wordfence / plugin · elementor
Elementor Website Builder – more than just a page builder
elementor
total installs: 10,000,000
total vulns: 10
critical: 0
high: 0
medium: 10
low: 0
latest vuln: —
patched: 10
unpatched: 0
avg time to patch: —
vulnerabilities (10)
Elementor Website Builder <= 4.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via REST API
severity: medium
status: patched
cve id: CVE-2026-6127
cvss score: 6.4
cwe: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
published: Apr 30, 2026
The Elementor Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the _elementor_data meta field in versions up to, and including, 4.0.4. This is due to insufficient input sanitization when processing form-encoded REST API requests. The plugin registers the _elementor_data meta field with show_in_rest but omits a sanitize_callback, relying instead on a rest_pre_insert_post filter (the sanitize_post_data function) that only sanitizes JSON-encoded request bodies. When a contributor sends a form-encoded PATCH request to the WordPress REST API, the json_decode() call on the raw body returns null, causing all sanitization to be skipped. The unsanitized data is then stored via update_post_meta() and later output without escaping through multiple widget sinks, including the HTML widget's print_unescaped_setting() function. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Elementor Website Builder <= 3.35.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via REST API
severity: medium
status: patched
cve id: CVE-2025-14732
cvss score: 6.4
cwe: CWE-87: Improper Neutralization of Alternate XSS Syntax
published: Apr 7, 2026
The Elementor Website Builder – More Than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widget parameters in all versions up to, and including, 3.35.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Elementor Website Builder <= 3.35.7 - Incorrect Authorization to Authenticated (Contributor+) Sensitive Information Exposure via Elementor Template
severity: medium
status: patched
cve id: CVE-2026-1206
cvss score: 4.3
cwe: CWE-639: Authorization Bypass Through User-Controlled Key
published: Mar 25, 2026
The Elementor Website Builder plugin for WordPress is vulnerable to Incorrect Authorization to Sensitive Information Exposure in all versions up to, and including, 3.35.7. This is due to a logic error in the is_allowed_to_read_template() function permission check that treats non-published templates as readable without verifying edit capabilities. This makes it possible for authenticated attackers, with contributor-level access and above, to read private or draft Elementor template content via the 'template_id' supplied to the 'get_template_data' action of the 'elementor_ajax' endpoint.
Elementor Website Builder <= 3.35.5 - Missing Authorization
severity: medium
status: patched
The Elementor Website Builder plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 3.35.5. This makes it possible for authenticated attackers, with author-level access and above, to perform an unauthorized action.
Elementor Website Builder <= 3.35.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
severity: medium
status: patched
cve id: CVE-2026-32352
cvss score: 6.4
cwe: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
published: Feb 13, 2026
The Elementor Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.35.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Elementor <= 3.33.3 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Text Path
severity: medium
status: patched
cve id: CVE-2025-11220
cvss score: 6.4
cwe: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
published: Dec 15, 2025
The Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Text Path widget in all versions up to, and including, 3.33.3 due to insufficient neutralization of user-supplied input used to build SVG markup inside the widget. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Elementor Website Builder <= 3.33.0 - Missing Authorization
severity: medium
status: patched
The Elementor Website Builder – More Than Just a Page Builder plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 3.33.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to perform an unauthorized action.
Elementor <= 3.30.2 - Authenticated (Administrator+) Arbitrary File Read via Image Import
severity: medium
status: patched
cve id: CVE-2025-8081
cvss score: 4.9
cwe: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
published: Aug 11, 2025
The Elementor plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.30.2 via the Import_Images::import() function due to insufficient controls on the filename specified. This makes it possible for authenticated attackers, with administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
Elementor <= 3.30.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Text Path Widget
severity: medium
status: patched
cve id: CVE-2025-4566
cvss score: 6.4
cwe: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
published: Jul 28, 2025
The Elementor Website Builder – More Than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the data-text DOM element attribute in the Text Path widget in all versions up to, and including, 3.30.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This attack affects only Chrome/Edge browsers.
Elementor <= 3.29.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
severity: medium
status: patched
cve id: CVE-2025-3075
cvss score: 6.4
cwe: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
published: Jul 28, 2025
The Elementor Website Builder – More Than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'elementor-element' shortcode in all versions up to, and including, 3.29.0 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only impacts sites with 'Element Caching' enabled.