50 matches found

CVE
added 2026/05/05 4:27 a.m. | 6 views

CVE-2026-4362

ElementsKit Elementor Addons for WordPress (up to version 3.8.2) is affected by an unauthenticated data-modification vulnerability. The root cause is a missing capability check in Live_Action::reset(), which is hooked to WordPress init and triggered when both post and action=elementor are present...

CVSS 6.5 | AI score 5.8 | EPSS 0.00311
Exploits 0 | References 6

CVE
added 2026/04/08 3:36 a.m. | 3 views

CVE-2026-4341

CVE-2026-4341 covers a Stored Cross-Site Scripting vulnerability in the Prime Slider – Addons for Elementor plugin for WordPress (versions up to and including 4.1.10). The root cause is insufficient input sanitization and output escaping in the Mount widget’s render_social_link() function, which ...

CVSS 6.4 | AI score 6.1 | EPSS 0.00015
Exploits 0 | References 6

ATTACKERKB
added 2026/04/04 2:26 a.m. | 0 views

CVE-2026-2949

The Xpro Addons — 140+ Widgets for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Icon Box widget in versions up to, and including, 1.4.24 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVSS 6.4 | AI score 6.1 | EPSS 0.00037
Exploits 0 | References 3

CVE
added 2026/03/21 3:27 a.m. | 3 views

CVE-2026-1397

Summary: The PQ Addons – Creative Elementor Widgets plugin for WordPress is vulnerable to a Stored Cross-Site Scripting (XSS) via widget attributes in all versions up to and including 1.0.0, caused by insufficient input sanitization and output escaping on the html_tag parameter in the PQ Section ...

CVSS 6.4 | AI score 6 | EPSS 0.00048
Exploits 0 | References 5

Patchstack
added 2026/02/03 3:7 p.m. | 2 views

WordPress Jeg Elementor Kit plugin <= 2.6.4 - Authenticated (Contributor+) Cross-Site Scripting via Elementor Widget URL Custom Attributes vulnerability

Authenticated Contributor+ Cross-Site Scripting via Elementor Widget URL Custom Attributes vulnerability discovered by Webbernaut in WordPress Plugin Jeg Elementor Kit versions <= 2.6.4...

CVSS 6.4 | AI score 5.3 | EPSS 0.00214
Exploits 0 | References 1 | Affected Software 1

RedhatCVE
added 2026/01/13 10:52 p.m. | 3 views

CVE-2025-13393

The Featured Image from URL FIFU plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.3.1. This is due to insufficient validation of user-supplied URLs before passing them to the getimagesize function in the Elementor widget integration. This...

CVSS 4.3 | AI score 5.8 | EPSS 0.00039
Exploits 0 | References 1

NVD
added 2026/01/10 2:15 p.m. | 2 views

CVE-2025-13393

The Featured Image from URL FIFU plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.3.1. This is due to insufficient validation of user-supplied URLs before passing them to the getimagesize function in the Elementor widget integration. This...

CVSS 4.3 | EPSS 0.00039
Exploits 0 | References 5

Cvelist
added 2026/01/10 1:47 p.m. | 21 views

CVE-2025-13393 Featured Image from URL (FIFU) <= 5.3.1 - Authenticated (Contributor+) Server-Side Request Forgery via 'fifu_input_url'

The Featured Image from URL FIFU plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.3.1. This is due to insufficient validation of user-supplied URLs before passing them to the getimagesize function in the Elementor widget integration. This...

CVSS 4.3 | EPSS 0.00039
Exploits 0 | References 5

Vulnrichment
added 2026/01/10 1:47 p.m. | 3 views

CVE-2025-13393 Featured Image from URL (FIFU) <= 5.3.1 - Authenticated (Contributor+) Server-Side Request Forgery via 'fifu_input_url'

The Featured Image from URL FIFU plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.3.1. This is due to insufficient validation of user-supplied URLs before passing them to the getimagesize function in the Elementor widget integration. This...

