Vulnerabilities > Elementor

DATE CVE VULNERABILITY TITLE RISK
2022-04-19 CVE-2022-1329 Missing Authorization vulnerability in Elementor Website Builder
The Elementor Website Builder plugin for WordPress is vulnerable to unauthorized execution of several AJAX actions due to a missing capability check in the ~/core/app/modules/onboarding/module.php file that make it possible for attackers to modify site data in addition to uploading malicious files that can be used to obtain remote code execution, in versions 3.6.0 to 3.6.2.
network
low complexity
elementor CWE-862
6.5
2021-11-23 CVE-2021-24891 Cross-site Scripting vulnerability in Elementor Website Builder
The Elementor Website Builder WordPress plugin before 3.4.8 does not sanitise or escape user input appended to the DOM via a malicious hash, resulting in a DOM Cross-Site Scripting issue.
network
elementor CWE-79
4.3
2021-04-05 CVE-2021-24206 Cross-site Scripting vulnerability in Elementor Website Builder
In the Elementor Website Builder WordPress plugin before 3.1.4, the image box widget (includes/widgets/image-box.php) accepts a ‘title_size’ parameter.
network
elementor CWE-79
3.5
2021-04-05 CVE-2021-24205 Cross-site Scripting vulnerability in Elementor Website Builder
In the Elementor Website Builder WordPress plugin before 3.1.4, the icon box widget (includes/widgets/icon-box.php) accepts a ‘title_size’ parameter.
network
elementor CWE-79
3.5
2021-04-05 CVE-2021-24204 Cross-site Scripting vulnerability in Elementor Website Builder
In the Elementor Website Builder WordPress plugin before 3.1.4, the accordion widget (includes/widgets/accordion.php) accepts a ‘title_html_tag’ parameter.
network
elementor CWE-79
3.5
2021-04-05 CVE-2021-24203 Cross-site Scripting vulnerability in Elementor Website Builder
In the Elementor Website Builder WordPress plugin before 3.1.4, the divider widget (includes/widgets/divider.php) accepts an ‘html_tag’ parameter.
network
elementor CWE-79
3.5
2021-04-05 CVE-2021-24202 Cross-site Scripting vulnerability in Elementor Website Builder
In the Elementor Website Builder WordPress plugin before 3.1.4, the heading widget (includes/widgets/heading.php) accepts a ‘header_size’ parameter.
network
elementor CWE-79
3.5
2021-04-05 CVE-2021-24201 Cross-site Scripting vulnerability in Elementor Website Builder
In the Elementor Website Builder WordPress plugin before 3.1.4, the column element (includes/elements/column.php) accepts an ‘html_tag’ parameter.
network
elementor CWE-79
3.5
2021-01-06 CVE-2020-36171 Cross-site Scripting vulnerability in Elementor Website Builder
The Elementor Website Builder plugin before 3.0.14 for WordPress does not properly restrict SVG uploads.
network
elementor CWE-79
4.3
2020-10-07 CVE-2020-26596 Improper Input Validation vulnerability in Elementor PRO 3.0.5
The Dynamic OOO widget for the Elementor Pro plugin through 3.0.5 for WordPress allows remote authenticated users to execute arbitrary code because only the Editor role is needed to upload executable PHP code via the PHP Raw snippet.
network
low complexity
elementor CWE-20
critical
9.0