37 matches found
CVE-2023-47504
CVE-2023-47504 affects Elementor Website Builder (
CVE-2023-48777
Elementor Website Builder is affected by CVE-2023-48777: Unrestricted file upload to RCE via template import in versions 3.3.0–3.18.1. Exploitation requires Contributor-level access (Authenticated). The root cause involves handle_elementor_upload saving uploaded files to a temporary location befo...
CVE-2023-0329
CVE-2023-0329 affects the Elementor Website Builder WordPress plugin prior to 3.12.2. The issue is a SQL injection caused by improper sanitization/escaping of the Replace URL parameter in the Tools module before it is used in a SQL statement. Exploitation requires privileges of an Administrator, ...
CVE-2022-1329
Elementor Website Builder WordPress plugin versions 3.6.0–3.6.2 are affected by CVE-2022-1329 due to a missing capability check in core/app/modules/onboarding/module.php, enabling unauthorized execution of several AJAX actions, modification of site data, and uploading of malicious files that can ...
CVE-2024-24934
CVE-2024-24934 (Elementor Website Builder): Affected plugin versions are Elementor Website Builder
CVE-2022-29455
Summary: WordPress Elementor Website Builder plugin ≤ 3.5.5 is affected by a DOM-based Reflected XSS vulnerability. The issue arises in the plugin’s frontend DOM handling, enabling attacker-controlled script execution in the victim’s browser. Impact: potential arbitrary JavaScript execution in th...
CVE-2022-4953
The CVE describes a vulnerability in the Elementor Website Builder WordPress plugin, affecting versions prior to 3.5.5, where user-controlled URLs loaded into the DOM are not properly filtered, enabling injection of rogue iframes to malicious URLs. Affected product: WordPress Elementor Website Bu...
CVE-2024-4619
CVE-2024-4619 affects Elementor Website Builder – More than Just a Page Builder for WordPress. The vulnerability is DOM-based Stored XSS in the hover_animation parameter. Impact per sources: an attacker with contributor+ permissions can inject scripts that execute when users load the affected pa...
CVE-2024-2117
CVE-2024-2117 affects Elementor Website Builder – More than Just a Page Builder (WordPress) via the Path Widget. All versions up to 3.20.2 are vulnerable due to insufficient output escaping on user-supplied attributes, enabling stored XSS. Exploitation requires an authenticated attacker with cont...
CVE-2024-13445
CVE-2024-13445 affects the WordPress plugin “Elementor Website Builder – More Than Just a Page Builder” (Elementor) and is a Stored XSS vulnerability exploitable by authenticated users with Contributor+ that targets border, margin, and gap parameters. The issue arises from insufficient input sani...
CVE-2024-5416
The CVE-2024-5416 entry concerns the Elementor Website Builder – More than Just a Page Builder WordPress plugin (
CVE-2024-37437
CVE-2024-37437 affects Elementor Website Builder (WordPress plugin) up to version 3.22.1. Root cause: improper restriction of pathnames leading to a Path Traversal; impact includes arbitrary SVG download and potential Cross-Site Scripting (stored XSS) as indicated by multiple sources. Mitigation:...
CVE-2024-8236
The CVE-2024-8236 entry concerns Elementor Website Builder for WordPress (versions
CVE-2023-47505
CVE-2023-47505 affects Elementor Website Builder (WordPress plugin)
CVE-2024-8494
The CVE concerns Elementor Website Builder Pro for WordPress. Affected: all versions up to and including 3.25.10. Issue: authenticated attackers with Contributor+ access can exploit the elementor-template shortcode to exfiltrate sensitive information from Private, Pending, and Draft Templates (Se...
CVE-2025-8081
Summary (CVE-2025-8081): The Elementor WordPress plugin (versions ≤ 3.30.2) is vulnerable to an arbitrary file read via the Import_Images::import() path traversal due to insufficient validation of the uploaded file reference (tmp_name). The underlying issue allowed authenticated administrators to ...
CVE-2024-0506
Elementor Website Builder for WordPress (WordPress plugin) is vulnerable to Cross‑Site Scripting via the get_image_alt path in versions
CVE-2020-7109
CVE-2020-7109 affects the Elementor Page Builder plugin for WordPress (versions prior to 2.8.4). The underlying issue is failure to sanitize data when creating a new template, which can enable Cross-Site Scripting (XSS) or related input-handling risks. Public references (NVD/Red Hat/PRION/OpenVAS...
CVE-2020-8426
CVE-2020-8426 describes a reflected XSS in the WordPress Elementor Page Builder plugin (versions prior to 2.8.5) on the elementor-system-info page. The vulnerability is exploitable by an authenticated user; no public exploit details are provided in the supplied documents. Affected component is th...
