CVE-2026-27041 | Severity: CRITICAL | CNA: Patchstack

CVE-2026-27041: WordPress Unlimited Elements for Elementor (Premium) plugin <= 2.0.6 - Arbitrary File Upload vulnerability

Contributor Arbitrary File Upload in Unlimited Elements for Elementor (Premium) <= 2.0.6 versions.

Metrics

CVSS v3.1 score: 9.9
Severity: CRITICAL
Fixed in: no fix version published
Affected products: 1


HarborGuard Analysis

Synopsis

An arbitrary file upload vulnerability affects the Unlimited Elements for Elementor (Premium) WordPress plugin at version 2.0.6 and earlier. The flaw is reachable over the network and requires only a low-privilege contributor account, meaning any registered contributor on an affected WordPress site can exploit it without any additional interaction from other users. Successful exploitation gives an attacker full control over confidentiality, integrity, and availability of the host, including the ability to upload and execute malicious files for remote code execution. No fix version has been published yet; HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as the upstream vendor ships a fix.

HarborGuard Coverage

Detection (Available)

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds (including Patchstack) within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle this plugin.

Triage (Available)

HarborGuard scores this issue at CVSS 9.9 Critical and surfaces it with that weight applied against each customer org's compliance policy, routing the finding to the appropriate team inbox for immediate review.

Patch (Pending upstream)

Because no upstream fix version has been published, HarborGuard re-checks the Patchstack advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix is released. In the interim, compensating-control recommendations are surfaced in the finding detail to help customers reduce exposure.

Exploit Conditions

  • Network reachability: Required

    The vulnerable plugin endpoint is exposed over the network, so an attacker must be able to reach the WordPress site via HTTP/HTTPS to deliver a malicious file upload request.

  • Authentication: Required

    A low-privilege contributor account on the WordPress site is sufficient; no administrative or elevated privileges are needed beyond that basic authenticated role.

  • Victim interaction: Not required

    No action from another user or administrator is needed; the attacker operates entirely on their own once they have contributor-level credentials.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and straightforward with no race conditions, special memory layouts, or other unpredictable environmental factors required.

Blast Radius

  • An attacker uploads an arbitrary file (such as a PHP webshell) and executes it on the server, gaining remote code execution on the underlying host.
  • Full read access to all data on the WordPress installation is gained, including database credentials, user records, and any stored secrets.
  • An attacker can modify or delete persisted files, database rows, and site content, resulting in complete integrity loss across the application.
  • The attacker can crash or destabilize the service, causing a full denial of availability for the site and any co-hosted applications.

How HarborGuard Handles This

Available on HarborGuard: because no vendor fix exists for CVE-2026-27041 at this time, the advisory is re-evaluated on every ingest cycle so that a patched-image rebuild becomes available automatically the moment Unlimited Elements for Elementor (Premium) ships a remediated release. While awaiting an upstream fix, the finding detail surfaces compensating controls including network-policy isolation to restrict inbound access to WordPress upload endpoints, egress filtering to prevent outbound callbacks from a dropped webshell, and disabling contributor-level file upload capabilities via a feature flag or role-capability override if the application permits it. For customers with auto-remediation enabled, a rebuild and regression run will be triggered and a PR opened against affected workloads as soon as a fix version is published, with a typical median time from CVE patch availability to merged PR of around 90 minutes for Critical-severity issues.
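The blast-radius entry above describes the post-exploitation artifact of this class of bug: a PHP file dropped into the WordPress uploads tree and then executed by the web server. The following bash script is an added example, not HarborGuard's code and not the plugin vendor's, that audits an uploads directory for files a server could run as PHP. It checks both by extension (including double extensions such as `x.php.jpg`) and by content (a PHP open tag inside a file with an image or text extension), because an upload filter that only inspects the extension misses the second case. The uploads path, the sample file tree and the file names are constructed for the example; run it against `wp-content/uploads` on a real install.

```shell
#!/usr/bin/env bash
# Added example (not HarborGuard's or the plugin vendor's code).
# Audits a WordPress uploads directory for files that a web server could
# execute as PHP, which is what a dropped webshell from an arbitrary-file-
# upload bug looks like on disk.
# Assumptions: bash, find, grep and head are available; the uploads path
# is passed in by the caller.

set -u

# Extension patterns a typical PHP handler would execute, plus double
# extensions like "x.php.jpg" that some Apache configurations still run.
PHP_NAME_TESTS='( -iname *.php -o -iname *.phtml -o -iname *.phar -o -iname *.php[0-9] -o -iname *.php.* )'

# Print every regular file under "$1" that is executable as PHP either by
# extension or by content (PHP open tag within the first 1 KiB).
find_executable_uploads() {
    local dir="$1"
    # 1. By extension.
    find "$dir" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \
        -o -iname '*.php[0-9]' -o -iname '*.php.*' \) -print
    # 2. By content, only for files the extension test did not already flag.
    find "$dir" -type f ! \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \
        -o -iname '*.php[0-9]' -o -iname '*.php.*' \) -print0 |
    while IFS= read -r -d '' f; do
        if head -c 1024 "$f" | grep -qF -e '<?php' -e '<?='; then
            printf '%s\n' "$f"
        fi
    done
}

# Number of flagged files under "$1", printed without padding.
count_executable_uploads() {
    find_executable_uploads "$1" | wc -l | tr -d ' '
}

# Constructed sample tree so the audit can be exercised offline.
# Three of the five files should be flagged.
make_sample_uploads() {
    local dir="$1"
    mkdir -p "$dir/2026/03"
    printf 'GIF89a\n' > "$dir/2026/03/logo.gif"                        # benign image
    printf '<?php system($_GET["c"]); ?>' > "$dir/2026/03/cache.php"   # PHP extension
    printf 'GIF89a<?php echo 1; ?>' > "$dir/2026/03/pic.jpg"           # image/PHP polyglot
    printf '<?php\n' > "$dir/2026/03/a.php.jpg"                        # double extension
    printf 'hello\n' > "$dir/2026/03/notes.txt"                        # benign text
}

# Usage: ./audit_uploads.sh /var/www/html/wp-content/uploads
if [ "${1:-}" != "" ]; then
    find_executable_uploads "$1"
fi
```

The script is an audit, not a fix: it finds what an upload bug has already left behind and says nothing about whether the plugin's endpoint is still reachable. The extension and content checks are deliberately separate so that a hit in the second list (a file named like an image but carrying PHP) stands out as the more suspicious finding.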

Affected packages
  • Studio Keren Aga LTD. / Unlimited Elements for Elementor (Premium), versions ≤ 2.0.6
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H