Vulnerabilities > Elementor

DATE CVE VULNERABILITY TITLE RISK
2021-04-05 CVE-2021-24206 Cross-site Scripting vulnerability in Elementor Website Builder
In the Elementor Website Builder WordPress plugin before 3.1.4, the image box widget (includes/widgets/image-box.php) accepts a ‘title_size’ parameter.
network
elementor CWE-79
3.5
2021-04-05 CVE-2021-24205 Cross-site Scripting vulnerability in Elementor Website Builder
In the Elementor Website Builder WordPress plugin before 3.1.4, the icon box widget (includes/widgets/icon-box.php) accepts a ‘title_size’ parameter.
network
elementor CWE-79
3.5
2021-04-05 CVE-2021-24204 Cross-site Scripting vulnerability in Elementor Website Builder
In the Elementor Website Builder WordPress plugin before 3.1.4, the accordion widget (includes/widgets/accordion.php) accepts a ‘title_html_tag’ parameter.
network
elementor CWE-79
3.5
2021-04-05 CVE-2021-24203 Cross-site Scripting vulnerability in Elementor Website Builder
In the Elementor Website Builder WordPress plugin before 3.1.4, the divider widget (includes/widgets/divider.php) accepts an ‘html_tag’ parameter.
network
elementor CWE-79
3.5
2021-04-05 CVE-2021-24202 Cross-site Scripting vulnerability in Elementor Website Builder
In the Elementor Website Builder WordPress plugin before 3.1.4, the heading widget (includes/widgets/heading.php) accepts a ‘header_size’ parameter.
network
elementor CWE-79
3.5
2021-04-05 CVE-2021-24201 Cross-site Scripting vulnerability in Elementor Website Builder
In the Elementor Website Builder WordPress plugin before 3.1.4, the column element (includes/elements/column.php) accepts an ‘html_tag’ parameter.
network
elementor CWE-79
3.5
2021-01-06 CVE-2020-36171 Cross-site Scripting vulnerability in Elementor Website Builder
The Elementor Website Builder plugin before 3.0.14 for WordPress does not properly restrict SVG uploads.
network
elementor CWE-79
4.3
2020-10-07 CVE-2020-26596 Improper Input Validation vulnerability in Elementor PRO 3.0.5
The Dynamic OOO widget for the Elementor Pro plugin through 3.0.5 for WordPress allows remote authenticated users to execute arbitrary code because only the Editor role is needed to upload executable PHP code via the PHP Raw snippet.
network
low complexity
elementor CWE-20
critical
9.0
2020-09-16 CVE-2020-20406 Cross-site Scripting vulnerability in Elementor Page Builder
A stored XSS vulnerability exists in the Custom Link Attributes control Affect function in Elementor Page Builder 2.9.2 and earlier versions.
network
elementor CWE-79
3.5
2020-08-31 CVE-2020-15020 Cross-site Scripting vulnerability in Elementor Page Builder 2.9.0
An issue was discovered in the Elementor plugin through 2.9.13 for WordPress.
network
elementor CWE-79
3.5