External risk intelligence

Elementor Unlimited Elements Arbitrary File Upload Vulnerability

CVE advisory

Severity: CRITICAL (CVSS 9.9)

CVE-2026-27041

A WordPress plugin allows contributor-level users to upload arbitrary files, potentially enabling unauthorized code execution or site compromise. The risk is amplified because this plugin extends website functionality, making it a core component of public-facing web applications. Confirmation of its use and exposure on

Unrestricted File Upload

Halo Surface Signal

Likely · external exposure

Halo Surface Signal: 4

The vulnerability exists in a WordPress plugin used to extend website functionality. Such plugins are core components of web applications, which are typically deployed as public-facing web services. While it requires a contributor-level account, the plugin itself is part of an internet-facing web platform, making it commonly accessible via the public internet in its standard deployment.

Horizon Alert

Summary of the vulnerability and why it matters

A security issue has been identified in a WordPress plugin that allows contributor-level users to upload arbitrary files. This vulnerability could allow unauthorized code execution or modification on affected websites. The main concern is confirming whether this specific plugin is in use and exposed.

  • Allows unauthorized file uploads by contributors.
  • Significant potential for site compromise if used.
  • Confirm relevance and exposure of this plugin.

Attack Path

How an attacker could exploit the issue

An attacker with contributor-level access to a website using the vulnerable plugin can upload arbitrary files. This capability could allow them to upload malicious files, potentially leading to the execution of arbitrary code and full compromise of the website.

  • Requires contributor-level access.
  • Uploads arbitrary files.
  • Leads to remote code execution.

Live Threat

Current exploitation, exposure, and threat context

Where the advisory supports it, this vulnerability could allow an unauthenticated attacker to upload arbitrary files to a website, potentially leading to unauthorized code execution or data manipulation. The risk is amplified because the affected plugin extends website functionality, making it a core component of public-facing web applications.

  • Arbitrary file upload to website.
  • Unauthenticated attacker can upload files.
  • Website compromise and data exposure.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability affects websites using the Unlimited Elements for Elementor Premium WordPress plugin. Platform or web administration teams are usually responsible for managing website plugins and should begin by identifying all instances of this plugin, assessing their exposure and business criticality, and locating the accountable owner for remediation.

  • Ownership: Web platform and security teams.
  • Verify: Plugin presence and exposure.
  • Action: Plan remediation with owners.

Supplementary metadata

PCI scan relevance

Yes

CVE-2026-27041 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability, an arbitrary file upload in the Unlimited Elements for Elementor Premium plugin, could lead to a bypass of security controls or remote code execution, making it relevant for PCI scanning.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the Unlimited Elements for Elementor Premium plugin?

It is a WordPress extension that provides extra widgets, design elements, and functionality to the Elementor page builder. Site administrators and designers use it to create complex website layouts without writing custom code. Because it integrates directly into the WordPress dashboard and content management workflow, it becomes a core part of how a site's visual components are built and managed.

How does CWE-434 relate to CVE-2026-27041?

CVE-2026-27041 is classified under CWE-434, which refers to Unrestricted Upload of File with Dangerous Type. In this context, it means the plugin fails to properly validate the files being uploaded to the server. An attacker can exploit this weakness to upload files that the server might then execute as code, granting the attacker unauthorized control over the website's functions and data.
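To make the CWE-434 failure modes concrete, the following added example (not the plugin's code and not Halo's tooling) places a minimal upload handler written the way an unrestricted upload typically looks beside a hardened version. The hardened handler checks the caller's capability, allowlists extensions, rejects double extensions such as `name.php.png`, strips path components, and verifies the file's leading bytes against the declared type. The role-to-capability map is a constructed stand-in for WordPress's defaults (core grants `upload_files` to Author and above, not to Contributor); the sample uploads are constructed.

```python
"""
Added illustration of CWE-434 checks (constructed, not the plugin's code).
"""
import os

# Constructed stand-in for the WordPress role -> capability mapping.
# WordPress core grants 'upload_files' to Author and above, not Contributor.
ROLE_CAPABILITIES = {
    "subscriber": set(),
    "contributor": {"edit_posts"},
    "author": {"edit_posts", "upload_files"},
    "editor": {"edit_posts", "upload_files", "edit_others_posts"},
    "administrator": {"edit_posts", "upload_files", "manage_options"},
}

# Extension -> expected leading bytes (magic) for the few types we allow.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# Extensions a typical web server hands to the PHP interpreter.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}

PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16


def vulnerable_accept(role: str, filename: str, content: bytes) -> bool:
    """The anti-pattern: any logged-in role, any file name, any bytes."""
    return role in ROLE_CAPABILITIES  # only checks that the user exists


def hardened_accept(role: str, filename: str, content: bytes) -> tuple:
    """Return (accepted, reason). Each check closes one CWE-434 failure mode."""
    caps = ROLE_CAPABILITIES.get(role, set())
    if "upload_files" not in caps:
        return False, "role lacks upload_files capability"

    # Basename only: path components such as ../../wp-content/plugins are dropped.
    name = os.path.basename(filename.replace("\\", "/"))
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "no extension"
    exts = parts[1:]
    # shell.php.png, image.phtml.jpg: any executable segment is rejected.
    if any(e in EXECUTABLE_EXTENSIONS for e in exts):
        return False, "executable extension present"
    if len(exts) != 1:
        return False, "multiple extensions"
    ext = exts[0]
    if ext not in ALLOWED_TYPES:
        return False, "extension %r not in allowlist" % ext
    if not content.startswith(ALLOWED_TYPES[ext]):
        return False, "content does not match declared type"
    return True, "ok"


# Constructed sample uploads: (file name, role, bytes).
SAMPLES = [
    ("photo.png", "author", PNG_SAMPLE),
    ("photo.png", "contributor", PNG_SAMPLE),
    ("notes.php", "author", b"<?php echo 'not an image'; ?>"),
    ("notes.php.png", "author", PNG_SAMPLE + b"<?php echo 1; ?>"),
    ("fake.png", "author", b"<?php echo 'not an image'; ?>"),
    ("../../plugins/x.png", "author", PNG_SAMPLE),
]


def compare(samples=SAMPLES) -> list:
    """Run both handlers over the samples; returns (name, role, vulnerable, hardened, reason)."""
    rows = []
    for name, role, data in samples:
        ok, reason = hardened_accept(role, name, data)
        rows.append((name, role, vulnerable_accept(role, name, data), ok, reason))
    return rows


if __name__ == "__main__":
    for row in compare():
        print("%-22s %-12s vulnerable=%-5s hardened=%-5s %s" % row)
```

The magic-byte check is the part most often skipped; WordPress core exposes the same idea through `wp_check_filetype_and_ext()`, which compares the declared extension with what the content actually is, and a plugin upload path that bypasses it (or skips `current_user_can('upload_files')`) is exactly the shape CWE-434 describes.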

Does this vulnerability trigger if I do not have a contributor account?

The vulnerability specifically requires an attacker to have a contributor-level account on the WordPress site to initiate the file upload. It does not trigger for unauthenticated visitors or users with lower-level permissions, such as subscribers. If an attacker cannot authenticate as a contributor or higher, they cannot utilize this specific upload mechanism to compromise the site.

Is my website at risk if it uses this plugin?

According to Halo Surface Signal, this plugin is typically part of internet-facing web applications. If your site is public-facing and runs this software, it is considered accessible via the internet, increasing the potential risk. You should evaluate whether the plugin is necessary for your operations and determine if it is reachable by untrusted users who might have, or could gain, contributor access.

What should I do first to address this security concern?

Start by identifying every WordPress instance in your environment that has the Unlimited Elements for Elementor Premium plugin installed. Once you have a complete inventory, verify the version in use to see if it falls within the affected range. Coordinate with your web administration team to assess the criticality of these sites and plan for necessary updates or removal of the plugin to mitigate the risk of unauthorized file uploads.
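The inventory and verification steps above can be scripted. The following added example (not Halo's or the plugin vendor's tooling) triages a fleet from constructed `wp plugin list --format=json` output and then sweeps a constructed `wp-content/uploads` tree for files a web server could execute, which is the artifact an exploited CWE-434 upload leaves behind. The plugin slug and the fixed version are placeholders to be replaced with the values from the vendor advisory; the fleet output and the uploads tree are constructed.

```python
"""
Added triage helper (constructed; not the vendor's or Halo's code).
"""
import json
import os
import tempfile

# Placeholders: take the real slug and fixed version from the vendor advisory.
TARGET_SLUG = "unlimited-elements-for-elementor-premium"  # placeholder slug
FIXED_VERSION = "9.9.9"                                   # placeholder version

# Constructed `wp plugin list --format=json` output for three sites.
FLEET = {
    "shop.example": (
        '[{"name":"elementor","status":"active","version":"3.20.0"},'
        '{"name":"unlimited-elements-for-elementor-premium",'
        '"status":"active","version":"1.5.0"}]'
    ),
    "blog.example": (
        '[{"name":"unlimited-elements-for-elementor-premium",'
        '"status":"inactive","version":"9.9.9"}]'
    ),
    "docs.example": '[{"name":"akismet","status":"active","version":"5.3"}]',
}

# Extensions a typical web server hands to the PHP interpreter.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}


def parse_version(v: str) -> tuple:
    """Dotted version to a comparable tuple; non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def triage_fleet(fleet: dict, slug: str = TARGET_SLUG, fixed: str = FIXED_VERSION) -> dict:
    """Return {site: verdict} for every site that has the plugin installed."""
    findings = {}
    for site, raw in fleet.items():
        for plugin in json.loads(raw):
            if plugin["name"] != slug:
                continue
            outdated = parse_version(plugin["version"]) < parse_version(fixed)
            if not outdated:
                verdict = "patched"
            elif plugin["status"] == "active":
                verdict = "outdated-active"
            else:
                verdict = "outdated-inactive"
            findings[site] = verdict
    return findings


def find_executable_uploads(uploads_dir: str) -> list:
    """Relative paths under uploads_dir where any extension segment is executable.

    Checks every segment, so img.php.jpg is reported alongside cache.php.
    """
    hits = []
    for root, _dirs, files in os.walk(uploads_dir):
        for f in files:
            segments = f.lower().split(".")[1:]
            if any(s in EXECUTABLE_EXTENSIONS for s in segments):
                hits.append(os.path.relpath(os.path.join(root, f), uploads_dir))
    return sorted(hits)


def build_sample_uploads() -> str:
    """Create a constructed uploads tree in a temp dir and return its path."""
    base = tempfile.mkdtemp(prefix="wp-uploads-")
    month = os.path.join(base, "2026", "03")
    os.makedirs(month)
    samples = [
        ("banner.png", b"\x89PNG\r\n\x1a\n"),
        ("hero.jpg", b"\xff\xd8\xff"),
        ("cache.php", b"<?php echo 1; ?>"),     # constructed indicator
        ("img.php.jpg", b"\xff\xd8\xff"),       # constructed indicator
    ]
    for name, data in samples:
        with open(os.path.join(month, name), "wb") as fh:
            fh.write(data)
    return base


if __name__ == "__main__":
    for site, verdict in triage_fleet(FLEET).items():
        print("%-14s %s" % (site, verdict))
    uploads = build_sample_uploads()
    for hit in find_executable_uploads(uploads):
        print("executable file under uploads:", hit)
```

An inactive but outdated copy still belongs on the remediation list, since the page's guidance is to update or remove the plugin; the uploads sweep is a quick indicator only, and any hit should be handed to incident response together with web server logs for the upload request.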
