Vulnerabilities and security researches forthe-plus-addons-for-elementor-page-builder the-plus-addons-for-elementor-page-builder

Direction: ascending

Jun 07, 2024

The Plus Addons for Elementor # CVE-2024-3199

CVE, Research URL: CVE-2024-3199
Home page URL: Security reports for The Plus Addons for Elementor
Application: The Plus Addons for Elementor
Date: May 02, 2024
Research Description: The The Plus Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the countdown widget in all versions up to, and including, 5.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: Min -, max -.
Status: vulnerable

The Plus Addons for Elementor # CVE-2021-4331

CVE, Research URL: CVE-2021-4331
Home page URL: Security reports for The Plus Addons for Elementor
Application: The Plus Addons for Elementor
Date: Mar 07, 2023
Research Description: The Plus Addons for Elementor plugin for WordPress is vulnerable to privilege escalation in versions up to, and including 4.1.9 (pro) and 2.0.6 (free). The plugin adds a registration form to the Elementor page builders functionality. As part of the registration form, users can choose which role to set as the default for users upon registration. This field is not hidden for lower-level users so any user with access to the Elementor page builder, such as contributors, can set the default role to administrator. Since contributors can not publish posts, only author+ users can elevate privileges without interaction via a site administrator (to approve a post).
Affected versions: Min -, max -.
Status: vulnerable

The Plus Addons for Elementor # CVE-2024-1419

CVE, Research URL: CVE-2024-1419
Home page URL: Security reports for The Plus Addons for Elementor
Application: The Plus Addons for Elementor
Date: Mar 07, 2024
Research Description: The The Plus Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘_id’ attribute of the Header Meta Content widget in all versions up to, and including, 5.4.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: Min -, max -.
Status: vulnerable

The Plus Addons for Elementor # CVE-2024-3197

CVE, Research URL: CVE-2024-3197
Home page URL: Security reports for The Plus Addons for Elementor
Application: The Plus Addons for Elementor
Date: May 02, 2024
Research Description: The The Plus Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom attributes in the plugin's widgets in all versions up to, and including, 5.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: Min -, max -.
Status: vulnerable

The Plus Addons for Elementor # CVE-2024-4485

CVE, Research URL: CVE-2024-4485
Home page URL: Security reports for The Plus Addons for Elementor
Application: The Plus Addons for Elementor
Date: May 24, 2024
Research Description: The The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘button_custom_attributes’ parameter in versions up to, and including, 5.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: Min -, max -.
Status: vulnerable

The Plus Addons for Elementor # CVE-2024-2210

CVE, Research URL: CVE-2024-2210
Home page URL: Security reports for The Plus Addons for Elementor
Application: The Plus Addons for Elementor
Date: Mar 27, 2024
Research Description: The The Plus Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.4.1 via the Team Member Listing widget. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
Affected versions: Min -, max -.
Status: vulnerable

The Plus Addons for Elementor # CVE-2024-2203

CVE, Research URL: CVE-2024-2203
Home page URL: Security reports for The Plus Addons for Elementor
Application: The Plus Addons for Elementor
Date: Mar 27, 2024
Research Description: The The Plus Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.4.1 via the Clients widget. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
Affected versions: Min -, max -.
Status: vulnerable

The Plus Addons for Elementor # CVE-2024-2785

CVE, Research URL: CVE-2024-2785
Home page URL: Security reports for The Plus Addons for Elementor
Application: The Plus Addons for Elementor
Date: May 14, 2024
Research Description: The The Plus Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Age Gate widget in all versions up to, and including, 5.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: Min -, max -.
Status: vulnerable

The Plus Addons for Elementor # CVE-2024-4484

CVE, Research URL: CVE-2024-4484
Home page URL: Security reports for The Plus Addons for Elementor
Application: The Plus Addons for Elementor
Date: May 24, 2024
Research Description: The The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘xai_username’ parameter in versions up to, and including, 5.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: Min -, max -.
Status: vulnerable

The Plus Addons for Elementor # CVE-2021-24266

CVE, Research URL: CVE-2021-24266
Home page URL: Security reports for The Plus Addons for Elementor
Application: The Plus Addons for Elementor
Date: May 06, 2021
Research Description: The “The Plus Addons for Elementor Page Builder Lite” WordPress Plugin before 2.0.6 has four widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
Affected versions: Min -, max -.
Status: vulnerable

