Elementor Website Builder
by WordPress
Source repositories
CVEs (39)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-4953 | Med | 0.36 | 6.1 | 0.02 | Aug 14, 2023 | The Elementor Website Builder WordPress plugin before 3.5.5 does not filter out user-controlled URLs from being loaded into the DOM. This could be used to inject rogue iframes that point to malicious URLs. | ||
| CVE-2025-4566 | Med | 0.35 | 6.4 | 0.00 | Jul 29, 2025 | The Elementor Website Builder – More Than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the data-text DOM element attribute in Text Path widget in all versions up to, and including, 3.30.2 due to insufficient input sanitization and… | ||
| CVE-2024-4619 | Med | 0.35 | 6.4 | 0.00 | May 21, 2024 | The Elementor Website Builder – More than Just a Page Builder plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the ‘hover_animation’ parameter in versions up to, and including, 3.21.5 due to insufficient input sanitization and output… | ||
| CVE-2024-2121 | Med | 0.35 | 5.4 | 0.00 | Mar 27, 2024 | The Elementor Website Builder Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Media Carousel widget in all versions up to, and including, 3.20.1 due to insufficient input sanitization and output escaping on user supplied attributes. This… | ||
| CVE-2024-2120 | Med | 0.35 | 5.4 | 0.00 | Mar 27, 2024 | The Elementor Website Builder Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Post Navigation widget in all versions up to, and including, 3.20.1 due to insufficient input sanitization and output escaping on user supplied attributes. This… | ||
| CVE-2024-0506 | Med | 0.35 | 6.4 | 0.00 | Feb 29, 2024 | The Elementor Website Builder – More than Just a Page Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $instance[alt] parameter in the get_image_alt function in all versions up to, and including, 3.18.3 due to insufficient input sanitization… | ||
| CVE-2021-24206 | Med | 0.35 | 5.4 | 0.01 | Apr 5, 2021 | In the Elementor Website Builder WordPress plugin before 3.1.4, the image box widget (includes/widgets/image-box.php) accepts a ‘title_size’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above… | ||
| CVE-2021-24205 | Med | 0.35 | 5.4 | 0.01 | Apr 5, 2021 | In the Elementor Website Builder WordPress plugin before 3.1.4, the icon box widget (includes/widgets/icon-box.php) accepts a ‘title_size’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above… | ||
| CVE-2021-24204 | Med | 0.35 | 5.4 | 0.01 | Apr 5, 2021 | In the Elementor Website Builder WordPress plugin before 3.1.4, the accordion widget (includes/widgets/accordion.php) accepts a ‘title_html_tag’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or… | ||
| CVE-2021-24203 | Med | 0.35 | 5.4 | 0.01 | Apr 5, 2021 | In the Elementor Website Builder WordPress plugin before 3.1.4, the divider widget (includes/widgets/divider.php) accepts an ‘html_tag’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above… | ||
| CVE-2021-24202 | Med | 0.35 | 5.4 | 0.01 | Apr 5, 2021 | In the Elementor Website Builder WordPress plugin before 3.1.4, the heading widget (includes/widgets/heading.php) accepts a ‘header_size’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above… | ||
| CVE-2021-24201 | Med | 0.35 | 5.4 | 0.01 | Apr 5, 2021 | In the Elementor Website Builder WordPress plugin before 3.1.4, the column element (includes/elements/column.php) accepts an ‘html_tag’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above… | ||
| CVE-2022-29455 | Med | 0.32 | 4.7 | 0.23 | Jun 13, 2022 | DOM-based Reflected Cross-Site Scripting (XSS) vulnerability in Elementor's Elementor Website Builder plugin <= 3.5.5 versions. | ||
| CVE-2026-49782 | Med | 0.28 | 5.4 | 0.00 | Jun 2, 2026 | Missing Authorization vulnerability in Elementor Elementor Website Builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Elementor Website Builder: from n/a through 4.1.0. | ||
| CVE-2025-67588 | Med | 0.28 | 4.3 | 0.00 | Dec 9, 2025 | Missing Authorization vulnerability in Elementor Elementor Website Builder elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Elementor Website Builder: from n/a through <= 3.33.0. | ||
| CVE-2024-8494 | Med | 0.28 | 4.3 | 0.00 | Jan 30, 2025 | The Elementor Website Builder Pro plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.25.10 via the 'elementor-template' shortcode. This makes it possible for authenticated attackers, with Contributor-level access and… | ||
| CVE-2024-6757 | Med | 0.28 | 4.3 | 0.00 | Oct 15, 2024 | The Elementor Website Builder – More than Just a Page Builder plugin for WordPress is vulnerable to Basic Information Exposure in all versions up to, and including, 3.23.5 via the get_image_alt function. This makes it possible for authenticated attackers, with… | ||
| CVE-2024-5416 | Med | 0.28 | 5.4 | 0.00 | Sep 11, 2024 | The Elementor Website Builder – More than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the url parameter of multiple widgets in all versions up to, and including, 3.23.4 due to insufficient input sanitization and output escaping on… | ||
| CVE-2023-33922 | Med | 0.28 | 4.3 | 0.00 | Jun 11, 2024 | Missing Authorization vulnerability in Elementor Elementor Website Builder.This issue affects Elementor Website Builder: from n/a through 3.13.2. |
- risk 0.36cvss 6.1epss 0.02
The Elementor Website Builder WordPress plugin before 3.5.5 does not filter out user-controlled URLs from being loaded into the DOM. This could be used to inject rogue iframes that point to malicious URLs.
