7 matches found
CVE-2020-26596
CVE-2020-26596 affects the Dynamic OOO widget in Elementor Pro for WordPress up to version 3.0.5. It permits remote authenticated users with the Editor role to upload executable PHP code via the PHP Raw snippet, enabling arbitrary code execution. Mitigation suggested in the description is to remo...
CVE-2023-3124
The CVE-2023-3124 entry concerns the WordPress Elementor Pro plugin. A missing capability check in the update_page_option function (versions up to and including 3.11.6) allows authenticated users with subscriber-level capabilities to modify arbitrary site options, enabling privilege escalation. A...
CVE-2024-35656
CVE-2024-35656 is an input handling flaw in Elementor Pro (WordPress) that enables Reflected XSS in the Elementor Website Builder Pro up to version 3.21.2. The issue occurs during web page generation and affects Elementor Pro releases prior to the patched version. The connected documents identify...
CVE-2024-1521
CVE-2024-1521 affects the Elementor Website Builder Pro plugin for WordPress. It enables Stored Cross-Site Scripting through an SVGZ file uploaded via the Form widget in all versions up to and including 3.20.1, due to insufficient input sanitization and output escaping. Exploitation requires auth...
CVE-2024-2121
The CVE CVE-2024-2121 affects the Elementor Website Builder Pro WordPress plugin. It enables Stored Cross-Site Scripting via the Media Carousel widget in all versions up to 3.20.1, caused by insufficient input sanitization and output escaping on user-supplied attributes. Attackers with contributo...
CVE-2024-1364
CVE-2024-1364 – Elementor Website Builder Pro : Stored XSS in the WordPress plugin via the widget’s custom_id in all versions up to 3.20.1. Root cause: insufficient input sanitization and output escaping of user-supplied attributes. Exploitation requires authentication at contributor level or hig...
CVE-2024-2781
The vulnerability CVE-2024-2781 affects Elementor Website Builder Pro for WordPress. It is a Stored XSS in the video_html_tag attribute, present in all versions up to and including 3.20.1, caused by insufficient input sanitization and output escaping. The impact, as stated, is that authenticated ...