Elementor Website Builder
by WordPress
Source repositories
CVEs (39)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-1329 | Hig | 0.68 | 8.8 | 0.93 | Apr 19, 2022 | The Elementor Website Builder plugin for WordPress is vulnerable to unauthorized execution of several AJAX actions due to a missing capability check in the ~/core/app/modules/onboarding/module.php file that make it possible for attackers to modify site data in addition to… | ||
| CVE-2023-48777 | Cri | 0.65 | 9.9 | 0.04 | Mar 26, 2024 | Unrestricted Upload of File with Dangerous Type vulnerability in Elementor.Com Elementor Website Builder.This issue affects Elementor Website Builder: from 3.3.0 through 3.18.1. | ||
| CVE-2024-24934 | Hig | 0.55 | 8.5 | 0.01 | May 17, 2024 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Elementor Elementor Website Builder allows Manipulating Web Input to File System Calls.This issue affects Elementor Website Builder: from n/a through 3.19.0. | ||
| CVE-2023-0329 | Hig | 0.48 | 7.2 | 0.20 | May 30, 2023 | The Elementor Website Builder WordPress plugin before 3.12.2 does not properly sanitize and escape the Replace URL parameter in the Tools module before using it in a SQL statement, leading to a SQL injection exploitable by users with the Administrator role. | ||
| CVE-2025-3075 | Med | 0.42 | 6.4 | 0.00 | Jul 29, 2025 | The Elementor Website Builder – More Than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'elementor-element' shortcode in all versions up to, and including, 3.29.0 due to insufficient input sanitization and output… | ||
| CVE-2025-3076 | Med | 0.42 | 6.4 | 0.00 | Jun 10, 2025 | The Elementor Website Builder Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘button_text’ parameter in all versions up to, and including, 3.29.0 due to insufficient input sanitization and output escaping. This makes it possible for… | ||
| CVE-2024-54444 | Med | 0.42 | 6.5 | 0.00 | Feb 25, 2025 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Elementor Elementor Website Builder elementor allows Stored XSS.This issue affects Elementor Website Builder: from n/a through <= 3.25.10. | ||
| CVE-2024-13445 | Med | 0.42 | 6.4 | 0.00 | Feb 20, 2025 | The Elementor Website Builder – More Than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the border, margin and gap parameters in all versions up to, and including, 3.27.4 due to insufficient input sanitization and output escaping.… | ||
| CVE-2024-10453 | Med | 0.42 | 6.4 | 0.00 | Dec 21, 2024 | The Elementor Website Builder – More than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Typography Settings in all versions up to, and including, 3.25.9 due to insufficient input sanitization and output escaping on user… | ||
| CVE-2024-8236 | Med | 0.42 | 6.4 | 0.00 | Nov 26, 2024 | The Elementor Website Builder – More than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter of the Icon widget in all versions up to, and including, 3.25.7 due to insufficient input sanitization and output… | ||
| CVE-2024-4107 | Med | 0.42 | 6.4 | 0.00 | May 14, 2024 | The Elementor Website Builder – More than Just a Page Builder Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the several parameters in versions up to, and including, 3.21.0 due to insufficient input sanitization and output escaping. This makes it… | ||
| CVE-2023-47504 | Med | 0.42 | 6.5 | 0.01 | Apr 24, 2024 | Improper Authentication vulnerability in Elementor Elementor Website Builder allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Elementor Website Builder: from n/a through 3.16.4. | ||
| CVE-2024-2117 | Med | 0.42 | 6.4 | 0.00 | Apr 9, 2024 | The Elementor Website Builder – More than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Path Widget in all versions up to, and including, 3.20.2 due to insufficient output escaping on user supplied attributes. This makes… | ||
| CVE-2024-2781 | Med | 0.42 | 6.4 | 0.00 | Mar 27, 2024 | The Elementor Website Builder Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the video_html_tag attribute in all versions up to, and including, 3.20.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated… | ||
| CVE-2024-1521 | Med | 0.42 | 6.4 | 0.00 | Mar 27, 2024 | The Elementor Website Builder Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an SVGZ file uploaded via the Form widget in all versions up to, and including, 3.20.1 due to insufficient input sanitization and output escaping. This makes it possible for… | ||
| CVE-2024-1364 | Med | 0.42 | 6.4 | 0.00 | Mar 27, 2024 | The Elementor Website Builder Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via widget's custom_id in all versions up to, and including, 3.20.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible… | ||
| CVE-2020-36703 | Med | 0.42 | 6.4 | 0.00 | Jun 7, 2023 | The Elementor Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG image uploads in versions up to, and including 2.9.7 This makes it possible for authenticated attackers with the upload_files capability to inject arbitrary web scripts in… | ||
| CVE-2021-24891 | Med | 0.42 | 6.1 | 0.24 | Nov 23, 2021 | The Elementor Website Builder WordPress plugin before 3.4.8 does not sanitise or escape user input appended to the DOM via a malicious hash, resulting in a DOM Cross-Site Scripting issue. | ||
| CVE-2020-36171 | Med | 0.40 | 6.1 | 0.01 | Jan 6, 2021 | The Elementor Website Builder plugin before 3.0.14 for WordPress does not properly restrict SVG uploads. | ||
| CVE-2024-37437 | Med | 0.36 | 5.5 | 0.00 | Jul 9, 2024 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Elementor Elementor Website Builder elementor.This issue affects Elementor Website Builder: from n/a through <= 3.22.1. |
- risk 0.68cvss 8.8epss 0.93
The Elementor Website Builder plugin for WordPress is vulnerable to unauthorized execution of several AJAX actions due to a missing capability check in the ~/core/app/modules/onboarding/module.php file that make it possible for attackers to modify site data in addition to…
- risk 0.65cvss 9.9epss 0.04
Unrestricted Upload of File with Dangerous Type vulnerability in Elementor.Com Elementor Website Builder.This issue affects Elementor Website Builder: from 3.3.0 through 3.18.1.
