Question 1

What versions of the Unlimited Elements For Elementor plugin are affected by these vulnerabilities?

Accepted Answer

What versions of the Unlimited Elements For Elementor plugin are affected by these vulnerabilities?

Versions up to and including 1.5.109 of the Unlimited Elements For Elementor plugin are affected by two critical vulnerabilities: CVE-2024-35674 (Information Exposure) and CVE-2024-5329 (Blind SQL Injection).

Question 2

How can attackers exploit these vulnerabilities?

Accepted Answer

How can attackers exploit these vulnerabilities?

The Information Exposure vulnerability (CVE-2024-35674) allows authenticated attackers with Contributor-level access and above to view password-protected posts. Meanwhile, the Blind SQL Injection vulnerability (CVE-2024-5329) enables authenticated attackers to execute arbitrary SQL queries, potentially accessing sensitive information from the database.

Question 3

What risks do these vulnerabilities pose to my website?

Accepted Answer

What risks do these vulnerabilities pose to my website?

These vulnerabilities pose significant risks, including unauthorized access to sensitive content and potential data theft. Attackers could exploit these flaws to compromise the integrity and security of your WordPress website.

Question 4

How can I check if my site has been compromised?

Accepted Answer

How can I check if my site has been compromised?

Monitor your website's post access logs for any unauthorized views and review database query logs for unusual activities. These can indicate potential exploitation attempts or unauthorized access attempts due to the vulnerabilities.

Question 5

What should I do if I suspect my site has been compromised?

Accepted Answer

What should I do if I suspect my site has been compromised?

If you suspect a compromise, immediately update the Unlimited Elements For Elementor plugin to version 1.5.110 or later. Consider temporarily disabling the plugin until the update is applied to prevent further risks.

Question 6

Is there an alternative plugin I can use while waiting to update?

Accepted Answer

Is there an alternative plugin I can use while waiting to update?

Consider using alternative plugins that offer similar functionalities as a temporary measure until the Unlimited Elements For Elementor plugin is updated and secured against these vulnerabilities.

Question 7

Why is it important to update my plugins regularly?

Accepted Answer

Why is it important to update my plugins regularly?

Regular updates ensure that your plugins are equipped with the latest security patches and enhancements. This helps mitigate risks associated with vulnerabilities and maintains the overall security of your WordPress site.

Question 8

How can I stay informed about plugin vulnerabilities in the future?

Accepted Answer

How can I stay informed about plugin vulnerabilities in the future?

Subscribe to security newsletters, follow WordPress security blogs, and enable notifications for plugin updates within your WordPress dashboard. These measures will keep you informed about any vulnerabilities and their fixes promptly.

Question 9

Has the plugin developer addressed similar vulnerabilities in the past?

Accepted Answer

Has the plugin developer addressed similar vulnerabilities in the past?

Yes, prior to these incidents, there have been 15 documented vulnerabilities in the Unlimited Elements For Elementor plugin since March 4, 2022. This history underscores the importance of proactive security measures and timely updates.

Question 10

What steps should I take to prevent future vulnerabilities?

Accepted Answer

What steps should I take to prevent future vulnerabilities?

In addition to updating plugins promptly, regularly audit and review your plugin usage. Remove any plugins that are no longer actively maintained or pose security risks. Implement strong access controls and monitor your website for any signs of unusual activity.

Security

Unlimited Elements For Elementor (Free Widgets, Addons, Templates) Vulnerability – Authenticated (Contributor+) Information Exposure, Blind SQL Injection – CVE-2024-35674, CVE-2024-5329 | WordPress Plugin Vulnerability Report

Download Manager Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via wpdm_modal_login_form Shortcode – CVE-2024-4001 | WordPress Plugin Vulnerability Report

LearnPress – WordPress LMS Plugin Vulnerability – Basic Information Disclosure via JSON API – CVE-2024-5483 | WordPress Plugin Vulnerability Report

Brizy – Page Builder Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Attributes and Widget Link To URL – CVE-2024-1161, CVE-2024-3667, CVE-2024-2087, CVE-2024-1164 | WordPress Plugin Vulnerability Report

EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via EmbedPress PDF Widget – CVE-2024-5571 | WordPress Plugin Vulnerability Report

Email Subscribers by Icegram Express Vulnerability – Unauthenticated SQL Injection via hash – CVE-2024-4295 | WordPress Plugin Vulnerability Report

Shield Security – Smart Bot Blocking & Intrusion Prevention Security Vulnerability – Cross-Site Request Forgery – CVE-2024-4344 | WordPress Plugin Vulnerability Report

wpDataTables Vulnerability – Missing Authorization to DataTable Access & Modification – CVE-2024-3821 | WordPress Plugin Vulnerability Report

Recent Blog Posts

WordPress 500 Internal Server Error: What It Means and How to Fix It

Yoast SEO – Advanced SEO with real-time guidance and built-in AI Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘jsonText’ Block Attribute – CVE-2026-3427 | WordPress Plugin Vulnerability Report

The Events Calendar Vulnerability – Missing Authorization to Authenticated (Subscriber+) Data Migration Control – CVE-2025-15043 | WordPress Plugin Vulnerability Report

Additional Resources

About Your WP Guy