14 matches found
PT-2025-54283
The Ultimate Post Kit Addons for Elementor WordPress plugin before 4.0.16 exposes multiple AJAX “load more” endpoints such as upk alex grid loadmore posts without ensuring that posts to be displayed are published authentication. This allows an unauthenticated attacker to query arbitrary posts and...
CVE-2025-9978
CVE-2025-9978 affects the Jeg Kit for Elementor WordPress plugin prior to 2.7.0. The vulnerability arises because SVG file contents are not sanitized when uploaded via xmlrpc.php, enabling cross-site scripting (XSS). Multiple sources corroborate the issue and specify the vulnerable version range ...
EUVD-2023-12359
Malicious code in bioql PyPI...
EUVD-2022-52063
Malicious code in bioql PyPI...
CVE-2025-8081
The Elementor plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.30.2 via the Import_Images::import function due to insufficient controls on the filename specified. This makes it possible for authenticated attackers, with administrator-level access an...
CVE-2025-8081
Summary (CVE-2025-8081) The Elementor WordPress plugin (versions ≤ 3.30.2) is vulnerable to an arbitrary file read via the Import_Images::import() path traversal due to insufficient validation of the uploaded file reference (tmp_name). The underlying issue allowed authenticated administrators to ...
CVE-2024-13113
The Countdown Timer for Elementor WordPress plugin before 1.3.7 does not sanitise and escape some parameters when outputting them on the page, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks...
CVE-2024-5666
CVE-2024-5666 affects the Extensions for Elementor WordPress plugin through a vulnerability in the EE Button widget’s url parameter, which enables Stored XSS because of insufficient input sanitization and output escaping. Affected versions: all up to and including 2.0.30. Exploitation requires authenticated access (Contribu...
PT-2024-17933 · Grafana · Grafana
Name of the Vulnerable Software and Affected Versions: Countdown Timer for Elementor WordPress plugin versions prior to 1.3.7. Description: The issue concerns the Countdown Timer for Elementor WordPress plugin, where versions prior to 1.3.7 do not properly sanitise and escape some parameters when...
Cross site scripting
The PowerPack Addons for Elementor WordPress plugin before 2.6.2 does not escape the tab parameter before outputting it back in an attribute in the admin dashboard, leading to a Reflected Cross-Site Scripting issue...
CVE-2021-25027
CVE-2021-25027 affects the WordPress plugin PowerPack Addons for Elementor (versions before 2.6.2). The issue is a failure to escape the tab parameter when outputting it back into an HTML attribute in the admin dashboard, resulting in a reflected Cross-Site Scripting vulnerability. Impact describ...
CVE-2021-24292
The Happy Addons for Elementor WordPress plugin before 2.24.0, Happy Addons Pro for Elementor WordPress plugin before 1.17.0 have a number of widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method: The “Card” widget...
Cross site scripting
The “Elementor – Header, Footer & Blocks Template” WordPress Plugin before 1.5.8 has two widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method...
CVE-2020-20634
Elementor 2.9.5 and below WordPress plugin allows authenticated users to activate its safe mode feature. This can be exploited to disable all security plugins on the blog...