- risk 0.55cvss 8.5epss 0.01
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Elementor Elementor Website Builder allows Manipulating Web Input to File System Calls.This issue affects Elementor Website Builder: from n/a through 3.19.0.
- risk 0.48cvss 7.2epss 0.20
The Elementor Website Builder WordPress plugin before 3.12.2 does not properly sanitize and escape the Replace URL parameter in the Tools module before using it in a SQL statement, leading to a SQL injection exploitable by users with the Administrator role.
- risk 0.42cvss 6.4epss 0.00
The Elementor Website Builder – More Than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'elementor-element' shortcode in all versions up to, and including, 3.29.0 due to insufficient input sanitization and output…
- risk 0.42cvss 6.4epss 0.00
The Elementor Website Builder Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘button_text’ parameter in all versions up to, and including, 3.29.0 due to insufficient input sanitization and output escaping. This makes it possible for…
- risk 0.42cvss 6.5epss 0.00
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Elementor Elementor Website Builder elementor allows Stored XSS.This issue affects Elementor Website Builder: from n/a through <= 3.25.10.
- risk 0.42cvss 6.4epss 0.00
The Elementor Website Builder – More Than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the border, margin and gap parameters in all versions up to, and including, 3.27.4 due to insufficient input sanitization and output escaping.…
- risk 0.42cvss 6.4epss 0.00
The Elementor Website Builder – More than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Typography Settings in all versions up to, and including, 3.25.9 due to insufficient input sanitization and output escaping on user…
- risk 0.42cvss 6.4epss 0.00
The Elementor Website Builder – More than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter of the Icon widget in all versions up to, and including, 3.25.7 due to insufficient input sanitization and output…
- risk 0.42cvss 6.4epss 0.00
The Elementor Website Builder – More than Just a Page Builder Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the several parameters in versions up to, and including, 3.21.0 due to insufficient input sanitization and output escaping. This makes it…
- risk 0.42cvss 6.5epss 0.01
Improper Authentication vulnerability in Elementor Elementor Website Builder allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Elementor Website Builder: from n/a through 3.16.4.
- risk 0.42cvss 6.4epss 0.00
The Elementor Website Builder – More than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Path Widget in all versions up to, and including, 3.20.2 due to insufficient output escaping on user supplied attributes. This makes…
- risk 0.42cvss 6.4epss 0.00
The Elementor Website Builder Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the video_html_tag attribute in all versions up to, and including, 3.20.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated…
- risk 0.42cvss 6.4epss 0.00
The Elementor Website Builder Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an SVGZ file uploaded via the Form widget in all versions up to, and including, 3.20.1 due to insufficient input sanitization and output escaping. This makes it possible for…
- risk 0.42cvss 6.4epss 0.00
The Elementor Website Builder Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via widget's custom_id in all versions up to, and including, 3.20.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible…
- risk 0.42cvss 6.4epss 0.00
The Elementor Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG image uploads in versions up to, and including 2.9.7 This makes it possible for authenticated attackers with the upload_files capability to inject arbitrary web scripts in…
- risk 0.42cvss 6.1epss 0.24
The Elementor Website Builder WordPress plugin before 3.4.8 does not sanitise or escape user input appended to the DOM via a malicious hash, resulting in a DOM Cross-Site Scripting issue.
- risk 0.40cvss 6.1epss 0.01
The Elementor Website Builder plugin before 3.0.14 for WordPress does not properly restrict SVG uploads.
- risk 0.36cvss 5.5epss 0.00
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Elementor Elementor Website Builder elementor.This issue affects Elementor Website Builder: from n/a through <= 3.22.1.
Page 1 of 2