Elementor
Monthly
Unauthenticated reflected/stored cross-site scripting in Royal Elementor Addons Pro WordPress plugin versions prior to 1.7.1041 allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they interact with a crafted link or page. No public exploit identified at time of analysis, but the unauthenticated nature combined with the popularity of Elementor-ecosystem plugins makes this a credible threat to WordPress sites running the Pro variant. Patchstack disclosure indicates a fixed version is available.
Authentication bypass in the PowerPack Pro for Elementor WordPress plugin (versions prior to 2.13.0) allows remote attackers to subvert authentication controls and gain unauthorized access with high impact to confidentiality, integrity, and availability. The flaw, reported by Patchstack and tracked as CVE-2026-42629, is classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and requires user interaction per the CVSS vector. No public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.
Arbitrary file upload in the Unlimited Elements for Elementor (Premium) WordPress plugin versions 2.0.6 and earlier allows authenticated users with Contributor-level privileges to upload arbitrary files, leading to remote code execution on the underlying WordPress host. Reported by Patchstack and rated CVSS 9.9 with a scope-changing impact, no public exploit identified at time of analysis but the low privilege bar makes this a high-priority issue for any site that permits Contributor accounts.
Unauthenticated PHP Object Injection in the WordPress plugin 'Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms' (versions <= 1.1.8) allows remote attackers to deserialize attacker-controlled data, potentially leading to remote code execution when a suitable POP (property-oriented programming) gadget chain exists in the WordPress environment. The flaw is reachable without authentication and carries a CVSS 9.8 rating, though no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV. The plugin is distributed by CRM Perks and was disclosed via Patchstack.
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms' (versions <= 1.4.3) allows remote attackers to pass attacker-controlled serialized data into PHP's unserialize() function. With a CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and no authentication required, successful exploitation can lead to arbitrary code execution, data theft, or full site takeover when a suitable POP gadget chain is present. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Unauthenticated PHP Object Injection in the CRM Perks 'WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms' WordPress plugin (versions 1.1.4 and earlier) allows remote attackers to inject crafted serialized PHP objects into the application, potentially leading to remote code execution, data theft, or site takeover when a suitable POP gadget chain is present. The flaw is reported by Patchstack and carries a 9.8 CVSS score with network-reachable, no-privilege, no-interaction characteristics. No public exploit identified at time of analysis.
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms' (versions 1.2.1 and earlier) allows remote attackers to inject crafted serialized objects that can be deserialized by the plugin, potentially leading to full site compromise. No public exploit identified at time of analysis, but the CVSS 9.8 score and unauthenticated network attack vector make this a high priority for any WordPress site running the affected plugin. EPSS and CISA KEV data were not provided in the input, so real-world exploitation prevalence is undetermined.
Unauthenticated PHP object injection in the WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms WordPress plugin (versions <= 1.1.4) allows remote attackers to deliver crafted serialized payloads that the plugin deserializes without validation. Successful exploitation can lead to remote code execution, data tampering, or full site compromise when a suitable POP (property-oriented programming) gadget chain is available in WordPress core, the active theme, or any installed plugin. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Stored Cross-Site Scripting in the King Addons for Elementor WordPress plugin (versions up to and including 51.1.62) allows authenticated subscribers to inject and persist malicious JavaScript payloads within plugin-rendered content. The scope-changed CVSS vector (S:C) reflects that injected scripts execute in the browsers of other site users - including administrators - enabling session hijacking and privilege escalation via social engineering. No public exploit code and no CISA KEV listing have been identified at time of analysis, placing this in the moderate-priority tier despite the network-reachable attack surface.
Reflected/stored cross-site scripting in the Product Filter Widget for Elementor WordPress plugin (versions <= 1.0.6) allows unauthenticated remote attackers to inject malicious script that executes in a victim's browser after user interaction. The flaw was disclosed via Patchstack and carries a CVSS 3.1 score of 7.1 with scope change due to script execution in the browser context; no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Unauthenticated Broken Access Control in the Essential Addons for Elementor WordPress plugin (all versions prior to 6.6.0) allows remote unauthenticated attackers to perform restricted actions without proper authorization. The root cause is a missing authorization check (CWE-862), permitting requests that should be gated behind authentication or capability checks to succeed. No public exploit code or active exploitation has been identified at time of analysis; however, the unauthenticated network-accessible nature (PR:N, AV:N) lowers the barrier to abuse significantly.
Unauthenticated PHP Object Injection in the WordPress plugin 'Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms' (versions 1.1.1 and earlier) allows remote attackers to inject crafted serialized objects that are deserialized by the plugin, enabling abuse of POP gadget chains for code execution, file operations, or data tampering. The flaw scores CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and impacts any WordPress site running the affected CRM Perks integration plugin. There is no public exploit identified at time of analysis, but the unauthenticated nature and prevalence of WordPress as a target make this a high-priority patching item.
Stored Cross-Site Scripting in Prime Elementor Addons for WordPress (all versions through 1.3.3) allows authenticated attackers with contributor-level access to persist malicious scripts in widget HTML Tag settings that execute in any visitor's browser on page load. The vulnerability is notable for a specific filter bypass: payloads crafted without HTML angle brackets (e.g., 'img src=x onerror=alert(document.domain)') pass unmodified through Elementor's wp_kses_post() sanitization at save time, meaning even users lacking the unfiltered_html capability can inject effective XSS. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Reflected Cross-Site Scripting in the Product Filter Widget for Elementor WordPress plugin (versions up to and including 1.0.6) enables unauthenticated attackers to inject and execute arbitrary JavaScript in a victim's browser session. The vulnerability stems from unsanitized output of the 'args[filterFormArray]' parameter in a publicly accessible AJAX endpoint registered via wp_ajax_nopriv_ with no nonce verification or capability check, meaning any unauthenticated request to admin-ajax.php can carry the payload. Exploitation is delivered via a CSRF-style auto-submitting form, requiring the attacker to social-engineer a victim into visiting an attacker-controlled page; no public exploit code or CISA KEV listing has been identified at time of analysis.
Information exposure in Essential Addons for Elementor (all versions ≤ 6.6.4) allows unauthenticated remote attackers to extract content from password-protected, private, and draft WordPress posts via the plugin's ajax_load_more AJAX endpoint. The root cause (CWE-639) is that user-controlled query parameters are accepted without enforcing WordPress native post-visibility access controls, bypassing the platform's built-in confidentiality model. No public exploit code has been identified at time of analysis, but the zero-authentication, zero-complexity attack surface on one of the most widely deployed Elementor add-ons makes this a realistic target for automated scanning campaigns.
Stored cross-site scripting in the Integration for Freshsales WordPress plugin (versions up to and including 1.0.15) allows unauthenticated attackers to inject arbitrary JavaScript via form submission data that executes when an administrator views the failed-CRM-call error log modal in wp-admin. The flaw, reported by Wordfence and tracked as CWE-79, carries CVSS 7.2 due to scope change (S:C) since the payload escapes from the form-submission context into the privileged admin panel, though no public exploit identified at time of analysis.
Stored Cross-Site Scripting in the Master Addons for Elementor WordPress plugin (versions up to and including 3.1.0) allows authenticated attackers with author-level access to inject persistent JavaScript into pages by exploiting a broken authorization boundary in the Custom JS Extension. The flaw arises because the unfiltered_html capability check is enforced only during UI rendering (Elementor control registration) and entirely absent from the save handler, permitting a crafted POST to admin-ajax.php?action=elementor_ajax to store arbitrary scripts that execute in every subsequent visitor's browser. No public exploit or CISA KEV listing has been identified at time of analysis, though the Wordfence disclosure and direct source-code references confirm the issue is well-documented.
Stored Cross-Site Scripting in The Plus Addons for Elementor WordPress plugin (versions up to and including 6.4.15) allows authenticated contributor-level attackers to persistently inject malicious scripts via the carousel_direction parameter of the Carousel Anything widget. The root cause is an unquoted HTML attribute context in the render() function where esc_attr() is applied but insufficient - attribute injection is still possible by appending space-separated event handlers to the bare dir= attribute. Injected payloads persist in the database and execute in any visiting user's browser, including administrators, enabling session hijacking or privilege escalation; no public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV.
Blind SQL injection in the Unlimited Elements For Elementor WordPress plugin (versions up to and including 2.0.8) allows authenticated low-privilege attackers to inject arbitrary SQL into backend database queries. The flaw was reported by Patchstack and carries a CVSS 3.1 score of 8.5 due to scope change and high confidentiality impact, though no public exploit identified at time of analysis and EPSS probability remains low at 0.03%. The scope change (S:C) indicates the injection crosses a trust boundary, amplifying impact beyond the vulnerable component.
Unauthenticated privilege escalation in the Easy Elements for Elementor WordPress plugin through version 1.4.5 allows remote attackers to register administrator accounts by abusing an unchecked custom_meta parameter in the eel_register AJAX handler. The flaw lets attackers overwrite the wp_capabilities user meta after wp_insert_user() has assigned a safe role, granting full site takeover. No public exploit identified at time of analysis, and the CVSS vector's PR:L appears inconsistent with the description's explicit unauthenticated abuse path.
Missing authorization in PDF for Elementor Forms + Drag And Drop Template Builder (WordPress plugin by ADD-ONS.ORG) allows an authenticated low-privilege user to exploit incorrectly configured access control security levels, resulting in unauthorized integrity modifications with changed scope. All plugin versions through 5.5.1 are affected. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, placing this in a monitor-and-patch priority tier rather than emergency response.
Unauthorized template creation in the Xpro Addons for Elementor WordPress plugin exposes sites to unauthenticated content injection via a missing capability check on the get_content_editor AJAX function. All plugin versions through 1.5.0 are affected, allowing any remote attacker without credentials to create and publish Xpro templates on targeted WordPress sites. No public exploit identified at time of analysis, but the CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms trivial remote exploitability against default installations with no preconditions.
