Ultimate Addons for Elementor <= 1.24.1 - Registration Bypass

An issue was discovered in the "Ultimate Addons for Elementor" plugin before 1.24.2 for WordPress, as exploited in the wild in May 2020 in conjunction with CVE-2020-13126. Unauthenticated attackers can create users with the Subscriber role even if registration is disabled. id: CVE-2020-13125 info...

CVE-2026-49052 WordPress ElementsKit Elementor addons Lite plugin <= 3.9.6 - Broken Access Control vulnerability

Missing Authorization vulnerability in Wpmet ElementsKit Elementor addons Lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ElementsKit Elementor addons Lite: from n/a through 3.9.6...

CVE-2025-0898

The Xpro Elementor Addons - Pro plugin for WordPress is vulnerable to Arbitrary File Reading in all versions up to, and including, 1.4.7 via the Draw SVG widget. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary files on...

CVE-2026-9018

The Easy Elements for Elementor – Addons & Website Templates WordPress plugin (≤ 1.4.5) is vulnerable to Privilege Escalation via the easyel_handle_register() flow. The wp_ajax_nopriv_eel_register handler writes attacker-supplied custom_meta to new users via update_user_meta(), with no key whitel...

CVE-2025-15369 Xpro Addons — 140+ Widgets for Elementor <= 1.5.0 - Missing Authorization to Unauthenticated Xpro Template Creation

The Xpro Addons — 140+ Widgets for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the getcontenteditor function in all versions up to, and including, 1.5.0. This makes it possible for unauthenticated attackers to create...

CVE-2026-7284

The Easy Elements for Elementor – Addons & Website Templates plugin for WordPress (up to version 1.4.4) is affected by unauthenticated privilege escalation. The issue arises from the easyel_handle_register function not restricting the allowed user roles during registration, enabling an attacker t...

EUVD-2026-31019

The Easy Elements for Elementor – Addons & Website Templates plugin for WordPress is vulnerable to privilege escalation via user registration in all versions up to, and including, 1.4.4. This is due to the 'easyelhandleregister' function not restricting what user roles a user can register with...

PT-2026-42071

The Easy Elements for Elementor – Addons & Website Templates plugin for WordPress is vulnerable to privilege escalation via user registration in all versions up to, and including, 1.4.4. This is due to the 'easyel handle register' function not restricting what user roles a user can register with...

EUVD-2026-30261

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'titletag' parameter in all versions up to, and including, 1.7.1058 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, wi...

CVE-2026-5193

Vulnerability summary (CVE-2026-5193) : The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is susceptible to privilege escalation in all versions up to and including 6.5.13. The root cause is insufficient role validation in the register_user function, ...

CVE-2026-3425

The RTMKit Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.0.2 via the 'path' parameter of the 'getcontent' AJAX action. This makes it possible for authenticated attackers, with Author-level access and above, to include and...

CVE-2026-4362 ElementsKit Elementor Addons <= 3.8.2 - Missing Authorization to Unauthenticated Widget Content Overwrite

The ElementsKit Elementor Addons plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the LiveAction::reset function in all versions up to, and including, 3.8.2 The function is hooked to the WordPress init action and triggers when both post...

CVE-2026-6229

The Royal Elementor Addons plugin for WordPress is vulnerable to Server-Side Request Forgery (SSRF) in versions up to 1.7.1057. The root cause is insufficient validation of user-supplied URLs in render_csv_data(), which can be bypassed by including docs.google.com/spreadsheets in a query paramete...

PT-2026-36610

The Premium Addons for Elementor – Powerful Elementor Templates & Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'custom svg' parameter in versions up to, and including, 4.11.70 due to insufficient input sanitization and output escaping. This makes it possible f...

WordPress Restaurant & Cafe Addon for Elementor plugin <= 1.5.8 - Unauthenticated Reflected Cross-Site Scripting vulnerability

Unauthenticated Reflected Cross-Site Scripting vulnerability discovered by Asaf Mozes in WordPress Plugin Restaurant & Cafe Addon for Elementor versions = 1.5.8...

CVE-2026-5428

The CVE concerns the Royal Elementor Addons for WordPress (Image Grid/Slider/Carousel widget) with versions ≤ 1.7.1056. The root cause is insufficient output escaping in render_post_thumbnail(), where wp_kses_post() is used for the alt attribute context instead of escaping, enabling Stored Cross-...

CVE-2026-39500

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Themesflat themesflat-addons-for-elementor themesflat-addons-for-elementor allows Stored XSS.This issue affects themesflat-addons-for-elementor: from n/a through = 2.3.2...

CVE-2026-39703

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in wpbits WPBITS Addons For Elementor Page Builder wpbits-addons-for-elementor allows Stored XSS.This issue affects WPBITS Addons For Elementor Page Builder: from n/a through = 1.8.1...

CVE-2026-39703 WordPress WPBITS Addons For Elementor Page Builder plugin <= 1.8.1 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in wpbits WPBITS Addons For Elementor Page Builder wpbits-addons-for-elementor allows Stored XSS.This issue affects WPBITS Addons For Elementor Page Builder: from n/a through = 1.8.1...

CVE-2026-25398

Missing Authorization vulnerability in Webilia Inc. Vertex Addons for Elementor addons-for-elementor-builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Vertex Addons for Elementor: from n/a through = 1.6.4...