CVSS 4.3 | AI score 5.4 | EPSS 0.00039
Exploits 0 | References 5

CVE
added 2026/01/10 1:47 p.m. | 8 views

CVE-2025-13393

CVE-2025-13393 (FIFU SSRF) : The WordPress Featured Image from URL (FIFU) plugin (versions ≤ 5.3.1) is vulnerable to Server-Side Request Forgery via the FIFU input URL parameter in the FIFU Elementor widget. Exploitation requires authenticated access at Contributor level or higher and Elementor p...

CVSS 4.3 | AI score 5.4 | EPSS 0.00039
Exploits 0 | References 5

EUVD
added 2026/01/10 1:47 p.m. | 3 views

EUVD-2026-1844

The Featured Image from URL FIFU plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.3.1. This is due to insufficient validation of user-supplied URLs before passing them to the getimagesize function in the Elementor widget integration. This...

CVSS 4.3 | AI score 5.3 | EPSS 0.00039
Exploits 0 | References 8

Positive Technologies
added 2026/01/10 12:0 a.m. | 2 views

PT-2026-1702

Name of the Vulnerable Software and Affected Versions: Featured Image from URL FIFU plugin for WordPress versions up to and including 5.3.1. Description: The software contains a Server-Side Request Forgery issue due to inadequate validation of user-supplied URLs before they are passed to the...

CVSS 4.3 | AI score 6.2 | EPSS 0.00039
Exploits 0 | References 10

CNNVD
added 2026/01/10 12:0 a.m. | 2 views

WordPress plugin Featured Image from URL code issue vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers. WordPress plugin is an application plugin. A code issue...

CVSS 4.3 | AI score 6.8 | EPSS 0.00039
Exploits 0 | References 5

RedhatCVE
added 2026/01/09 9:3 a.m. | 2 views

CVE-2024-39644

Improper Neutralization of Input During Web Page Generation XSS or 'Cross-site Scripting' vulnerability in Modernaweb Studio Black Widgets For Elementor allows Stored XSS. This issue affects Black Widgets For Elementor: from n/a through 1.3.5...

CVSS 6.5 | AI score 6 | EPSS 0.00251
Exploits 0 | References 1

EUVD
added 2025/11/08 12:30 p.m. | 2 views

EUVD-2025-38372

The aThemes Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Call To Action widget in versions up to, and including, 1.1.5 due to insufficient input sanitization and output escaping on user-supplied values. This makes it possible for authenticated...

CVSS 6.4 | AI score 4.6 | EPSS 0.00031
Exploits 0 | References 5

EUVD
added 2025/10/03 8:7 p.m. | 2 views

EUVD-2024-27865

Malicious code in bioql PyPI...

CVSS 6.4 | AI score 6.5 | EPSS 0.00233
Exploits 0 | References 2

EUVD
added 2025/10/03 8:7 p.m. | 3 views

EUVD-2024-45093

Malicious code in bioql PyPI...

CVSS 6.5 | AI score 6.4 | EPSS 0.00197
Exploits 0 | References 1

RedhatCVE
added 2025/08/30 6:19 p.m. | 1 view

CVE-2025-48354

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in WP Smart Widgets Better Post & Filter Widgets for Elementor better-post-filter-widgets-for-elementor allows Stored XSS. This issue affects Better Post & Filter Widgets for Elementor: from n/a throug...

CVSS 6.5 | AI score 5.9 | EPSS 0.00047
Exploits 0 | References 1

Vulnrichment
added 2025/08/29 4:25 a.m. | 1 view

CVE-2025-8619 OSM Map Widget for Elementor <= 1.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Button URL

The OSM Map Widget for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Map Block URL in all versions up to, and including, 1.3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVSS 6.4 | AI score 4.7 | EPSS 0.00053
Exploits 0 | References 2

CVE
added 2025/08/28 3:42 a.m. | 13 views

CVE-2025-8603

CVE-2025-8603 affects the WordPress plugin “Unlimited Elements For Elementor” (Auth Contributor+). Root cause: insufficient input sanitization and output escaping in multiple widgets, enabling stored XSS. Impact: authenticated attackers can inject scripts that run when other users visit the injec...

CVSS 6.4 | AI score 6 | EPSS 0.00053
Exploits 0 | References 3