Privilege escalation in the Easy Elements for Elementor WordPress plugin (versions up to and including 1.4.4) allows unauthenticated remote attackers to register accounts with the 'administrator' role, granting full site takeover. The flaw exists in the 'easyel_handle_register' function which fails to validate or restrict the user role parameter submitted during registration. No public exploit identified at time of analysis, but the trivial nature of the bug and Wordfence's disclosure make weaponization straightforward.
Unauthenticated arbitrary file upload in the Piotnet Addons for Elementor Pro WordPress plugin (versions through 7.1.70) allows remote attackers to upload dangerous file types and potentially achieve remote code execution. The flaw stems from an incomplete extension blacklist in the 'pafe_ajax_form_builder' AJAX handler that fails to block executable wrappers such as .phar and .phtml. No public exploit identified at time of analysis, but the CVSS 9.8 score and unauthenticated network attack vector make this a high-priority issue for any WordPress site running the plugin with a file-upload form field.
Privilege escalation in Essential Addons for Elementor (all versions ≤ 6.5.13) allows authenticated WordPress users with Author-level access or above to create new accounts with elevated roles such as Editor by exploiting the plugin's `register_user` function, which applies an incomplete role denylist that blocks only 'administrator' while leaving other privileged roles unguarded. The network-accessible, low-complexity attack vector (AV:N/AC:L/PR:L) makes this realistic for any site with the plugin's registration widget exposed and populated with low-trust authors. No public exploit has been identified at time of analysis and CISA KEV status is absent, but the plugin's broad WordPress deployment increases aggregate exposure.
SQL Injection in the Unlimited Elements for Elementor WordPress plugin (versions up to and including 2.0.7) allows authenticated attackers holding at least Contributor-level access to extract sensitive database contents by injecting arbitrary SQL into the 'data[filter_search]' parameter of the get_cat_addons AJAX action. The vulnerability is the product of two chained weaknesses: the plugin's normalizeAjaxInputData() function actively undoes WordPress's built-in magic-quote protection via stripslashes(), and the deprecated wpdb->_escape() method then fails to safely handle the exposed input before it is concatenated directly into a LIKE clause. Reported by Wordfence and tracked as EUVD-2026-30214, no public exploit code has been identified at time of analysis and CISA KEV does not list this CVE, though the confidentiality impact is rated High, enabling full database read access for a successful attacker.
Blind SQL injection in Xpro Elementor Addons allows authenticated attackers to extract sensitive database contents including user credentials and site configurations. The vulnerability affects WordPress sites running plugin versions up to 1.5.1 and requires only low-privileged authenticated access (CVSS PR:L) with no user interaction. EPSS data not available, but the low attack complexity (AC:L) combined with changed scope (S:C) indicates potential for cross-boundary impact beyond the vulnerable plugin. No active exploitation confirmed in CISA KEV at time of analysis.
Stored cross-site scripting in Sky Addons plugin for WordPress (versions up to 3.3.2) allows authenticated attackers with Author-level access to inject arbitrary JavaScript via the REST API that persists in the `sky-custom-scripts` post type and executes on all frontend pages for every site visitor. The vulnerability stems from insufficient input sanitization on the `sky_script_content` meta field combined with lack of output escaping during frontend rendering. No public exploit code or active exploitation has been identified at time of analysis, but the attack requires only Author-level privileges and standard REST API access, making it a practical threat in multi-user WordPress environments.
Happy Addons for Elementor through version 3.20.8 exposes sensitive system information to unauthorized users via an information disclosure vulnerability, allowing remote unauthenticated attackers to retrieve embedded sensitive data without authentication or user interaction. The vulnerability affects all installations of the plugin up to and including version 3.20.8, with a CVSS score of 5.3 reflecting the confidentiality impact of exposed system data.
Missing authorization in Royal Elementor Addons before version 1.7.1053 allows unauthenticated remote attackers to read sensitive information via incorrectly configured access control security levels. The vulnerability affects the WordPress plugin and exposes confidential data without requiring user authentication or interaction, impacting all installations below the patched version.
Stored cross-site scripting (XSS) in WProyal Royal Elementor Addons before version 1.7.1053 allows authenticated users with limited privileges to inject malicious scripts into web pages, which execute in the browsers of site visitors. The vulnerability requires user interaction (UI:R in CVSS) and is limited to users with login credentials (PR:L), but once stored, affects all visitors regardless of their privileges. An attacker with contributor or editor access can compromise website visitors, steal session cookies, or perform actions on their behalf.
ElementsKit Elementor Addons plugin for WordPress versions up to 3.8.2 allows unauthenticated attackers to overwrite Elementor widget content via a missing capability check in the Live_Action::reset() function. By crafting a URL with specific GET parameters (post and action=elementor), attackers can permanently replace any elementskit_widget custom post type's design, text, and configurations with a blank template, causing data loss without requiring authentication or user interaction.
Stored Cross-Site Scripting in Royal Addons for Elementor's Instagram Feed widget allows authenticated contributors and above to inject arbitrary JavaScript via the 'instagram_follow_text' setting, which executes in the browsers of all users viewing the affected page. The vulnerability affects all versions up to 1.7.1056 and requires the Instagram Feed widget to be previously configured with a valid access token by an administrator. No public exploit code or active exploitation has been confirmed at this time.
Stored Cross-Site Scripting in Royal Elementor Addons WordPress plugin allows unauthenticated remote attackers to inject malicious scripts that execute in victim browsers. The vulnerability exists in all versions up to 1.7.1056 due to a publicly leaked static nonce that bypasses authentication checks for the wpr_update_form_action_meta AJAX endpoint. Combined with insufficient input sanitization on the 'status' parameter, attackers can inject persistent XSS payloads without authentication. EPSS data not provided; no CISA KEV listing indicates no confirmed widespread exploitation at time of analysis.
Stored Cross-Site Scripting in Premium Addons for Elementor plugin for WordPress up to version 4.11.70 allows authenticated attackers with contributor-level or higher privileges to inject arbitrary JavaScript via the 'custom_svg' parameter, which executes in the browsers of users viewing the affected pages. The vulnerability stems from insufficient input sanitization and output escaping on a user-controllable SVG parameter. No public exploit code or active exploitation has been identified at the time of analysis.
Unauthenticated attackers can modify form action metadata on WordPress posts through the Royal Addons for Elementor plugin (versions up to 1.7.1056) due to a missing capability check on the wpr_update_form_action_meta AJAX endpoint. The endpoint registers on both wp_ajax and wp_ajax_nopriv hooks, is accessible without authentication, and relies on a nonce that is publicly exposed in frontend JavaScript, allowing attackers to bypass the nonce protection and alter email, Mailchimp, and webhook settings on any post. This enables attackers to hijack form submissions, exfiltrate data via modified webhook URLs, or redirect emails to attacker-controlled addresses without any user interaction or special configuration required.
Server-Side Request Forgery (SSRF) in Royal Elementor Addons plugin for WordPress allows authenticated attackers with Contributor-level permissions to bypass URL validation by including 'docs.google.com/spreadsheets' in query parameters, enabling requests to arbitrary internal URLs and retrieval of sensitive data from private network services. Affects versions up to 1.7.1057. The CVSS vector indicates network-based attack with no authentication required (PR:N), contradicting the description's statement of Contributor-level requirement-affected site operators should verify actual privilege requirements with vendor advisory. No active exploitation confirmed (not in CISA KEV), but detailed source code references enable rapid POC development.
Stored cross-site scripting in Jeg Kit for Elementor WordPress plugin versions up to 3.1.0 allows authenticated contributors and above to inject arbitrary JavaScript via the 'sg_content_number_prefix' parameter, which executes when any user accesses the affected page. The vulnerability stems from insufficient input sanitization and output escaping in the Fun Fact widget element, affecting any WordPress site using this popular page builder addon. CVSS score of 6.4 reflects the network attack vector and broad scope, though exploitation requires valid contributor-level credentials.
Stored cross-site scripting in Elementor Website Builder plugin for WordPress up to version 4.0.4 allows authenticated contributors to inject arbitrary JavaScript via form-encoded REST API requests to the _elementor_data meta field. The vulnerability bypasses sanitization by exploiting a json_decode() failure on non-JSON request bodies, causing unsanitized data to be stored and later output without escaping in widget rendering functions. Contributors and above can inject malicious scripts that execute for all users viewing affected pages, compromising site integrity and user sessions.
DOM-based cross-site scripting (XSS) in CodexThemes TheGem Theme Elements plugin for Elementor allows authenticated attackers with low privileges to inject malicious scripts that execute in the context of other users' browsers when user interaction occurs. The vulnerability affects versions before 5.12.1.1 and requires authenticated access and user interaction to exploit, limiting real-world risk compared to network-vector XSS but still enabling session hijacking, credential theft, or unauthorized admin actions on WordPress sites using this plugin.
Stored cross-site scripting in Royal Elementor Addons plugin for WordPress up to version 1.7.1056 allows authenticated attackers with Author-level access to inject arbitrary JavaScript via image alt attributes in the Image Grid/Slider/Carousel widget. The vulnerability results from insufficient output escaping in the render_post_thumbnail() function, where wp_kses_post() is used instead of esc_attr() for HTML attribute context. Malicious scripts execute in the browsers of any user viewing pages containing the compromised image widget, potentially enabling session hijacking, credential theft, or plugin/theme manipulation.
BetterDocs plugin for WordPress versions up to 4.3.11 allows authenticated subscribers and higher to trigger arbitrary OpenAI API calls using the site's configured API key due to missing capability checks in the generate_openai_content_callback() function. An attacker with subscriber-level access can supply arbitrary prompts to exhaust the site owner's paid AI API quota without authorization, resulting in unauthorized financial impact and service degradation. No public exploit code or active exploitation has been identified at time of analysis.
