elemntor — Vulnerabilities & Security Advisories 22

Browse all 22 CVE security advisories affecting elemntor. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Elementor is a widely deployed WordPress page builder plugin that enables users to design custom layouts through a drag-and-drop interface. With twenty-two recorded Common Vulnerabilities and Exposures (CVEs), the software has historically been susceptible to critical security flaws, particularly Remote Code Execution (RCE) and Cross-Site Scripting (XSS). These vulnerabilities often stem from insufficient input validation and improper access controls, allowing attackers to escalate privileges or inject malicious scripts. Notable incidents include multiple RCE exploits that granted unauthorized administrators full control over affected sites, highlighting risks associated with its extensive feature set and third-party add-on ecosystem. The high volume of CVEs underscores the challenges of maintaining security in complex, user-generated content platforms. While the developer actively issues patches, the plugin’s popularity makes it a frequent target for automated attacks, necessitating rigorous updates and strict permission management for site administrators to mitigate potential breaches effectively.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-7567 | Temporary Login <= 1.0.0 - Authentication Bypass to Account Takeover | Temporary Login | CWE-288 | 9.8 | Critical | 2026-05-01 |
| CVE-2026-6127 | Elementor Website Builder <= 4.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via REST API | Elementor Website Builder – more than just a page builder | CWE-79 | 6.4 | Medium | 2026-05-01 |
| CVE-2025-14732 | Elementor Website Builder <= 3.35.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via REST API | Elementor Website Builder – more than just a page builder | CWE-87 | 6.4 | Medium | 2026-04-08 |
| CVE-2026-1206 | Elementor Website Builder <= 3.35.7 - Incorrect Authorization to Authenticated (Contributor+) Sensitive Information Exposure via Elementor Template | Elementor Website Builder – more than just a page builder | CWE-639 | 4.3 | Medium | 2026-03-26 |
| CVE-2026-2413 | Ally – Web Accessibility & Usability <= 4.0.3 - Unauthenticated SQL Injection via URL Path | Ally – Web Accessibility & Usability | CWE-89 | 7.5 | High | 2026-03-11 |
| CVE-2025-11220 | Elementor <= 3.33.3 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Text Path | Elementor Website Builder – more than just a page builder | CWE-79 | 6.4 | Medium | 2025-12-16 |
| CVE-2025-10700 | Ally - Web Accessibility & Usability <= 3.8.0 - Cross-Site Request Forgery to Plugin Settings Update | Ally – Web Accessibility & Usability | CWE-352 | 4.3 | Medium | 2025-10-16 |
| CVE-2025-8081 | Elementor <= 3.30.2 - Authenticated (Administrator+) Arbitrary File Read via Image Import | Elementor Website Builder – more than just a page builder | CWE-22 | 4.9 | Medium | 2025-08-12 |
| CVE-2025-4566 | Elementor <= 3.30.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Text Path Widget | Elementor Website Builder – more than just a page builder | CWE-79 | 6.4 | Medium | 2025-07-29 |
| CVE-2025-3075 | Elementor <= 3.29.0 - Authenticated (Contributor+) Stored Cross-Site Scripting | Elementor Website Builder – more than just a page builder | CWE-79 | 6.4 | Medium | 2025-07-29 |
| CVE-2025-1319 | Site Mailer <= 1.2.3 - Unauthenticated Stored Cross-Site Scripting | Site Mailer – SMTP Replacement, Email API Deliverability & Email Log | CWE-79 | 7.2 | High | 2025-02-28 |
| CVE-2024-13445 | Elementor Website Builder – More Than Just a Page Builder <= 3.27.4 - Authenticated (Contributor+) Stored Cross-Site Scripting | Elementor Website Builder – more than just a page builder | CWE-79 | 6.4 | Medium | 2025-02-20 |
| CVE-2024-10453 | Elementor Website Builder – More than Just a Page Builder <= 3.25.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Typography Settings | Elementor Website Builder – more than just a page builder | CWE-79 | 6.4 | Medium | 2024-12-21 |
| CVE-2024-8236 | Elementor Website Builder – More than Just a Page Builder <= 3.25.7 - Authenticated (Contributor+) Stored Cross-Site Scripting | Elementor Website Builder – more than just a page builder | CWE-79 | 6.4 | Medium | 2024-11-26 |
| CVE-2024-10788 | Activity Log – Monitor & Record User Changes <= 2.11.1 - Unauthenticated Stored Cross-Site Scripting via Event Context | Activity Log – Monitor & Record User Changes | CWE-79 | 7.2 | High | 2024-11-21 |
| CVE-2024-6757 | Elementor <= 3.23.5 - Authenticated (Contributor+) Basic Information Exposure via get_image_alt Function | Elementor Website Builder – more than just a page builder | CWE-200 | 4.3 | Medium | 2024-10-15 |
| CVE-2024-5416 | Elementor Website Builder – More than Just a Page Builder <= 3.23.4 - Authenticated (Contributor+) Stored Cross-Site Scripting in the URL Parameter in Multiple Widgets | Elementor Website Builder – more than just a page builder | CWE-79 | 5.4 | Medium | 2024-09-11 |
| CVE-2024-4619 | Elementor Website Builder – More than Just a Page Builder <= 3.21.5 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting | Elementor Website Builder – more than just a page builder | CWE-79 | 6.4 | Medium | 2024-05-21 |
| CVE-2024-2117 | Elementor Website Builder – More than Just a Page Builder <= 3.20.2 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Path Widget | Elementor Website Builder – more than just a page builder | CWE-79 | 6.4 | Medium | 2024-04-09 |
| CVE-2024-0506 | Elementor Website Builder – More than Just a Page Builder <= 3.18.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via get_image_alt | Elementor Website Builder – more than just a page builder | CWE-79 | 6.4 | Medium | 2024-02-20 |
| CVE-2020-36703 | Elementor Website Builder <= 2.9.7 - Authenticated Stored Cross-Site Scripting | Elementor Website Builder – more than just a page builder | CWE-79 | 6.4 | Medium | 2023-06-07 |
| CVE-2022-1329 | Elementor Website Builder 3.6.0 - 3.6.2 - Missing Authorization to Remote Code Execution | Elementor Website Builder | CWE-862 | 8.8 | High | 2022-04-19 |

This page lists every published CVE security advisory associated with elemntor. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.