc/passwd provides usernames and service accounts that help attackers craft later attacks. In multi author WordPress sites, Authors are often treated as semi trusted content creators. They can publish posts and edit pages but they are not supposed to access server files. CVE-2026-4659 breaks that expectation by allowing content editing privileges to become a server secret extraction capability through a widget feature.
Exploiting the LFI Vulnerability
To exploit CVE-2026-4659, an attacker with Author+ cookies:
POC:
1. Log in as Author with Elementor edit access.
2. Open any editable page in Elementor.
3. Add the preconfigured widget from step 1.
4. Open the widget Content tab and the Items section.
5. Set Repeater Source to JSON / CSV.
6. Set JSON or CSV Location to Url.
7. Set Url with the JSON or CSV to http://site.origin/../../../../etc/passwd.
8. Enable Show Debug Data.
9. Update the page and open the frontend preview.
The highest impact scenario is secret theft that leads to full compromise. If an attacker can read wp-config.php, they can obtain database credentials and salts, then pivot to database access, extract users, tamper content, and potentially take over the site. On managed hosts, reading environment files can reveal cloud access tokens, SMTP credentials, payment provider keys, and monitoring endpoints, expanding the blast radius beyond WordPress. The exploitation is also stealthy in a workflow sense because it looks like normal widget configuration activity, and the attacker can exfiltrate secrets through page previews rather than needing a dedicated download endpoint. On sites where many Authors exist, a single compromised Author account through phishing can become a server level breach, which is why this vulnerability should be treated as high severity even though it is authenticated.
Recommendations for Improved Security
The fix must enforce strict path validation and safe file access policy. The plugin should never treat an arbitrary URL as a filesystem path. If same domain URLs are supported for convenience, then the conversion must normalize the final path with realpath and enforce that it stays within an approved base directory such as uploads, and it must reject any path containing traversal sequences before conversion. The widget should read remote JSON or CSV only through the WordPress HTTP API with strict scheme validation and without falling back to filesystem reads. Debug output should never include raw fetched content, especially when it can originate from file reads, because it becomes an exfiltration mechanism. Site owners should restrict which roles can use advanced dynamic data sources, disable Show Debug Data on production, and review custom widgets that expose repeater URL ingestion controls. If exploitation is suspected, rotate database credentials and WordPress salts, because file disclosure means those secrets must be treated as compromised.
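The following PHP is an added illustration, not the plugin's code and not CleanTalk's. It contrasts the flawed URL-to-path conversion pattern described in the discovery section (same-domain URL turned into a filesystem path by string replacement, so ../ segments survive) with a resolver that implements the recommendations above: traversal rejected before conversion, the final path anchored with realpath() inside the uploads directory, remote data fetched only through the WordPress HTTP API with no filesystem fallback, and debug output that reports metadata instead of raw content. The function names insecure_url_to_path, secure_url_to_upload_path and load_repeater_source are hypothetical; only the WordPress core functions they call (home_url, wp_upload_dir, wp_parse_url, wp_safe_remote_get, wp_remote_retrieve_response_code, wp_remote_retrieve_body, is_wp_error) and the ABSPATH constant are real.

```php
<?php
// Added illustration, not the plugin's code. Function names are hypothetical.

/**
 * Vulnerable shape (sketch of the pattern the advisory describes):
 * a same-domain URL is turned into a filesystem path by string replacement,
 * so "../" segments in the URL survive into the path and escape ABSPATH.
 */
function insecure_url_to_path(string $url): string {
    $site_url = home_url('/');
    $relative = str_replace($site_url, '', $url); // "../../../../etc/passwd" survives
    return ABSPATH . $relative;                   // no realpath(), no base directory check
}

/**
 * Hardened resolver: only same-site URLs under the uploads URL are accepted,
 * traversal is rejected before any conversion, and the final path is
 * realpath()-anchored to the uploads base directory.
 * Returns the canonical path, or null when the URL must not be read locally.
 */
function secure_url_to_upload_path(string $url): ?string {
    $uploads  = wp_upload_dir();
    $base_dir = realpath($uploads['basedir']);
    if ($base_dir === false) {
        return null;
    }
    // 1. Reject traversal (also percent-encoded) and NUL bytes up front.
    $decoded = rawurldecode($url);
    if (strpos($decoded, '..') !== false || strpos($decoded, "\0") !== false) {
        return null;
    }
    // 2. Only http(s) URLs on the site's own host, under the uploads URL path,
    //    are treated as local references at all.
    $parts = wp_parse_url($decoded);
    $site  = wp_parse_url($uploads['baseurl']);
    if (!$parts || !$site
        || !in_array($parts['scheme'] ?? '', ['http', 'https'], true)
        || strcasecmp($parts['host'] ?? '', $site['host'] ?? '') !== 0) {
        return null;
    }
    $upload_url_path = rtrim($site['path'] ?? '', '/') . '/';
    $url_path        = $parts['path'] ?? '';
    if (strncmp($url_path, $upload_url_path, strlen($upload_url_path)) !== 0) {
        return null;
    }
    $relative  = substr($url_path, strlen($upload_url_path));
    $candidate = realpath($base_dir . DIRECTORY_SEPARATOR . $relative);
    // 3. realpath() collapses symlinks and any remaining dot segments; the
    //    result must still be strictly inside the uploads base directory.
    if ($candidate === false
        || strncmp($candidate, $base_dir . DIRECTORY_SEPARATOR, strlen($base_dir) + 1) !== 0) {
        return null;
    }
    // 4. Only the data file types the repeater is meant to load.
    $ext = strtolower(pathinfo($candidate, PATHINFO_EXTENSION));
    if (!in_array($ext, ['json', 'csv'], true)) {
        return null;
    }
    return $candidate;
}

/**
 * Repeater data loader: a local read happens only for a validated upload
 * path; everything else goes through the WordPress HTTP API
 * (wp_safe_remote_get refuses unsafe hosts and schemes). No filesystem fallback.
 */
function load_repeater_source(string $url, bool $debug = false): string {
    $local = secure_url_to_upload_path($url);
    if ($local !== null) {
        $contents = file_get_contents($local);
        return $contents === false ? '' : $contents;
    }
    $response = wp_safe_remote_get($url, ['timeout' => 10, 'redirection' => 2]);
    if (is_wp_error($response) || wp_remote_retrieve_response_code($response) !== 200) {
        return '';
    }
    $body = wp_remote_retrieve_body($response);
    if ($debug) {
        // Debug output carries metadata only, never the fetched body,
        // so it cannot become an exfiltration channel.
        error_log(sprintf('repeater source %s: %d bytes fetched', $url, strlen($body)));
    }
    return $body;
}
```

With this shape, the PoC URL from the section above is rejected at step 1 of secure_url_to_upload_path (the ".." check) and never reaches a file read; a same-site URL pointing outside wp-content/uploads is rejected at step 2 or 3, and a valid upload URL still resolves to a realpath()-checked file as the widget expects.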
By taking proactive measures to address LFI like CVE-2026-4659 WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