The HT Mega Addons for Elementor WordPress plugin before 3.0.7 contains an unauthenticated AJAX action returning some PII (such as full name, city, state and country) of customers who placed orders in the last 7 days
Stored XSS in Flipbox Addon for Elementor WordPress plugin (versions ≤2.1.1) allows authenticated authors to inject malicious scripts via the button URL custom_attributes field due to insufficient validation of attribute names. The vulnerability uses esc_html() on attribute names, which fails to block event handler attributes like onmouseover and onclick, enabling arbitrary JavaScript execution in pages viewed by any user. CVSS 6.4 reflects the requirement for authenticated author-level access, but the stored nature and cross-site scope increase practical risk. Patch available in version 2.1.2.
Path traversal in Unlimited Elements for Elementor (WordPress plugin ≤2.0.6) enables authenticated attackers with Author-level privileges to read arbitrary files from the web server via crafted URLs in the Repeater JSON/CSV URL parameter. The vulnerability chains multiple sanitization failures in URLtoRelative(), urlToPath(), and cleanPath() functions, allowing traversal sequences like ../../../../etc/passwd to bypass domain-stripping logic and access sensitive files including wp-config.php. CVSS 7.5 indicates high confidentiality impact. EPSS and KEV data not provided; no public exploit confirmed at time of analysis. Wordfence reports the issue with detailed code references to vulnerable functions in versions through 2.0.6.
Stored Cross-Site Scripting in Royal Addons for Elementor plugin versions up to 1.7.1056 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript via the Instagram Feed widget's 'instagram_follow_text' setting, executing malicious scripts whenever users view affected pages. The vulnerability stems from insufficient input sanitization and output escaping in the widget configuration handler. CVSS 6.4 reflects the moderate severity (network-accessible, no user interaction required from victims, but limited scope to stored XSS with low confidentiality and integrity impact). No public exploit code or active exploitation has been confirmed at time of analysis.
Stored Cross-Site Scripting in BetterDocs WordPress plugin versions up to 4.3.8 allows authenticated attackers with contributor-level access to inject arbitrary JavaScript into pages via the 'betterdocs_feedback_form' shortcode due to insufficient input sanitization and output escaping. Injected scripts execute in the browsers of all users who view affected pages, enabling account compromise, credential theft, or malware distribution. No public exploit code or active exploitation has been identified at this time.
Livemesh Addons for Elementor plugin versions up to 9.0 allow authenticated attackers with Subscriber-level access to inject arbitrary JavaScript via the plugin settings page through missing authorization checks on the AJAX handler lae_admin_ajax() and insufficient output escaping on checkbox fields. The injected scripts execute whenever an administrator accesses the settings page if the attacker obtains a valid nonce, which can be leaked due to improper access control on settings pages. This combination of authorization bypass and stored XSS affects all WordPress installations running the vulnerable plugin.
Local file inclusion in Livemesh Addons for Elementor (WordPress plugin) ≤9.0 allows authenticated attackers with Contributor-level privileges to include and execute arbitrary PHP files via recursive directory traversal bypass in widget template parameters. The vulnerability requires Elementor plugin installation and either admin interaction (social engineering) or direct Contributor access. CVSS 8.8 reflects high impact (RCE potential) but limited by authentication requirement. No active exploitation confirmed (not in CISA KEV), but publicly available exploit code exists (Wordfence disclosure with technical details and code references).
Missing Authorization vulnerability in WP Royal Royal Elementor Addons royal-elementor-addons allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Royal Elementor Addons: from n/a through <= 1.7.1056.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in bdthemes Element Pack Elementor Addons bdthemes-element-pack-lite allows Blind SQL Injection.This issue affects Element Pack Elementor Addons: from n/a through <= 8.4.2.
Missing authorization bypass in Vertex Addons for Elementor (WordPress plugin, all versions ≤1.6.4) allows authenticated attackers with Subscriber-level privileges to install and activate arbitrary WordPress plugins. The activate_required_plugins() function checks current_user_can('install_plugins') capability but fails to halt execution on denial, permitting installation/activation to proceed before error response is sent. CVSS 8.8 (High) reflects authenticated (PR:L) network attack enabling high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis.
Stored cross-site scripting (XSS) in WPBITS Addons For Elementor Page Builder versions up to 1.8.1 allows authenticated attackers with low privileges to inject malicious scripts that execute in the context of other users' browsers. The vulnerability stems from improper input sanitization during web page generation, enabling an attacker to persistently compromise site content and steal session tokens or perform administrative actions on behalf of legitimate users. EPSS exploitation probability is very low at 0.03%, indicating limited real-world attack likelihood despite moderate CVSS severity.
DOM-based cross-site scripting (XSS) in Wealcoder Animation Addons for Elementor through version 2.6.1 allows authenticated attackers with low privileges to inject malicious scripts that execute in users' browsers with the click of a link. The vulnerability stems from improper input neutralization during web page generation and affects all versions of the plugin up to and including 2.6.1. With an EPSS score of 0.03% and no confirmed active exploitation, this represents a lower-priority vulnerability despite the authenticated attack requirement.
Stored cross-site scripting (XSS) in Livemesh Addons for Elementor through version 9.0 allows authenticated users with limited privileges to inject malicious scripts that execute in the browsers of administrators and other site visitors. The vulnerability stems from improper input sanitization during web page generation, enabling attackers to persistently compromise site functionality and steal administrative credentials or session tokens. CVSS 6.5 reflects moderate severity; EPSS 0.03% indicates very low real-world exploitation probability, suggesting this requires specific user interaction and authenticated access to exploit effectively.
Stored Cross-Site Scripting (XSS) in Themesflat Addons for Elementor up to version 2.3.2 allows authenticated users with low privileges to inject malicious scripts that execute in the context of site visitors' browsers. An attacker with contributor-level access or higher can craft input fields within the plugin's admin interface to persistently store JavaScript code, which then executes whenever other users (including administrators) view the affected content. The vulnerability has low real-world exploitation risk (EPSS 0.03%, percentile 8%) despite its CVSS 6.5 rating, as it requires authenticated user interaction and user-initiated viewing of affected pages.
Stored cross-site scripting in Element Pack Addons for Elementor plugin versions up to 8.4.2 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript via malicious SVG files through the SVG Image Widget. The vulnerability exists in the render_svg() function, which fetches remote SVG content and echoes it directly to pages without proper sanitization, enabling persistent XSS attacks affecting all users who view pages containing the compromised widget. No public exploit code or active exploitation has been identified at the time of analysis.
Stored Cross-Site Scripting in The Plus Addons for Elementor plugin for WordPress (all versions up to 6.4.9) allows authenticated attackers with contributor-level access and above to inject arbitrary JavaScript into pages via the Progress Bar shortcode due to insufficient input sanitization and output escaping. When other users access affected pages, the injected scripts execute in their browsers, enabling session hijacking, credential theft, or malware distribution. No public exploit code or active exploitation has been confirmed at time of analysis.
Stored Cross-Site Scripting in Prime Slider - Addons for Elementor plugin allows authenticated users with Author-level access to inject arbitrary JavaScript through the 'follow_us_text' setting in the Mount widget. The vulnerability exists in all versions up to 4.1.10 due to missing output escaping in the render_social_link() function, enabling attackers to execute malicious scripts whenever pages containing the injected widget are viewed. No public exploit code or active exploitation has been confirmed at this time.
Stored Cross-Site Scripting in Elementor Website Builder plugin for WordPress allows authenticated attackers with Contributor-level access or above to inject arbitrary JavaScript into page content via insufficiently sanitized widget parameters. The injected scripts execute in the browsers of all users accessing affected pages, potentially enabling account hijacking, malware distribution, or defacement. CVSS 6.4 reflects the requirement for authenticated access but the broad scope of impact across all site visitors.
Stored Cross-Site Scripting in Xpro Addons - 140+ Widgets for Elementor plugin up to version 1.4.20 allows authenticated contributors and above to inject malicious scripts via the Pricing Widget's 'onClick Event' setting, which execute in the browsers of any user viewing the affected pages. The vulnerability stems from insufficient input sanitization and output escaping, enabling persistent XSS attacks that compromise site integrity and user sessions. No active exploitation has been confirmed, but the low attack complexity and contributor-level access requirement present a moderate real-world risk for WordPress sites with contributor user bases.
Stored Cross-Site Scripting in ElementsKit Elementor Addons and Templates plugin (versions up to 3.7.9) allows authenticated contributors and above to inject malicious scripts via the 'ekit_tab_title' parameter in the Simple Tab widget due to insufficient input sanitization and output escaping. Injected scripts execute when users access affected pages. No public exploit code or active exploitation has been identified at time of analysis.
Stored Cross-Site Scripting (XSS) in Royal Addons for Elementor plugin allows authenticated contributors and above to inject arbitrary JavaScript via the 'button_text' parameter, affecting all versions through 1.7.1049. The vulnerability stems from insufficient input sanitization and output escaping, enabling attackers to execute malicious scripts in the context of any user visiting an affected page. No public exploit code or active exploitation has been identified at time of analysis.
Stored Cross-Site Scripting (XSS) in Xpro Addons - 140+ Widgets for Elementor plugin for WordPress up to version 1.4.24 allows authenticated contributors and above to inject malicious scripts via the Icon Box widget that execute for all users viewing affected pages. The vulnerability stems from insufficient input sanitization and output escaping, making it a direct code injection risk in a widely-used page builder extension. CVSS 6.4 reflects moderate severity with limited direct impact (confidentiality and integrity) but cross-site scope; no public exploit code or active exploitation has been identified at time of analysis.
