Elementor Website Builder — known CVE vulnerabilities
Every CVE whose affected-product data names Elementor Website Builder, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (37)
CVE-2023-48777 — CVSS 9.9 (critical): Unrestricted Upload of File with Dangerous Type vulnerability in Elementor.Com Elementor Website Builder.This issue affects Elementor…
CVE-2020-7109 — CVSS 9.8 (critical): The Elementor Page Builder plugin before 2.8.4 for WordPress does not sanitize data during creation of a new template.
CVE-2022-1329 — CVSS 8.8 (high): The Elementor Website Builder plugin for WordPress is vulnerable to unauthorized execution of several AJAX actions due to a missing…
CVE-2024-24934 — CVSS 8.5 (high): Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Elementor Elementor Website Builder allows…
CVE-2023-0329 — CVSS 7.2 (high): The Elementor Website Builder WordPress plugin before 3.12.2 does not properly sanitize and escape the Replace URL parameter in the Tools…
CVE-2020-20634 — CVSS 6.5 (medium): Elementor 2.9.5 and below WordPress plugin allows authenticated users to activate its safe mode feature. This can be exploited to disable…
CVE-2023-47505 — CVSS 6.5 (medium): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Elementor.Com Elementor allows…
CVE-2023-47504 — CVSS 6.5 (medium): Improper Authentication vulnerability in Elementor Elementor Website Builder allows Accessing Functionality Not Properly Constrained by…
CVE-2024-54444 — CVSS 6.5 (medium): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Elementor Elementor Website Builder…
CVE-2024-0506 — CVSS 6.4 (medium): The Elementor Website Builder – More than Just a Page Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via…
CVE-2024-13445 — CVSS 6.4 (medium): The Elementor Website Builder – More Than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the…
CVE-2024-2117 — CVSS 6.4 (medium): The Elementor Website Builder – More than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the…
CVE-2024-4107 — CVSS 6.4 (medium): The Elementor Website Builder – More than Just a Page Builder Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via…
CVE-2024-4619 — CVSS 6.4 (medium): The Elementor Website Builder – More than Just a Page Builder plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting…
CVE-2020-36703 — CVSS 6.4 (medium): The Elementor Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG image uploads in versions up to…
CVE-2025-3075 — CVSS 6.4 (medium): The Elementor Website Builder – More Than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the…
CVE-2024-8236 — CVSS 6.4 (medium): The Elementor Website Builder – More than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the…
CVE-2024-10453 — CVSS 6.4 (medium): The Elementor Website Builder – More than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the…
CVE-2021-24891 — CVSS 6.1 (medium): The Elementor Website Builder WordPress plugin before 3.4.8 does not sanitise or escape user input appended to the DOM via a malicious…
CVE-2020-36171 — CVSS 6.1 (medium): The Elementor Website Builder plugin before 3.0.14 for WordPress does not properly restrict SVG uploads.
CVE-2022-4953 — CVSS 6.1 (medium): The Elementor Website Builder WordPress plugin before 3.5.5 does not filter out user-controlled URLs from being loaded into the DOM. This…
CVE-2024-37437 — CVSS 5.5 (medium): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Elementor Elementor Website Builder…
CVE-2020-15020 — CVSS 5.4 (medium): An issue was discovered in the Elementor plugin through 2.9.13 for WordPress. An authenticated attacker can achieve stored XSS via the Name…
CVE-2020-8426 — CVSS 5.4 (medium): The Elementor plugin before 2.8.5 for WordPress suffers from a reflected XSS vulnerability on the elementor-system-info page. These can be…
CVE-2021-24201 — CVSS 5.4 (medium): In the Elementor Website Builder WordPress plugin before 3.1.4, the column element (includes/elements/column.php) accepts an ‘html_tag’…
CVE-2021-24202 — CVSS 5.4 (medium): In the Elementor Website Builder WordPress plugin before 3.1.4, the heading widget (includes/widgets/heading.php) accepts a…
CVE-2021-24203 — CVSS 5.4 (medium): In the Elementor Website Builder WordPress plugin before 3.1.4, the divider widget (includes/widgets/divider.php) accepts an ‘html_tag’…
CVE-2021-24204 — CVSS 5.4 (medium): In the Elementor Website Builder WordPress plugin before 3.1.4, the accordion widget (includes/widgets/accordion.php) accepts a…
CVE-2021-24205 — CVSS 5.4 (medium): In the Elementor Website Builder WordPress plugin before 3.1.4, the icon box widget (includes/widgets/icon-box.php) accepts a…
CVE-2021-24206 — CVSS 5.4 (medium): In the Elementor Website Builder WordPress plugin before 3.1.4, the image box widget (includes/widgets/image-box.php) accepts a…
CVE-2024-2120 — CVSS 5.4 (medium): The Elementor Website Builder Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Post Navigation widget…
CVE-2024-5416 — CVSS 5.4 (medium): The Elementor Website Builder – More than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the…
CVE-2025-8081 — CVSS 4.9 (medium): The Elementor plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.30.2 via the…
CVE-2024-6757 — CVSS 4.3 (medium): The Elementor Website Builder – More than Just a Page Builder plugin for WordPress is vulnerable to Basic Information Exposure in all…
CVE-2024-8494 — CVSS 4.3 (medium): The Elementor Website Builder Pro plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and…