CVE-2024-54444
CVE-2024-54444 is a stored Cross-Site Scripting vulnerability in the WordPress plugin Elementor Website Builder (affected:
CVE-2023-33922
CVE-2023-33922 concerns the WordPress plugin Elementor Website Builder (affected: versions
CVE-2024-6757
CVE-2024-6757: Elementor Website Builder for WordPress ( 3.23.5, with Patchstack noting fixed in 3.24.6; Wordfence/Red Hat references align on patching. Short-term mitigations include restricting access to the affected function. The vulnerability is categorized as Medium risk per available data,...
CVE-2021-24891
The CVE-2021-24891 entry concerns the WordPress Elementor Website Builder plugin: versions prior to 3.4.8 contain a DOM-based XSS due to input being appended to the DOM without proper sanitization/escaping of a malicious hash. In practice, this can allow arbitrary JavaScript execution in the vict...
CVE-2024-4107
Technical details about CVE-2024-4107 are not publicly provided in the supplied documents. Monitoring for updates is recommended.
CVE-2024-10453
CVE-2024-10453 concerns the vulnerability in Elementor Website Builder – More Than Just a Page Builder. The vulnerability is a Stored Cross-Site Scripting issue in the plugin’s Typography Settings, arising from insufficient input sanitization and output escaping on user-supplied attributes. It a...
CVE-2020-36171
CVE-2020-36171 concerns the Elementor Website Builder plugin for WordPress. Affected: WordPress plugins prior to version 3.0.14. Root cause: incomplete validation/restriction of uploaded SVG files, enabling potentially unsafe SVG uploads. Reported impact includes security concerns such as possib...
CVE-2025-3075
CVE-2025-3075 affects the WordPress plugin “Elementor Website Builder – More Than Just a Page Builder” up to version 3.29.0, via a Stored Cross-Site Scripting flaw in the elementor-element shortcode caused by insufficient input sanitization and output escaping of user attributes. Exploitation req...
CVE-2020-15020
Technical details are not publicly available in the provided connected documents for CVE-2020-15020. The initial description notes a stored XSS in Elementor up to version 2.9.13 via Name Your Template. Monitor for official updates and patches.
CVE-2024-2120
The CVE-2024-2120 vulnerability affects Elementor Website Builder – More than Just a Page Builder for WordPress. It enables Stored XSS via the Post Navigation widget in all versions up to 3.20.1, caused by insufficient input sanitization and output escaping on user-supplied attributes. Authentica...
CVE-2021-24206
CVE-2021-24206 affects the Elementor Website Builder WordPress plugin prior to 3.1.4. The image box widget (image-box.php) accepts a title_size parameter that is not properly sanitized. An authenticated user with Contributor+ can submit a modified save_builder request containing JavaScript in tit...
CVE-2020-20634
CVE-2020-20634 affects the Elementor WordPress plugin, versions 2.9.5 and below. The issue allows authenticated users to activate the plugin’s Safe Mode feature, which can be exploited to disable all security plugins on the blog. This is an authentication‑required privilege escalation affecting p...
CVE-2021-24203
CVE-2021-24203 describes an authenticated stored XSS in the Elementor Website Builder WordPress plugin prior to 3.1.4. The divider widget’s divider.php path accepts an html_tag parameter; an attacker with Contributor+ permissions can modify a save_builder request to set html_tag to script and inc...
CVE-2020-36703
The CVE-2020-36703 entry concerns the Elementor Website Builder WordPress plugin. It documents a Stored Cross-Site Scripting (XSS) flaw in SVG image uploads for versions up to and including 2.9.7. The underlying issue allows authenticated attackers with the upload_files capability to inject arbit...
CVE-2021-24201
Vulnerability summary (CVE-2021-24201): In the Elementor Website Builder WordPress plugin prior to 3.1.4, the column element (includes/elements/column.php) accepts an html_tag parameter. A user with Contributor+ permissions can send a modified save_builder request containing JavaScript in html_ta...
CVE-2021-24205
The CVE applies to the Elementor Website Builder WordPress plugin (before 3.1.4). The icon box widget’s title_size parameter can be exploited by a user with Contributor+ permissions via a modified save_builder request, enabling stored XSS because the JavaScript is not filtered/escaped and execute...
CVE-2021-24204
The CVE concerns Elementor Website Builder WordPress plugin prior to 3.1.4. The accordion widget (includes/widgets/accordion.php) accepts a title_html_tag parameter, which was not properly filtered. A user with Contributor or higher permissions can craft a modified save_builder request containing...
CVE-2021-24202
CVE-2021-24202 affects the Elementor Website Builder WordPress plugin (before 3.1.4). The heading widget’s header_size parameter is exploitable when an authenticated user (Contributor or higher) sends a modified save_builder payload, setting header_size to script and a title containing JavaScript...