King Addons for Elementor plugin versions up to 51.1.38 contain multiple DOM-Based Stored Cross-Site Scripting vulnerabilities affecting authenticated Contributor+ users. The plugin improperly escapes user input in JavaScript inline event handlers and uses unsafe DOM manipulation methods in widget settings, allowing attackers with Contributor-level access to inject arbitrary JavaScript that executes when pages are accessed or previewed in the Elementor editor. A partial patch was released in version 5.1.51, though the version numbering discrepancy suggests incomplete remediation across all vulnerable code paths.
Authenticated attackers with Contributor-level access or above can extract all form submissions from the Database for Contact Form 7, WPforms, Elementor Forms WordPress plugin (versions up to 1.4.9) via a missing capability check in the entries_shortcode() function, exposing names, emails, phone numbers, and other sensitive form data. The vulnerability requires existing WordPress user credentials but no administrative privileges, making it accessible to low-privileged users who may be granted contributor roles during normal site operations. No public exploit code or active exploitation has been confirmed at the time of analysis.
The Elementor Website Builder plugin for WordPress contains an authorization bypass vulnerability in the is_allowed_to_read_template() function that incorrectly permits authenticated users with contributor-level privileges to read private and draft template content. Attackers can exploit this through the 'get_template_data' action of the 'elementor_ajax' endpoint by supplying a 'template_id' parameter, resulting in exposure of sensitive template information. The vulnerability affects all versions up to and including 3.35.7 with a CVSS score of 4.3 (low-to-moderate severity) and requires low-complexity exploitation with authenticated access.
A Stored Cross-Site Scripting (XSS) vulnerability exists in ThemeHunk's Contact Form & Lead Form Elementor Builder plugin for WordPress, affecting all versions through 2.0.1. An attacker can inject malicious scripts into form fields that are stored in the database and executed in the browsers of administrators or other users who view the submitted data, potentially leading to account takeover, data theft, or malware distribution. No CVSS score or EPSS data is currently available, and active exploitation status is unknown; however, the vulnerability is confirmed by Patchstack and tracked under ENISA EUVD-2026-15903.
WP Insightly plugin versions 1.1.5 and earlier for Contact Form 7, WPForms, Elementor, Formidable, and Ninja Forms contain an authorization bypass that allows unauthenticated attackers to modify data through misconfigured access controls. An attacker can exploit this vulnerability to perform unauthorized actions on forms and contacts without proper permissions. No patch is currently available.
The CRM Perks Integration plugin for Mailchimp (versions through 1.2.2) contains a missing authorization flaw that allows authenticated attackers to modify data through incorrectly configured access controls. An attacker with user-level permissions could bypass authorization checks to alter form submissions and contact information across integrated platforms including Contact Form 7, WPForms, Elementor, and Ninja Forms. No patch is currently available for this vulnerability.
Vertex Addons for Elementor through version 1.6.4 contains an authorization bypass vulnerability that allows authenticated attackers to modify content or settings they should not have access to due to improperly configured access controls. An attacker with low-level user privileges can escalate their capabilities by exploiting the misconfigured security levels. No patch is currently available for this vulnerability.
A blind SQL injection vulnerability exists in ElementInvader Addons for Elementor, a WordPress plugin, affecting all versions through 1.4.2. An attacker can exploit this CWE-89 vulnerability to extract sensitive data from the underlying database without authentication, leveraging the plugin's improper neutralization of special SQL elements. No CVSS score, EPSS metric, or active KEV designation is currently available, but the blind SQL injection vector indicates meaningful exploitability risk requiring immediate patching.
King Addons for Elementor contains an information disclosure vulnerability that exposes sensitive API keys and secrets in HTML source code through the render_full_form function. Unauthenticated attackers can extract Mailchimp, Facebook, and Google API credentials from affected WordPress sites running the plugin up to version 51.1.49 that have the Premium license installed. This vulnerability has a CVSS score of 5.3 with a network attack vector requiring no authentication, making it easily discoverable and exploitable at scale.
The Sina Extension for Elementor plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the Fancy Text Widget and Countdown Widget that allows authenticated attackers with Contributor-level or higher privileges to inject arbitrary JavaScript into pages through insufficiently sanitized DOM attributes. When users visit pages containing the malicious widgets, the injected scripts execute in their browsers, potentially compromising session tokens, stealing sensitive data, or performing unauthorized actions on behalf of the victim. The vulnerability affects all versions up to and including 3.7.0, with a CVSS score of 6.4 indicating medium severity, though the impact is amplified by the stored nature of the XSS and the broad audience of WordPress sites using this popular page builder extension.
The PQ Addons - Creative Elementor Widgets plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the Section Title widget's html_tag parameter due to insufficient input sanitization and output escaping. All versions up to and including 1.0.0 are affected, allowing authenticated attackers with contributor-level access or above to inject arbitrary JavaScript that executes when users view affected pages. The vulnerability has a CVSS score of 6.4 (Medium) and exploits are possible since the attack requires only low privilege levels and no user interaction beyond page access.
Unauthenticated attackers can extract sensitive data from non-public custom post types in Royal Addons for Elementor WordPress plugin versions up to 1.7.1049 through improper access controls in the get_main_query_args() function. This allows exposure of private content including Contact Form 7 submissions and WooCommerce coupons without authentication. The vulnerability affects WordPress installations using this plugin and remains unpatched.
The Thim Kit for Elementor plugin for WordPress versions up to 1.3.7 allows unauthenticated attackers to access private and draft LearnPress course content through an improperly secured REST API endpoint that accepts arbitrary post status parameters. The vulnerability stems from missing input validation on the 'thim-ekit/archive-course/get-courses' endpoint, enabling information disclosure to any remote attacker without authentication or user interaction. No patch is currently available for this medium-severity flaw affecting WordPress installations using the vulnerable plugin.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Liton Arefin Master Addons for Elementor master-addons allows DOM-Based XSS.This issue affects Master Addons for Elementor: from n/a through <= 2.1.3.
Missing Authorization vulnerability in Elementor Elementor Website Builder elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Elementor Website Builder: from n/a through <= 3.35.5.
A Stored Cross-Site Scripting (XSS) vulnerability exists in PowerPack Addons for Elementor (powerpack-lite-for-elementor) versions up to 2.9.9, allowing authenticated attackers with limited privileges to inject malicious scripts that persist in the application and execute in other users' browsers. While the CVSS score is moderate (6.5) and EPSS exploitation probability is low (0.03%, percentile 8%), the vulnerability requires user interaction (UI:R) and authenticated access (PR:L), reducing real-world exploitability. No evidence of active exploitation (KEV status) or public proof-of-concept has been identified at this time.
A Stored Cross-Site Scripting (XSS) vulnerability exists in Magical Addons For Elementor, a WordPress plugin for the Elementor page builder, affecting versions up to and including 1.4.1. An authenticated attacker with low privileges can inject malicious JavaScript code that persists in the application and executes in the browsers of other users, potentially leading to session hijacking, credential theft, or defacement. This is a post-authentication vulnerability with user interaction required, making it moderately exploitable in real-world WordPress environments where multiple users collaborate on page design.
The RadiusTheme ShopBuilder plugin for WordPress (versions up to 3.2.4) improperly exposes sensitive system information through its Elementor WooCommerce integration, allowing unauthenticated attackers to retrieve embedded sensitive data. This information disclosure has a low confidentiality impact with no authentication or user interaction required. No patch is currently available for affected installations.
A DOM-based Cross-Site Scripting (XSS) vulnerability exists in Elementor Website Builder through version 3.35.5, allowing authenticated attackers with low privileges to inject malicious scripts that execute in the context of other users' browsers. An attacker can exploit this via a crafted page or element to steal session cookies, redirect users, or perform actions on their behalf. The vulnerability requires user interaction (UI:R) and authenticated access (PR:L), but carries a moderate CVSS score of 6.5 with cross-site impact (S:C), indicating meaningful business risk despite not being unauthenticated.
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Leap13 Premium Addons for Elementor premium-addons-for-elementor allows Retrieve Embedded Sensitive Data.This issue affects Premium Addons for Elementor: from n/a through <= 4.11.53.
Cross-Site Request Forgery in Premium Addons for Elementor plugin versions up to 4.11.53 allows unauthenticated remote attackers to create arbitrary Elementor templates by exploiting missing nonce validation in the 'insert_inner_template' function. An attacker must trick a site administrator or user with edit_posts capability into clicking a malicious link, but no public exploit code has been identified. The EPSS score of 0.02% indicates this vulnerability has very low exploitation probability in practice despite the CVSS 4.3 rating.
Unauthenticated attackers can access private, draft, and pending template content in Premium Addons for Elementor WordPress plugin (versions up to 4.11.53) due to a missing capability check in the 'get_template_content' function. This authentication bypass allows unauthorized disclosure of sensitive template data without requiring user interaction or special privileges. A vendor patch is available, and the vulnerability carries a moderate CVSS score of 5.3 with low technical impact but confirmed accessibility to restricted resources.
Missing Authorization vulnerability in WPDeveloper Essential Addons for Elementor essential-addons-for-elementor-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Essential Addons for Elementor: from n/a through <= 6.2.4.
The Elementor plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.30.2 via the Import_Images::import() function due to insufficient controls on the. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.
The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Countdown Widget in all versions up to, and including, 2.7.9.4 due to insufficient input. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
Stored cross-site scripting (XSS) in CyberChimps Responsive Addons for Elementor versions up to 1.7.3 allows authenticated users with limited privileges to inject malicious scripts that execute in the browsers of other site visitors, enabling credential theft, malware distribution, or website defacement. The vulnerability requires user interaction and affects WordPress installations using this plugin; exploitation probability is low (EPSS 0.04%) but impact is moderate given the stored nature of the attack.
