Vulnerabilities and security researches forheader-footer-elementor header-footer-elementor
Direction: descendingAug 02, 2025
Elementor Header & Footer Builder # CVE-2025-8488
- CVE, Research URL
- Application
- Date
- Aug 02, 2025
- Research Description
- The Ultimate Addons for Elementor (Formerly Elementor Header & Footer Builder) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_hfe_compatibility_option_callback ()function in all versions up to, and including, 2.4.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the compatibility option setting.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
Dec 24, 2024
Elementor Header & Footer Builder # CVE-2024-11230
- CVE, Research URL
- Application
- Date
- Dec 23, 2024
- Research Description
- The Elementor Header & Footer Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘size’ parameter in all versions up to, and including, 1.6.46 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
Nov 09, 2024
Elementor Header & Footer Builder # CVE-2024-10325
- CVE, Research URL
- Application
- Date
- Nov 08, 2024
- Research Description
- The Elementor Header & Footer Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via REST API SVG File uploads in all versions up to, and including, 1.6.45 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
Oct 25, 2024
Elementor Header & Footer Builder # CVE-2024-10050
- CVE, Research URL
- Application
- Date
- Oct 24, 2024
- Research Description
- The Elementor Header & Footer Builder plugin for WordPress is vulnerable to Information Disclosure in all versions up to, and including, 1.6.43 via the hfe_template shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to view the contents of Draft, Private and Password-protected posts they do not own.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
Jul 05, 2024
Elementor Header & Footer Builder # CVE-2024-33933
- CVE, Research URL
- Application
- Date
- Jul 22, 2024
- Research Description
- Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Brainstorm Force, Nikhil Chavan Elementor – Header, Footer & Blocks Template allows DOM-Based XSS.This issue affects Elementor – Header, Footer & Blocks Template: from n/a through 1.6.35.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
Jun 15, 2024
Elementor Header & Footer Builder # CVE-2024-5757
- CVE, Research URL
- Application
- Date
- Jun 13, 2024
- Research Description
- The Elementor Header & Footer Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the url attribute within the plugin's Site Title widget in all versions up to, and including, 1.6.35 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
Jun 06, 2024
Elementor Header & Footer Builder # CVE-2021-24256
- CVE, Research URL
- Application
- Date
- May 06, 2021
- Research Description
- The “Elementor – Header, Footer & Blocks Template” WordPress Plugin before 1.5.8 has two widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
Elementor Header & Footer Builder # CVE-2024-1237
- CVE, Research URL
- Application
- Date
- Mar 13, 2024
- Research Description
- The Elementor Header & Footer Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the flyout_layout attribute in all versions up to, and including, 1.6.24 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
Elementor Header & Footer Builder # CVE-2024-4634
- CVE, Research URL
- Application
- Date
- May 16, 2024
- Research Description
- The Elementor Header & Footer Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘hfe_svg_mime_types’ function in versions up to, and including, 1.6.28 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
Elementor Header & Footer Builder # CVE-2024-2619
- CVE, Research URL
- Application
- Date
- May 17, 2024
- Research Description
- The Elementor Header & Footer Builder for WordPress is vulnerable to HTML Injection in all versions up to, and including, 1.6.26 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level permissions and above, to inject arbitrary HTML in pages that will be shown whenever a user accesses an injected page.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
Elementor Header & Footer Builder # CVE-2024-2618
- CVE, Research URL
- Application
- Date
- May 24, 2024
- Research Description
- The Elementor Header & Footer Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the size attribute in all versions up to, and including, 1.6.26 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable