27 matches found
CVE-2023-47504
CVE-2023-47504 affects Elementor Website Builder (
CVE-2023-0329
CVE-2023-0329 affects the Elementor Website Builder WordPress plugin prior to 3.12.2. The issue is a SQL injection caused by improper sanitization/escaping of the Replace URL parameter in the Tools module before it is used in a SQL statement. Exploitation requires privileges of an Administrator, ...
CVE-2024-24934
CVE-2024-24934 (Elementor Website Builder) : Affected plugin versions are Elementor Website Builder
CVE-2022-4953
The CVE describes a vulnerability in the Elementor Website Builder WordPress plugin, affecting versions prior to 3.5.5, where user-controlled URLs loaded into the DOM are not properly filtered, enabling injection of rogue iframes to malicious URLs. Affected product: WordPress Elementor Website Bu...
CVE-2024-2117
CVE-2024-2117 affects Elementor Website Builder – More than Just a Page Builder (WordPress) via the Path Widget. All versions up to 3.20.2 are vulnerable due to insufficient output escaping on user-supplied attributes, enabling stored XSS. Exploitation requires an authenticated attacker with cont...
CVE-2024-4619
CVE-2024-4619 affects Elementor Website Builder – More than Just a Page Builder for WordPress. The vulnerability is DOM-based Stored XSS in the hover_animation parameter, Web impact per sources: attacker with contributor+ permissions can inject scripts that execute when users load the affected pa...
CVE-2024-13445
CVE-2024-13445 affects the WordPress plugin “Elementor Website Builder – More Than Just a Page Builder” (Elementor) and is a Stored XSS vulnerability exploitable by authenticated users with Contributor+ that targets border, margin, and gap parameters. The issue arises from insufficient input sani...
CVE-2024-5416
The CVE-2024-5416 entry concerns the Elementor Website Builder – More than Just a Page Builder WordPress plugin (
CVE-2024-37437
CVE-2024-37437 affects Elementor Website Builder (WordPress plugin) up to version 3.22.1. Root cause: improper restriction of pathnames leading to a Path Traversal; impact includes arbitrary SVG download and potential Cross-Site Scripting (stored XSS) as indicated by multiple sources. Mitigation:...
CVE-2025-8081
Summary (CVE-2025-8081) The Elementor WordPress plugin (versions ≤ 3.30.2) is vulnerable to an arbitrary file read via the Import_Images::import() path traversal due to insufficient validation of the uploaded file reference (tmp_name). The underlying issue allowed authenticated administrators to ...
CVE-2024-8494
The CVE concerns Elementor Website Builder Pro for WordPress. Affected: all versions up to and including 3.25.10. Issue: authenticated attackers with Contributor+ access can exploit the elementor-template shortcode to exfiltrate sensitive information from Private, Pending, and Draft Templates (Se...
CVE-2024-0506
Elementor Website Builder for WordPress (WordPress plugin) is vulnerable to Cross‑Site Scripting via the get_image_alt path in versions
CVE-2020-7109
CVE-2020-7109 affects the Elementor Page Builder plugin for WordPress (versions prior to 2.8.4). The underlying issue is failure to sanitize data when creating a new template, which can enable Cross-Site Scripting (XSS) or related input-handling risks. Public references (NVD/Red Hat/PRION/OpenVAS...
CVE-2020-8426
CVE-2020-8426 describes a reflected XSS in the WordPress Elementor Page Builder plugin (versions prior to 2.8.5) on the elementor-system-info page. The vulnerability is exploitable by an authenticated user; no public exploit details are provided in the supplied documents. Affected component is th...
CVE-2023-33922
CVE-2023-33922 concerns the WordPress plugin Elementor Website Builder (affected: versions
CVE-2024-6757
CVE-2024-6757 : Elementor Website Builder for WordPress ( 3.23.5, with Patchstack noting fixed in 3.24.6; Wordfence/Red Hat references align on patching. Short-term mitigations include restricting access to the affected function. The vulnerability is categorized as Medium risk per available data,...
CVE-2021-24891
The CVE-2021-24891 entry concerns the WordPress Elementor Website Builder plugin: versions prior to 3.4.8 contain a DOM-based XSS due to input being appended to the DOM without proper sanitization/escaping of a malicious hash. In practice, this can allow arbitrary JavaScript execution in the vict...
CVE-2024-4107
Technical details about CVE-2024-4107 are not publicly provided in the supplied documents. Monitoring for updates is recommended.
CVE-2020-36171
CVE-2020-36171 concerns the Elementor Website Builder plugin for WordPress. Affected: WordPress plugins prior to version 3.0.14 . Root cause: incomplete validation/restriction of uploaded SVG files, enabling potentially unsafe SVG uploads. Reported impact includes security concerns such as possib...
CVE-2025-3075
CVE-2025-3075 affects the WordPress plugin “Elementor Website Builder – More Than Just a Page Builder” up to version 3.29.0, via a Stored Cross-Site Scripting flaw in the elementor-element shortcode caused by insufficient input sanitization and output escaping of user attributes. Exploitation req...
CVE-2024-2120
The CVE-2024-2120 vulnerability affects Elementor Website Builder – More than Just a Page Builder for WordPress. It enables Stored XSS via the Post Navigation widget in all versions up to 3.20.1, caused by insufficient input sanitization and output escaping on user-supplied attributes. Authentica...
CVE-2021-24206
CVE-2021-24206 affects the Elementor Website Builder WordPress plugin prior to 3.1.4. The image box widget (image-box.php) accepts a title_size parameter that is not properly sanitized. An authenticated user with Contributor+ can submit a modified save_builder request containing JavaScript in tit...
CVE-2021-24203
CVE-2021-24203 describes an authenticated stored XSS in the Elementor Website Builder WordPress plugin prior to 3.1.4. The divider widget’s divider.php path accepts an html_tag parameter; an attacker with Contributor+ permissions can modify a save_builder request to set html_tag to script and inc...
CVE-2021-24201
Vulnerability summary (CVE-2021-24201): In the Elementor Website Builder WordPress plugin prior to 3.1.4, the column element (includes/elements/column.php) accepts an html_tag parameter. A user with Contributor+ permissions can send a modified save_builder request containing JavaScript in html_ta...
CVE-2021-24204
The CVE concerns Elementor Website Builder WordPress plugin prior to 3.1.4. The accordion widget (includes/widgets/accordion.php) accepts a title_html_tag parameter, which was not properly filtered. A user with Contributor or higher permissions can craft a modified save_builder request containing...
CVE-2021-24205
The CVE applies to the Elementor Website Builder WordPress plugin (before 3.1.4). The icon box widget’s title_size parameter can be exploited by a user with Contributor+ permissions via a modified save_builder request, enabling stored XSS because the JavaScript is not filtered/escaped and execute...
CVE-2021-24202
CVE-2021-24202 affects the Elementor Website Builder WordPress plugin (before 3.1.4). The heading widget’s header_size parameter is exploitable when an authenticated user (Contributor or higher) sends a modified save_builder payload, setting header_size to script and a title containing JavaScript...