Unauthenticated reflected/stored cross-site scripting in Royal Elementor Addons Pro WordPress plugin versions prior to 1.7.1041 allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they interact with a crafted link or page. No public exploit identified at time of analysis, but the unauthenticated nature combined with the popularity of Elementor-ecosystem plugins makes this a credible threat to WordPress sites running the Pro variant. Patchstack disclosure indicates a fixed version is available.
Authentication bypass in the PowerPack Pro for Elementor WordPress plugin (versions prior to 2.13.0) allows remote attackers to subvert authentication controls and gain unauthorized access with high impact to confidentiality, integrity, and availability. The flaw, reported by Patchstack and tracked as CVE-2026-42629, is classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and requires user interaction per the CVSS vector. No public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.
Arbitrary file upload in the Unlimited Elements for Elementor (Premium) WordPress plugin versions 2.0.6 and earlier allows authenticated users with Contributor-level privileges to upload arbitrary files, leading to remote code execution on the underlying WordPress host. Reported by Patchstack and rated CVSS 9.9 with a scope-changing impact, no public exploit identified at time of analysis but the low privilege bar makes this a high-priority issue for any site that permits Contributor accounts.
Unauthenticated PHP Object Injection in the WordPress plugin 'Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms' (versions <= 1.1.8) allows remote attackers to deserialize attacker-controlled data, potentially leading to remote code execution when a suitable POP (property-oriented programming) gadget chain exists in the WordPress environment. The flaw is reachable without authentication and carries a CVSS 9.8 rating, though no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV. The plugin is distributed by CRM Perks and was disclosed via Patchstack.
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms' (versions <= 1.4.3) allows remote attackers to pass attacker-controlled serialized data into PHP's unserialize() function. With a CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and no authentication required, successful exploitation can lead to arbitrary code execution, data theft, or full site takeover when a suitable POP gadget chain is present. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Unauthenticated PHP Object Injection in the CRM Perks 'WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms' WordPress plugin (versions 1.1.4 and earlier) allows remote attackers to inject crafted serialized PHP objects into the application, potentially leading to remote code execution, data theft, or site takeover when a suitable POP gadget chain is present. The flaw is reported by Patchstack and carries a 9.8 CVSS score with network-reachable, no-privilege, no-interaction characteristics. No public exploit identified at time of analysis.
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms' (versions 1.2.1 and earlier) allows remote attackers to inject crafted serialized objects that can be deserialized by the plugin, potentially leading to full site compromise. No public exploit identified at time of analysis, but the CVSS 9.8 score and unauthenticated network attack vector make this a high priority for any WordPress site running the affected plugin. EPSS and CISA KEV data were not provided in the input, so real-world exploitation prevalence is undetermined.
Unauthenticated PHP object injection in the WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms WordPress plugin (versions <= 1.1.4) allows remote attackers to deliver crafted serialized payloads that the plugin deserializes without validation. Successful exploitation can lead to remote code execution, data tampering, or full site compromise when a suitable POP (property-oriented programming) gadget chain is available in WordPress core, the active theme, or any installed plugin. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Stored Cross-Site Scripting in the King Addons for Elementor WordPress plugin (versions up to and including 51.1.62) allows authenticated subscribers to inject and persist malicious JavaScript payloads within plugin-rendered content. The scope-changed CVSS vector (S:C) reflects that injected scripts execute in the browsers of other site users - including administrators - enabling session hijacking and privilege escalation via social engineering. No public exploit code and no CISA KEV listing have been identified at time of analysis, placing this in the moderate-priority tier despite the network-reachable attack surface.
Reflected/stored cross-site scripting in the Product Filter Widget for Elementor WordPress plugin (versions <= 1.0.6) allows unauthenticated remote attackers to inject malicious script that executes in a victim's browser after user interaction. The flaw was disclosed via Patchstack and carries a CVSS 3.1 score of 7.1 with scope change due to script execution in the browser context; no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Unauthenticated Broken Access Control in the Essential Addons for Elementor WordPress plugin (all versions prior to 6.6.0) allows remote unauthenticated attackers to perform restricted actions without proper authorization. The root cause is a missing authorization check (CWE-862), permitting requests that should be gated behind authentication or capability checks to succeed. No public exploit code or active exploitation has been identified at time of analysis; however, the unauthenticated network-accessible nature (PR:N, AV:N) lowers the barrier to abuse significantly.
Unauthenticated PHP Object Injection in the WordPress plugin 'Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms' (versions 1.1.1 and earlier) allows remote attackers to inject crafted serialized objects that are deserialized by the plugin, enabling abuse of POP gadget chains for code execution, file operations, or data tampering. The flaw scores CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and impacts any WordPress site running the affected CRM Perks integration plugin. There is no public exploit identified at time of analysis, but the unauthenticated nature and prevalence of WordPress as a target make this a high-priority patching item.
Stored Cross-Site Scripting in Prime Elementor Addons for WordPress (all versions through 1.3.3) allows authenticated attackers with contributor-level access to persist malicious scripts in widget HTML Tag settings that execute in any visitor's browser on page load. The vulnerability is notable for a specific filter bypass: payloads crafted without HTML angle brackets (e.g., 'img src=x onerror=alert(document.domain)') pass unmodified through Elementor's wp_kses_post() sanitization at save time, meaning even users lacking the unfiltered_html capability can inject effective XSS. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Reflected Cross-Site Scripting in the Product Filter Widget for Elementor WordPress plugin (versions up to and including 1.0.6) enables unauthenticated attackers to inject and execute arbitrary JavaScript in a victim's browser session. The vulnerability stems from unsanitized output of the 'args[filterFormArray]' parameter in a publicly accessible AJAX endpoint registered via wp_ajax_nopriv_ with no nonce verification or capability check, meaning any unauthenticated request to admin-ajax.php can carry the payload. Exploitation is delivered via a CSRF-style auto-submitting form, requiring the attacker to social-engineer a victim into visiting an attacker-controlled page; no public exploit code or CISA KEV listing has been identified at time of analysis.
Information exposure in Essential Addons for Elementor (all versions ≤ 6.6.4) allows unauthenticated remote attackers to extract content from password-protected, private, and draft WordPress posts via the plugin's ajax_load_more AJAX endpoint. The root cause (CWE-639) is that user-controlled query parameters are accepted without enforcing WordPress native post-visibility access controls, bypassing the platform's built-in confidentiality model. No public exploit code has been identified at time of analysis, but the zero-authentication, zero-complexity attack surface on one of the most widely deployed Elementor add-ons makes this a realistic target for automated scanning campaigns.
Stored cross-site scripting in the Integration for Freshsales WordPress plugin (versions up to and including 1.0.15) allows unauthenticated attackers to inject arbitrary JavaScript via form submission data that executes when an administrator views the failed-CRM-call error log modal in wp-admin. The flaw, reported by Wordfence and tracked as CWE-79, carries CVSS 7.2 due to scope change (S:C) since the payload escapes from the form-submission context into the privileged admin panel, though no public exploit identified at time of analysis.
Stored Cross-Site Scripting in the Master Addons for Elementor WordPress plugin (versions up to and including 3.1.0) allows authenticated attackers with author-level access to inject persistent JavaScript into pages by exploiting a broken authorization boundary in the Custom JS Extension. The flaw arises because the unfiltered_html capability check is enforced only during UI rendering (Elementor control registration) and entirely absent from the save handler, permitting a crafted POST to admin-ajax.php?action=elementor_ajax to store arbitrary scripts that execute in every subsequent visitor's browser. No public exploit or CISA KEV listing has been identified at time of analysis, though the Wordfence disclosure and direct source-code references confirm the issue is well-documented.
Stored Cross-Site Scripting in The Plus Addons for Elementor WordPress plugin (versions up to and including 6.4.15) allows authenticated contributor-level attackers to persistently inject malicious scripts via the carousel_direction parameter of the Carousel Anything widget. The root cause is an unquoted HTML attribute context in the render() function where esc_attr() is applied but insufficient - attribute injection is still possible by appending space-separated event handlers to the bare dir= attribute. Injected payloads persist in the database and execute in any visiting user's browser, including administrators, enabling session hijacking or privilege escalation; no public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV.
Blind SQL injection in the Unlimited Elements For Elementor WordPress plugin (versions up to and including 2.0.8) allows authenticated low-privilege attackers to inject arbitrary SQL into backend database queries. The flaw was reported by Patchstack and carries a CVSS 3.1 score of 8.5 due to scope change and high confidentiality impact, though no public exploit identified at time of analysis and EPSS probability remains low at 0.03%. The scope change (S:C) indicates the injection crosses a trust boundary, amplifying impact beyond the vulnerable component.
Unauthenticated privilege escalation in the Easy Elements for Elementor WordPress plugin through version 1.4.5 allows remote attackers to register administrator accounts by abusing an unchecked custom_meta parameter in the eel_register AJAX handler. The flaw lets attackers overwrite the wp_capabilities user meta after wp_insert_user() has assigned a safe role, granting full site takeover. No public exploit identified at time of analysis, and the CVSS vector's PR:L appears inconsistent with the description's explicit unauthenticated abuse path.
Missing authorization in PDF for Elementor Forms + Drag And Drop Template Builder (WordPress plugin by ADD-ONS.ORG) allows an authenticated low-privilege user to exploit incorrectly configured access control security levels, resulting in unauthorized integrity modifications with changed scope. All plugin versions through 5.5.1 are affected. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, placing this in a monitor-and-patch priority tier rather than emergency response.
Unauthorized template creation in the Xpro Addons for Elementor WordPress plugin exposes sites to unauthenticated content injection via a missing capability check on the get_content_editor AJAX function. All plugin versions through 1.5.0 are affected, allowing any remote attacker without credentials to create and publish Xpro templates on targeted WordPress sites. No public exploit identified at time of analysis, but the CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms trivial remote exploitability against default installations with no preconditions.
