Vulnerabilities > Elementor > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-06-07 | CVE-2020-36703 | Cross-site Scripting vulnerability in Elementor Website Builder The Elementor Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG image uploads in versions up to, and including 2.9.7 This makes it possible for authenticated attackers with the upload_files capability to inject arbitrary web scripts in pages that will execute whenever a user accesses the page with the stored web scripts. | 5.4 |
| 2022-06-13 | CVE-2022-29455 | Unspecified vulnerability in Elementor Website Builder DOM-based Reflected Cross-Site Scripting (XSS) vulnerability in Elementor's Elementor Website Builder plugin <= 3.5.5 versions. | 6.1 |
| 2021-11-23 | CVE-2021-24891 | Unspecified vulnerability in Elementor Website Builder The Elementor Website Builder WordPress plugin before 3.4.8 does not sanitise or escape user input appended to the DOM via a malicious hash, resulting in a DOM Cross-Site Scripting issue. | 6.1 |
| 2021-04-05 | CVE-2021-24206 | Cross-site Scripting vulnerability in Elementor Website Builder In the Elementor Website Builder WordPress plugin before 3.1.4, the image box widget (includes/widgets/image-box.php) accepts a ‘title_size’ parameter. | 5.4 |
| 2021-04-05 | CVE-2021-24205 | Cross-site Scripting vulnerability in Elementor Website Builder In the Elementor Website Builder WordPress plugin before 3.1.4, the icon box widget (includes/widgets/icon-box.php) accepts a ‘title_size’ parameter. | 5.4 |
| 2021-04-05 | CVE-2021-24204 | Cross-site Scripting vulnerability in Elementor Website Builder In the Elementor Website Builder WordPress plugin before 3.1.4, the accordion widget (includes/widgets/accordion.php) accepts a ‘title_html_tag’ parameter. | 5.4 |
| 2021-04-05 | CVE-2021-24203 | Cross-site Scripting vulnerability in Elementor Website Builder In the Elementor Website Builder WordPress plugin before 3.1.4, the divider widget (includes/widgets/divider.php) accepts an ‘html_tag’ parameter. | 5.4 |
| 2021-04-05 | CVE-2021-24202 | Cross-site Scripting vulnerability in Elementor Website Builder In the Elementor Website Builder WordPress plugin before 3.1.4, the heading widget (includes/widgets/heading.php) accepts a ‘header_size’ parameter. | 5.4 |
| 2021-04-05 | CVE-2021-24201 | Cross-site Scripting vulnerability in Elementor Website Builder In the Elementor Website Builder WordPress plugin before 3.1.4, the column element (includes/elements/column.php) accepts an ‘html_tag’ parameter. | 5.4 |
| 2021-01-06 | CVE-2020-36171 | Cross-site Scripting vulnerability in Elementor Website Builder The Elementor Website Builder plugin before 3.0.14 for WordPress does not properly restrict SVG uploads. | 6.1 |