Product
elementor website builder
37 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE-2025-8081
CVE-2025-3075
CVE-2024-54444
CVE-2024-13445
CVE-2024-8494
CVE-2024-10453
CVE-2024-8236
CVE-2024-6757
CVE-2024-5416
CVE-2024-37437
CVE-2023-33922
CVE-2024-4619
CVE-2024-24934
CVE-2024-4107
CVE-2023-47504
CVE-2024-2117
CVE-2024-2120
CVE-2023-48777
CVE-2024-0506
CVE-2023-47505
CVE-2022-4953
CVE-2020-36703
CVE-2023-0329
CVE-2022-29455
CVE-2022-1329
CVE-2021-24891
CVE-2021-24206
CVE-2021-24205
CVE-2021-24204
CVE-2021-24203
CVE-2021-24202
CVE-2021-24201
CVE-2020-36171
CVE-2020-15020
CVE-2020-20634
CVE-2020-8426
CVE-2020-7109
< 3.30.3
The Elementor plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.30.2 via the Impor
< 3.29.1
The Elementor Website Builder - More Than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting vi
<= 3.25.10
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Elementor Website
< 3.27.5
The Elementor Website Builder - More Than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting vi
< 3.25.11
The Elementor Website Builder Pro plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and
<= 3.25.9
The Elementor Website Builder - More than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting vi
<= 3.25.7
The Elementor Website Builder - More than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting vi
< 3.24.6
The Elementor Website Builder - More than Just a Page Builder plugin for WordPress is vulnerable to Basic Information Exposure in
< 3.24.0
The Elementor Website Builder - More than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting vi
< 3.22.2
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Elementor Website
< 3.13.3
Missing Authorization vulnerability in Elementor Website Builder.This issue affects Elementor Website Builder: from n/a
< 3.21.5
The Elementor Website Builder - More than Just a Page Builder plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Sc
< 3.19.1
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Elementor Website Builde
< 3.21.1
The Elementor Website Builder - More than Just a Page Builder Pro plugin for WordPress is vulnerable to Stored Cross-Site Scriptin
< 3.16.5
Improper Authentication vulnerability in Elementor Website Builder allows Accessing Functionality Not Properly Constrain
< 3.20.3
The Elementor Website Builder - More than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting vi
< 3.20.2
The Elementor Website Builder Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Post Navigati
>= 3.3.0 and < 3.18.2
Unrestricted Upload of File with Dangerous Type vulnerability in Elementor.Com Elementor Website Builder.This issue affects Elemen
< 3.19.0
The Elementor Website Builder - More than Just a Page Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting
<= 3.16.4
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Elementor.Com Elementor allo
< 3.5.5
The Elementor Website Builder WordPress plugin before 3.5.5 does not filter out user-controlled URLs from being loaded into the DO
<= 2.9.7
The Elementor Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG image uploads in versions
< 3.12.2
The Elementor Website Builder WordPress plugin before 3.12.2 does not properly sanitize and escape the Replace URL parameter in th
<= 3.5.5
DOM-based Reflected Cross-Site Scripting (XSS) vulnerability in Elementor's Elementor Website Builder plugin <= 3.5.5 versions.
>= 3.6.0 and <= 3.6.2
The Elementor Website Builder plugin for WordPress is vulnerable to unauthorized execution of several AJAX actions due to a missin
> 1.5.0 and < 3.1.4
The Elementor Website Builder WordPress plugin before 3.4.8 does not sanitise or escape user input appended to the DOM via a malic
< 3.1.4
In the Elementor Website Builder WordPress plugin before 3.1.4, the image box widget (includes/widgets/image-box.php) accepts a �
< 3.1.4
In the Elementor Website Builder WordPress plugin before 3.1.4, the icon box widget (includes/widgets/icon-box.php) accepts a ‘t
< 3.1.4
In the Elementor Website Builder WordPress plugin before 3.1.4, the accordion widget (includes/widgets/accordion.php) accepts a �
< 3.1.4
In the Elementor Website Builder WordPress plugin before 3.1.4, the divider widget (includes/widgets/divider.php) accepts an ‘ht
< 3.1.4
In the Elementor Website Builder WordPress plugin before 3.1.4, the heading widget (includes/widgets/heading.php) accepts a ‘hea
< 3.1.4
In the Elementor Website Builder WordPress plugin before 3.1.4, the column element (includes/elements/column.php) accepts an ‘ht
< 3.0.14
The Elementor Website Builder plugin before 3.0.14 for WordPress does not properly restrict SVG uploads.
<= 2.9.13
An issue was discovered in the Elementor plugin through 2.9.13 for WordPress. An authenticated attacker can achieve stored XSS via
<= 2.9.5
Elementor 2.9.5 and below WordPress plugin allows authenticated users to activate its safe mode feature. This can be exploited to
< 2.8.5
The Elementor plugin before 2.8.5 for WordPress suffers from a reflected XSS vulnerability on the elementor-system-info page. Thes
< 2.8.4
The Elementor Page Builder plugin before 2.8.4 for WordPress does not sanitize data during creation of a new template.