Privilege escalation in the Easy Elements for Elementor WordPress plugin (versions up to and including 1.4.4) allows unauthenticated remote attackers to register accounts with the 'administrator' role, granting full site takeover. The flaw exists in the 'easyel_handle_register' function which fails to validate or restrict the user role parameter submitted during registration. No public exploit identified at time of analysis, but the trivial nature of the bug and Wordfence's disclosure make weaponization straightforward.
Unauthenticated arbitrary file upload in the Piotnet Addons for Elementor Pro WordPress plugin (versions through 7.1.70) allows remote attackers to upload dangerous file types and potentially achieve remote code execution. The flaw stems from an incomplete extension blacklist in the 'pafe_ajax_form_builder' AJAX handler that fails to block executable wrappers such as .phar and .phtml. No public exploit identified at time of analysis, but the CVSS 9.8 score and unauthenticated network attack vector make this a high-priority issue for any WordPress site running the plugin with a file-upload form field.
Privilege escalation in Essential Addons for Elementor (all versions ≤ 6.5.13) allows authenticated WordPress users with Author-level access or above to create new accounts with elevated roles such as Editor by exploiting the plugin's `register_user` function, which applies an incomplete role denylist that blocks only 'administrator' while leaving other privileged roles unguarded. The network-accessible, low-complexity attack vector (AV:N/AC:L/PR:L) makes this realistic for any site with the plugin's registration widget exposed and populated with low-trust authors. No public exploit has been identified at time of analysis and CISA KEV status is absent, but the plugin's broad WordPress deployment increases aggregate exposure.
SQL Injection in the Unlimited Elements for Elementor WordPress plugin (versions up to and including 2.0.7) allows authenticated attackers holding at least Contributor-level access to extract sensitive database contents by injecting arbitrary SQL into the 'data[filter_search]' parameter of the get_cat_addons AJAX action. The vulnerability is the product of two chained weaknesses: the plugin's normalizeAjaxInputData() function actively undoes WordPress's built-in magic-quote protection via stripslashes(), and the deprecated wpdb->_escape() method then fails to safely handle the exposed input before it is concatenated directly into a LIKE clause. Reported by Wordfence and tracked as EUVD-2026-30214, no public exploit code has been identified at time of analysis and CISA KEV does not list this CVE, though the confidentiality impact is rated High, enabling full database read access for a successful attacker.
Blind SQL injection in Xpro Elementor Addons allows authenticated attackers to extract sensitive database contents including user credentials and site configurations. The vulnerability affects WordPress sites running plugin versions up to 1.5.1 and requires only low-privileged authenticated access (CVSS PR:L) with no user interaction. EPSS data not available, but the low attack complexity (AC:L) combined with changed scope (S:C) indicates potential for cross-boundary impact beyond the vulnerable plugin. No active exploitation confirmed in CISA KEV at time of analysis.
Stored cross-site scripting in Sky Addons plugin for WordPress (versions up to 3.3.2) allows authenticated attackers with Author-level access to inject arbitrary JavaScript via the REST API that persists in the `sky-custom-scripts` post type and executes on all frontend pages for every site visitor. The vulnerability stems from insufficient input sanitization on the `sky_script_content` meta field combined with lack of output escaping during frontend rendering. No public exploit code or active exploitation has been identified at time of analysis, but the attack requires only Author-level privileges and standard REST API access, making it a practical threat in multi-user WordPress environments.
Happy Addons for Elementor through version 3.20.8 exposes sensitive system information to unauthorized users via an information disclosure vulnerability, allowing remote unauthenticated attackers to retrieve embedded sensitive data without authentication or user interaction. The vulnerability affects all installations of the plugin up to and including version 3.20.8, with a CVSS score of 5.3 reflecting the confidentiality impact of exposed system data.
Missing authorization in Royal Elementor Addons before version 1.7.1053 allows unauthenticated remote attackers to read sensitive information via incorrectly configured access control security levels. The vulnerability affects the WordPress plugin and exposes confidential data without requiring user authentication or interaction, impacting all installations below the patched version.
Stored cross-site scripting (XSS) in WProyal Royal Elementor Addons before version 1.7.1053 allows authenticated users with limited privileges to inject malicious scripts into web pages, which execute in the browsers of site visitors. The vulnerability requires user interaction (UI:R in CVSS) and is limited to users with login credentials (PR:L), but once stored, affects all visitors regardless of their privileges. An attacker with contributor or editor access can compromise website visitors, steal session cookies, or perform actions on their behalf.
ElementsKit Elementor Addons plugin for WordPress versions up to 3.8.2 allows unauthenticated attackers to overwrite Elementor widget content via a missing capability check in the Live_Action::reset() function. By crafting a URL with specific GET parameters (post and action=elementor), attackers can permanently replace any elementskit_widget custom post type's design, text, and configurations with a blank template, causing data loss without requiring authentication or user interaction.
Stored Cross-Site Scripting in Royal Addons for Elementor's Instagram Feed widget allows authenticated contributors and above to inject arbitrary JavaScript via the 'instagram_follow_text' setting, which executes in the browsers of all users viewing the affected page. The vulnerability affects all versions up to 1.7.1056 and requires the Instagram Feed widget to be previously configured with a valid access token by an administrator. No public exploit code or active exploitation has been confirmed at this time.
Stored Cross-Site Scripting in Royal Elementor Addons WordPress plugin allows unauthenticated remote attackers to inject malicious scripts that execute in victim browsers. The vulnerability exists in all versions up to 1.7.1056 due to a publicly leaked static nonce that bypasses authentication checks for the wpr_update_form_action_meta AJAX endpoint. Combined with insufficient input sanitization on the 'status' parameter, attackers can inject persistent XSS payloads without authentication. EPSS data not provided; no CISA KEV listing indicates no confirmed widespread exploitation at time of analysis.
Stored Cross-Site Scripting in Premium Addons for Elementor plugin for WordPress up to version 4.11.70 allows authenticated attackers with contributor-level or higher privileges to inject arbitrary JavaScript via the 'custom_svg' parameter, which executes in the browsers of users viewing the affected pages. The vulnerability stems from insufficient input sanitization and output escaping on a user-controllable SVG parameter. No public exploit code or active exploitation has been identified at the time of analysis.
Unauthenticated attackers can modify form action metadata on WordPress posts through the Royal Addons for Elementor plugin (versions up to 1.7.1056) due to a missing capability check on the wpr_update_form_action_meta AJAX endpoint. The endpoint registers on both wp_ajax and wp_ajax_nopriv hooks, is accessible without authentication, and relies on a nonce that is publicly exposed in frontend JavaScript, allowing attackers to bypass the nonce protection and alter email, Mailchimp, and webhook settings on any post. This enables attackers to hijack form submissions, exfiltrate data via modified webhook URLs, or redirect emails to attacker-controlled addresses without any user interaction or special configuration required.
Server-Side Request Forgery (SSRF) in Royal Elementor Addons plugin for WordPress allows authenticated attackers with Contributor-level permissions to bypass URL validation by including 'docs.google.com/spreadsheets' in query parameters, enabling requests to arbitrary internal URLs and retrieval of sensitive data from private network services. Affects versions up to 1.7.1057. The CVSS vector indicates network-based attack with no authentication required (PR:N), contradicting the description's statement of Contributor-level requirement-affected site operators should verify actual privilege requirements with vendor advisory. No active exploitation confirmed (not in CISA KEV), but detailed source code references enable rapid POC development.
Stored cross-site scripting in Jeg Kit for Elementor WordPress plugin versions up to 3.1.0 allows authenticated contributors and above to inject arbitrary JavaScript via the 'sg_content_number_prefix' parameter, which executes when any user accesses the affected page. The vulnerability stems from insufficient input sanitization and output escaping in the Fun Fact widget element, affecting any WordPress site using this popular page builder addon. CVSS score of 6.4 reflects the network attack vector and broad scope, though exploitation requires valid contributor-level credentials.
Stored cross-site scripting in Elementor Website Builder plugin for WordPress up to version 4.0.4 allows authenticated contributors to inject arbitrary JavaScript via form-encoded REST API requests to the _elementor_data meta field. The vulnerability bypasses sanitization by exploiting a json_decode() failure on non-JSON request bodies, causing unsanitized data to be stored and later output without escaping in widget rendering functions. Contributors and above can inject malicious scripts that execute for all users viewing affected pages, compromising site integrity and user sessions.
DOM-based cross-site scripting (XSS) in CodexThemes TheGem Theme Elements plugin for Elementor allows authenticated attackers with low privileges to inject malicious scripts that execute in the context of other users' browsers when user interaction occurs. The vulnerability affects versions before 5.12.1.1 and requires authenticated access and user interaction to exploit, limiting real-world risk compared to network-vector XSS but still enabling session hijacking, credential theft, or unauthorized admin actions on WordPress sites using this plugin.
Stored cross-site scripting in Royal Elementor Addons plugin for WordPress up to version 1.7.1056 allows authenticated attackers with Author-level access to inject arbitrary JavaScript via image alt attributes in the Image Grid/Slider/Carousel widget. The vulnerability results from insufficient output escaping in the render_post_thumbnail() function, where wp_kses_post() is used instead of esc_attr() for HTML attribute context. Malicious scripts execute in the browsers of any user viewing pages containing the compromised image widget, potentially enabling session hijacking, credential theft, or plugin/theme manipulation.
BetterDocs plugin for WordPress versions up to 4.3.11 allows authenticated subscribers and higher to trigger arbitrary OpenAI API calls using the site's configured API key due to missing capability checks in the generate_openai_content_callback() function. An attacker with subscriber-level access can supply arbitrary prompts to exhaust the site owner's paid AI API quota without authorization, resulting in unauthorized financial impact and service degradation. No public exploit code or active exploitation has been identified at time of analysis.