- risk 0.35cvss 6.4epss 0.00
The Elementor Website Builder – More Than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the data-text DOM element attribute in Text Path widget in all versions up to, and including, 3.30.2 due to insufficient input sanitization and…
- risk 0.35cvss 6.4epss 0.00
The Elementor Website Builder – More than Just a Page Builder plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the ‘hover_animation’ parameter in versions up to, and including, 3.21.5 due to insufficient input sanitization and output…
- risk 0.35cvss 5.4epss 0.00
The Elementor Website Builder Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Media Carousel widget in all versions up to, and including, 3.20.1 due to insufficient input sanitization and output escaping on user supplied attributes. This…
- risk 0.35cvss 5.4epss 0.00
The Elementor Website Builder Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Post Navigation widget in all versions up to, and including, 3.20.1 due to insufficient input sanitization and output escaping on user supplied attributes. This…
- risk 0.35cvss 6.4epss 0.00
The Elementor Website Builder – More than Just a Page Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $instance[alt] parameter in the get_image_alt function in all versions up to, and including, 3.18.3 due to insufficient input sanitization…
- risk 0.35cvss 5.4epss 0.01
In the Elementor Website Builder WordPress plugin before 3.1.4, the image box widget (includes/widgets/image-box.php) accepts a ‘title_size’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above…
- risk 0.35cvss 5.4epss 0.01
In the Elementor Website Builder WordPress plugin before 3.1.4, the icon box widget (includes/widgets/icon-box.php) accepts a ‘title_size’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above…
- risk 0.35cvss 5.4epss 0.01
In the Elementor Website Builder WordPress plugin before 3.1.4, the accordion widget (includes/widgets/accordion.php) accepts a ‘title_html_tag’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or…
- risk 0.35cvss 5.4epss 0.01
In the Elementor Website Builder WordPress plugin before 3.1.4, the divider widget (includes/widgets/divider.php) accepts an ‘html_tag’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above…
- risk 0.35cvss 5.4epss 0.01
In the Elementor Website Builder WordPress plugin before 3.1.4, the heading widget (includes/widgets/heading.php) accepts a ‘header_size’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above…
- risk 0.35cvss 5.4epss 0.01
In the Elementor Website Builder WordPress plugin before 3.1.4, the column element (includes/elements/column.php) accepts an ‘html_tag’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above…
- risk 0.32cvss 4.7epss 0.23
DOM-based Reflected Cross-Site Scripting (XSS) vulnerability in Elementor's Elementor Website Builder plugin <= 3.5.5 versions.
- risk 0.28cvss 5.4epss 0.00
Missing Authorization vulnerability in Elementor Elementor Website Builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Elementor Website Builder: from n/a through 4.1.0.
- risk 0.28cvss 4.3epss 0.00
Missing Authorization vulnerability in Elementor Elementor Website Builder elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Elementor Website Builder: from n/a through <= 3.33.0.
- risk 0.28cvss 4.3epss 0.00
The Elementor Website Builder Pro plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.25.10 via the 'elementor-template' shortcode. This makes it possible for authenticated attackers, with Contributor-level access and…
- risk 0.28cvss 4.3epss 0.00
The Elementor Website Builder – More than Just a Page Builder plugin for WordPress is vulnerable to Basic Information Exposure in all versions up to, and including, 3.23.5 via the get_image_alt function. This makes it possible for authenticated attackers, with…
- risk 0.28cvss 5.4epss 0.00
The Elementor Website Builder – More than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the url parameter of multiple widgets in all versions up to, and including, 3.23.4 due to insufficient input sanitization and output escaping on…
- risk 0.28cvss 4.3epss 0.00
Missing Authorization vulnerability in Elementor Elementor Website Builder.This issue affects Elementor Website Builder: from n/a through 3.13.2.
Page 2 of 2