The HT Mega Addons for Elementor WordPress plugin before 3.0.7 contains an unauthenticated AJAX action returning some PII (such as full name, city, state and country) of customers who placed orders in the last 7 days
Stored XSS in Flipbox Addon for Elementor WordPress plugin (versions ≤2.1.1) allows authenticated authors to inject malicious scripts via the button URL custom_attributes field due to insufficient validation of attribute names. The vulnerability uses esc_html() on attribute names, which fails to block event handler attributes like onmouseover and onclick, enabling arbitrary JavaScript execution in pages viewed by any user. CVSS 6.4 reflects the requirement for authenticated author-level access, but the stored nature and cross-site scope increase practical risk. Patch available in version 2.1.2.
Path traversal in Unlimited Elements for Elementor (WordPress plugin ≤2.0.6) enables authenticated attackers with Author-level privileges to read arbitrary files from the web server via crafted URLs in the Repeater JSON/CSV URL parameter. The vulnerability chains multiple sanitization failures in URLtoRelative(), urlToPath(), and cleanPath() functions, allowing traversal sequences like ../../../../etc/passwd to bypass domain-stripping logic and access sensitive files including wp-config.php. CVSS 7.5 indicates high confidentiality impact. EPSS and KEV data not provided; no public exploit confirmed at time of analysis. Wordfence reports the issue with detailed code references to vulnerable functions in versions through 2.0.6.
Stored Cross-Site Scripting in Royal Addons for Elementor plugin versions up to 1.7.1056 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript via the Instagram Feed widget's 'instagram_follow_text' setting, executing malicious scripts whenever users view affected pages. The vulnerability stems from insufficient input sanitization and output escaping in the widget configuration handler. CVSS 6.4 reflects the moderate severity (network-accessible, no user interaction required from victims, but limited scope to stored XSS with low confidentiality and integrity impact). No public exploit code or active exploitation has been confirmed at time of analysis.
Stored Cross-Site Scripting in BetterDocs WordPress plugin versions up to 4.3.8 allows authenticated attackers with contributor-level access to inject arbitrary JavaScript into pages via the 'betterdocs_feedback_form' shortcode due to insufficient input sanitization and output escaping. Injected scripts execute in the browsers of all users who view affected pages, enabling account compromise, credential theft, or malware distribution. No public exploit code or active exploitation has been identified at this time.
Livemesh Addons for Elementor plugin versions up to 9.0 allow authenticated attackers with Subscriber-level access to inject arbitrary JavaScript via the plugin settings page through missing authorization checks on the AJAX handler lae_admin_ajax() and insufficient output escaping on checkbox fields. The injected scripts execute whenever an administrator accesses the settings page if the attacker obtains a valid nonce, which can be leaked due to improper access control on settings pages. This combination of authorization bypass and stored XSS affects all WordPress installations running the vulnerable plugin.
Local file inclusion in Livemesh Addons for Elementor (WordPress plugin) ≤9.0 allows authenticated attackers with Contributor-level privileges to include and execute arbitrary PHP files via recursive directory traversal bypass in widget template parameters. The vulnerability requires Elementor plugin installation and either admin interaction (social engineering) or direct Contributor access. CVSS 8.8 reflects high impact (RCE potential) but limited by authentication requirement. No active exploitation confirmed (not in CISA KEV), but publicly available exploit code exists (Wordfence disclosure with technical details and code references).
Missing Authorization vulnerability in WP Royal Royal Elementor Addons royal-elementor-addons allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Royal Elementor Addons: from n/a through <= 1.7.1056.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in bdthemes Element Pack Elementor Addons bdthemes-element-pack-lite allows Blind SQL Injection.This issue affects Element Pack Elementor Addons: from n/a through <= 8.4.2.
Missing authorization bypass in Vertex Addons for Elementor (WordPress plugin, all versions ≤1.6.4) allows authenticated attackers with Subscriber-level privileges to install and activate arbitrary WordPress plugins. The activate_required_plugins() function checks current_user_can('install_plugins') capability but fails to halt execution on denial, permitting installation/activation to proceed before error response is sent. CVSS 8.8 (High) reflects authenticated (PR:L) network attack enabling high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis.
Stored cross-site scripting (XSS) in WPBITS Addons For Elementor Page Builder versions up to 1.8.1 allows authenticated attackers with low privileges to inject malicious scripts that execute in the context of other users' browsers. The vulnerability stems from improper input sanitization during web page generation, enabling an attacker to persistently compromise site content and steal session tokens or perform administrative actions on behalf of legitimate users. EPSS exploitation probability is very low at 0.03%, indicating limited real-world attack likelihood despite moderate CVSS severity.
DOM-based cross-site scripting (XSS) in Wealcoder Animation Addons for Elementor through version 2.6.1 allows authenticated attackers with low privileges to inject malicious scripts that execute in users' browsers with the click of a link. The vulnerability stems from improper input neutralization during web page generation and affects all versions of the plugin up to and including 2.6.1. With an EPSS score of 0.03% and no confirmed active exploitation, this represents a lower-priority vulnerability despite the authenticated attack requirement.
Stored cross-site scripting (XSS) in Livemesh Addons for Elementor through version 9.0 allows authenticated users with limited privileges to inject malicious scripts that execute in the browsers of administrators and other site visitors. The vulnerability stems from improper input sanitization during web page generation, enabling attackers to persistently compromise site functionality and steal administrative credentials or session tokens. CVSS 6.5 reflects moderate severity; EPSS 0.03% indicates very low real-world exploitation probability, suggesting this requires specific user interaction and authenticated access to exploit effectively.
Stored Cross-Site Scripting (XSS) in Themesflat Addons for Elementor up to version 2.3.2 allows authenticated users with low privileges to inject malicious scripts that execute in the context of site visitors' browsers. An attacker with contributor-level access or higher can craft input fields within the plugin's admin interface to persistently store JavaScript code, which then executes whenever other users (including administrators) view the affected content. The vulnerability has low real-world exploitation risk (EPSS 0.03%, percentile 8%) despite its CVSS 6.5 rating, as it requires authenticated user interaction and user-initiated viewing of affected pages.
Stored cross-site scripting in Element Pack Addons for Elementor plugin versions up to 8.4.2 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript via malicious SVG files through the SVG Image Widget. The vulnerability exists in the render_svg() function, which fetches remote SVG content and echoes it directly to pages without proper sanitization, enabling persistent XSS attacks affecting all users who view pages containing the compromised widget. No public exploit code or active exploitation has been identified at the time of analysis.
Stored Cross-Site Scripting in The Plus Addons for Elementor plugin for WordPress (all versions up to 6.4.9) allows authenticated attackers with contributor-level access and above to inject arbitrary JavaScript into pages via the Progress Bar shortcode due to insufficient input sanitization and output escaping. When other users access affected pages, the injected scripts execute in their browsers, enabling session hijacking, credential theft, or malware distribution. No public exploit code or active exploitation has been confirmed at time of analysis.
Stored Cross-Site Scripting in Prime Slider - Addons for Elementor plugin allows authenticated users with Author-level access to inject arbitrary JavaScript through the 'follow_us_text' setting in the Mount widget. The vulnerability exists in all versions up to 4.1.10 due to missing output escaping in the render_social_link() function, enabling attackers to execute malicious scripts whenever pages containing the injected widget are viewed. No public exploit code or active exploitation has been confirmed at this time.
Stored Cross-Site Scripting in Elementor Website Builder plugin for WordPress allows authenticated attackers with Contributor-level access or above to inject arbitrary JavaScript into page content via insufficiently sanitized widget parameters. The injected scripts execute in the browsers of all users accessing affected pages, potentially enabling account hijacking, malware distribution, or defacement. CVSS 6.4 reflects the requirement for authenticated access but the broad scope of impact across all site visitors.
Stored Cross-Site Scripting in Xpro Addons - 140+ Widgets for Elementor plugin up to version 1.4.20 allows authenticated contributors and above to inject malicious scripts via the Pricing Widget's 'onClick Event' setting, which execute in the browsers of any user viewing the affected pages. The vulnerability stems from insufficient input sanitization and output escaping, enabling persistent XSS attacks that compromise site integrity and user sessions. No active exploitation has been confirmed, but the low attack complexity and contributor-level access requirement present a moderate real-world risk for WordPress sites with contributor user bases.
Stored Cross-Site Scripting in ElementsKit Elementor Addons and Templates plugin (versions up to 3.7.9) allows authenticated contributors and above to inject malicious scripts via the 'ekit_tab_title' parameter in the Simple Tab widget due to insufficient input sanitization and output escaping. Injected scripts execute when users access affected pages. No public exploit code or active exploitation has been identified at time of analysis.
Stored Cross-Site Scripting (XSS) in Royal Addons for Elementor plugin allows authenticated contributors and above to inject arbitrary JavaScript via the 'button_text' parameter, affecting all versions through 1.7.1049. The vulnerability stems from insufficient input sanitization and output escaping, enabling attackers to execute malicious scripts in the context of any user visiting an affected page. No public exploit code or active exploitation has been identified at time of analysis.
Stored Cross-Site Scripting (XSS) in Xpro Addons - 140+ Widgets for Elementor plugin for WordPress up to version 1.4.24 allows authenticated contributors and above to inject malicious scripts via the Icon Box widget that execute for all users viewing affected pages. The vulnerability stems from insufficient input sanitization and output escaping, making it a direct code injection risk in a widely-used page builder extension. CVSS 6.4 reflects moderate severity with limited direct impact (confidentiality and integrity) but cross-site scope; no public exploit code or active exploitation has been identified at time of analysis.
King Addons for Elementor plugin versions up to 51.1.38 contain multiple DOM-Based Stored Cross-Site Scripting vulnerabilities affecting authenticated Contributor+ users. The plugin improperly escapes user input in JavaScript inline event handlers and uses unsafe DOM manipulation methods in widget settings, allowing attackers with Contributor-level access to inject arbitrary JavaScript that executes when pages are accessed or previewed in the Elementor editor. A partial patch was released in version 5.1.51, though the version numbering discrepancy suggests incomplete remediation across all vulnerable code paths.
Authenticated attackers with Contributor-level access or above can extract all form submissions from the Database for Contact Form 7, WPforms, Elementor Forms WordPress plugin (versions up to 1.4.9) via a missing capability check in the entries_shortcode() function, exposing names, emails, phone numbers, and other sensitive form data. The vulnerability requires existing WordPress user credentials but no administrative privileges, making it accessible to low-privileged users who may be granted contributor roles during normal site operations. No public exploit code or active exploitation has been confirmed at the time of analysis.
The Elementor Website Builder plugin for WordPress contains an authorization bypass vulnerability in the is_allowed_to_read_template() function that incorrectly permits authenticated users with contributor-level privileges to read private and draft template content. Attackers can exploit this through the 'get_template_data' action of the 'elementor_ajax' endpoint by supplying a 'template_id' parameter, resulting in exposure of sensitive template information. The vulnerability affects all versions up to and including 3.35.7 with a CVSS score of 4.3 (low-to-moderate severity) and requires low-complexity exploitation with authenticated access.
A Stored Cross-Site Scripting (XSS) vulnerability exists in ThemeHunk's Contact Form & Lead Form Elementor Builder plugin for WordPress, affecting all versions through 2.0.1. An attacker can inject malicious scripts into form fields that are stored in the database and executed in the browsers of administrators or other users who view the submitted data, potentially leading to account takeover, data theft, or malware distribution. No CVSS score or EPSS data is currently available, and active exploitation status is unknown; however, the vulnerability is confirmed by Patchstack and tracked under ENISA EUVD-2026-15903.
WP Insightly plugin versions 1.1.5 and earlier for Contact Form 7, WPForms, Elementor, Formidable, and Ninja Forms contain an authorization bypass that allows unauthenticated attackers to modify data through misconfigured access controls. An attacker can exploit this vulnerability to perform unauthorized actions on forms and contacts without proper permissions. No patch is currently available.
The CRM Perks Integration plugin for Mailchimp (versions through 1.2.2) contains a missing authorization flaw that allows authenticated attackers to modify data through incorrectly configured access controls. An attacker with user-level permissions could bypass authorization checks to alter form submissions and contact information across integrated platforms including Contact Form 7, WPForms, Elementor, and Ninja Forms. No patch is currently available for this vulnerability.
Vertex Addons for Elementor through version 1.6.4 contains an authorization bypass vulnerability that allows authenticated attackers to modify content or settings they should not have access to due to improperly configured access controls. An attacker with low-level user privileges can escalate their capabilities by exploiting the misconfigured security levels. No patch is currently available for this vulnerability.
A blind SQL injection vulnerability exists in ElementInvader Addons for Elementor, a WordPress plugin, affecting all versions through 1.4.2. An attacker can exploit this CWE-89 vulnerability to extract sensitive data from the underlying database without authentication, leveraging the plugin's improper neutralization of special SQL elements. No CVSS score, EPSS metric, or active KEV designation is currently available, but the blind SQL injection vector indicates meaningful exploitability risk requiring immediate patching.
King Addons for Elementor contains an information disclosure vulnerability that exposes sensitive API keys and secrets in HTML source code through the render_full_form function. Unauthenticated attackers can extract Mailchimp, Facebook, and Google API credentials from affected WordPress sites running the plugin up to version 51.1.49 that have the Premium license installed. This vulnerability has a CVSS score of 5.3 with a network attack vector requiring no authentication, making it easily discoverable and exploitable at scale.
The Sina Extension for Elementor plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the Fancy Text Widget and Countdown Widget that allows authenticated attackers with Contributor-level or higher privileges to inject arbitrary JavaScript into pages through insufficiently sanitized DOM attributes. When users visit pages containing the malicious widgets, the injected scripts execute in their browsers, potentially compromising session tokens, stealing sensitive data, or performing unauthorized actions on behalf of the victim. The vulnerability affects all versions up to and including 3.7.0, with a CVSS score of 6.4 indicating medium severity, though the impact is amplified by the stored nature of the XSS and the broad audience of WordPress sites using this popular page builder extension.
The PQ Addons - Creative Elementor Widgets plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the Section Title widget's html_tag parameter due to insufficient input sanitization and output escaping. All versions up to and including 1.0.0 are affected, allowing authenticated attackers with contributor-level access or above to inject arbitrary JavaScript that executes when users view affected pages. The vulnerability has a CVSS score of 6.4 (Medium) and exploits are possible since the attack requires only low privilege levels and no user interaction beyond page access.
Unauthenticated attackers can extract sensitive data from non-public custom post types in Royal Addons for Elementor WordPress plugin versions up to 1.7.1049 through improper access controls in the get_main_query_args() function. This allows exposure of private content including Contact Form 7 submissions and WooCommerce coupons without authentication. The vulnerability affects WordPress installations using this plugin and remains unpatched.
The Thim Kit for Elementor plugin for WordPress versions up to 1.3.7 allows unauthenticated attackers to access private and draft LearnPress course content through an improperly secured REST API endpoint that accepts arbitrary post status parameters. The vulnerability stems from missing input validation on the 'thim-ekit/archive-course/get-courses' endpoint, enabling information disclosure to any remote attacker without authentication or user interaction. No patch is currently available for this medium-severity flaw affecting WordPress installations using the vulnerable plugin.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Liton Arefin Master Addons for Elementor master-addons allows DOM-Based XSS.This issue affects Master Addons for Elementor: from n/a through <= 2.1.3.
Missing Authorization vulnerability in Elementor Elementor Website Builder elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Elementor Website Builder: from n/a through <= 3.35.5.
A Stored Cross-Site Scripting (XSS) vulnerability exists in PowerPack Addons for Elementor (powerpack-lite-for-elementor) versions up to 2.9.9, allowing authenticated attackers with limited privileges to inject malicious scripts that persist in the application and execute in other users' browsers. While the CVSS score is moderate (6.5) and EPSS exploitation probability is low (0.03%, percentile 8%), the vulnerability requires user interaction (UI:R) and authenticated access (PR:L), reducing real-world exploitability. No evidence of active exploitation (KEV status) or public proof-of-concept has been identified at this time.
A Stored Cross-Site Scripting (XSS) vulnerability exists in Magical Addons For Elementor, a WordPress plugin for the Elementor page builder, affecting versions up to and including 1.4.1. An authenticated attacker with low privileges can inject malicious JavaScript code that persists in the application and executes in the browsers of other users, potentially leading to session hijacking, credential theft, or defacement. This is a post-authentication vulnerability with user interaction required, making it moderately exploitable in real-world WordPress environments where multiple users collaborate on page design.
The RadiusTheme ShopBuilder plugin for WordPress (versions up to 3.2.4) improperly exposes sensitive system information through its Elementor WooCommerce integration, allowing unauthenticated attackers to retrieve embedded sensitive data. This information disclosure has a low confidentiality impact with no authentication or user interaction required. No patch is currently available for affected installations.
A DOM-based Cross-Site Scripting (XSS) vulnerability exists in Elementor Website Builder through version 3.35.5, allowing authenticated attackers with low privileges to inject malicious scripts that execute in the context of other users' browsers. An attacker can exploit this via a crafted page or element to steal session cookies, redirect users, or perform actions on their behalf. The vulnerability requires user interaction (UI:R) and authenticated access (PR:L), but carries a moderate CVSS score of 6.5 with cross-site impact (S:C), indicating meaningful business risk despite not being unauthenticated.
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Leap13 Premium Addons for Elementor premium-addons-for-elementor allows Retrieve Embedded Sensitive Data.This issue affects Premium Addons for Elementor: from n/a through <= 4.11.53.
Cross-Site Request Forgery in Premium Addons for Elementor plugin versions up to 4.11.53 allows unauthenticated remote attackers to create arbitrary Elementor templates by exploiting missing nonce validation in the 'insert_inner_template' function. An attacker must trick a site administrator or user with edit_posts capability into clicking a malicious link, but no public exploit code has been identified. The EPSS score of 0.02% indicates this vulnerability has very low exploitation probability in practice despite the CVSS 4.3 rating.
Unauthenticated attackers can access private, draft, and pending template content in Premium Addons for Elementor WordPress plugin (versions up to 4.11.53) due to a missing capability check in the 'get_template_content' function. This authentication bypass allows unauthorized disclosure of sensitive template data without requiring user interaction or special privileges. A vendor patch is available, and the vulnerability carries a moderate CVSS score of 5.3 with low technical impact but confirmed accessibility to restricted resources.
Missing Authorization vulnerability in WPDeveloper Essential Addons for Elementor essential-addons-for-elementor-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Essential Addons for Elementor: from n/a through <= 6.2.4.
The Elementor plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.30.2 via the Import_Images::import() function due to insufficient controls on the. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.
The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Countdown Widget in all versions up to, and including, 2.7.9.4 due to insufficient input. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
Stored cross-site scripting (XSS) in CyberChimps Responsive Addons for Elementor versions up to 1.7.3 allows authenticated users with limited privileges to inject malicious scripts that execute in the browsers of other site visitors, enabling credential theft, malware distribution, or website defacement. The vulnerability requires user interaction and affects WordPress installations using this plugin; exploitation probability is low (EPSS 0.04%) but impact is moderate given the stored nature of the attack.