The Plus Addons for Elementor # CVE-2021-4332

CVE, Research URL: CVE-2021-4332
Home page URL: Security reports for The Plus Addons for Elementor
Application: The Plus Addons for Elementor
Date: Mar 07, 2023
Research Description: The Plus Addons for Elementor plugin for WordPress is vulnerable to arbitrary file reads in versions up to, and including 4.1.9 (pro) and 2.0.6 (free). The plugin has a feature to add an "Info Box" to an Elementor created page. This Info Box can include an SVG image for the box. Unfortunately, the plugin used file_get_contents with no verification that the file being supplied was an SVG file, so any user with access to the Elementor page builder, such as contributors, could read arbitrary files on the WordPress installation.
Affected versions: Min -, max -.
Status: vulnerable

The Plus Addons for Elementor # CVE-2024-3718

CVE, Research URL: CVE-2024-3718
Home page URL: Security reports for The Plus Addons for Elementor
Application: The Plus Addons for Elementor
Date: May 24, 2024
Research Description: The The Plus Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several of the plugin's widgets all versions up to, and including, 5.5.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: Min -, max -.
Status: vulnerable

The Plus Addons for Elementor # CVE-2024-34373

CVE, Research URL: CVE-2024-34373
Home page URL: Security reports for The Plus Addons for Elementor
Application: The Plus Addons for Elementor
Date: May 07, 2024
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in POSIMYTH The Plus Addons for Elementor Page Builder Lite allows Stored XSS.This issue affects The Plus Addons for Elementor Page Builder Lite: from n/a through 5.4.2.
Affected versions: Min -, max -.
Status: vulnerable

The Plus Addons for Elementor # CVE-2024-0445

CVE, Research URL: CVE-2024-0445
Home page URL: Security reports for The Plus Addons for Elementor
Application: The Plus Addons for Elementor
Date: May 14, 2024
Research Description: The The Plus Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's element attributes in all versions up to, and including, 5.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor access or higher to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. CVE-2024-34373 is likely a duplicate of this issue.
Affected versions: Min -, max -.
Status: vulnerable

The Plus Addons for Elementor # CVE-2024-2784

CVE, Research URL: CVE-2024-2784
Home page URL: Security reports for The Plus Addons for Elementor
Application: The Plus Addons for Elementor
Date: May 24, 2024
Research Description: The The Plus Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Hover Card widget in all versions up to, and including, 5.5.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: Min -, max -.
Status: vulnerable

Jun 10, 2024

The Plus Addons for Elementor # CVE-2024-35709

CVE, Research URL: CVE-2024-35709
Home page URL: Security reports for The Plus Addons for Elementor
Application: The Plus Addons for Elementor
Date: Jun 08, 2024
Research Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in POSIMYTH The Plus Addons for Elementor Page Builder Lite allows Stored XSS.This issue affects The Plus Addons for Elementor Page Builder Lite: from n/a through 5.5.4.
Affected versions: Min -, max -.
Status: vulnerable

The Plus Addons for Elementor # CVE-2024-23511

CVE, Research URL: CVE-2024-23511
Home page URL: Security reports for The Plus Addons for Elementor
Application: The Plus Addons for Elementor
Date: -
Research Description: The The Plus Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 5.3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: Min -, max -.
Status: vulnerable

Jun 29, 2024

The Plus Addons for Elementor # CVE-2024-4983

CVE, Research URL: CVE-2024-4983
Home page URL: Security reports for The Plus Addons for Elementor
Application: The Plus Addons for Elementor
Date: Jun 27, 2024
Research Description: The The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘video_color’ parameter in all versions up to, and including, 5.6.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: Min -, max -.
Status: vulnerable

Jul 04, 2024

The Plus Addons for Elementor # CVE-2024-4482

CVE, Research URL: CVE-2024-4482
Home page URL: Security reports for The Plus Addons for Elementor
Application: The Plus Addons for Elementor
Date: Jul 03, 2024
Research Description: The The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Countdown' widget in all versions up to, and including, 5.6.1 due to insufficient input sanitization and output escaping on user supplied 'text_days' attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: Min -, max -.
Status: vulnerable

Aug 20, 2024

The Plus Addons for Elementor # CVE-2024-6575

CVE, Research URL: CVE-2024-6575
Home page URL: Security reports for The Plus Addons for Elementor
Application: The Plus Addons for Elementor
Date: Aug 20, 2024
Research Description: The The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘res_width_value’ parameter within the plugin's tp_page_scroll widget in all versions up to, and including, 5.6.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: Min -, max -.
Status: vulnerable

The Plus Addons for Elementor # CVE-2024-5763

CVE, Research URL: CVE-2024-5763
Home page URL: Security reports for The Plus Addons for Elementor
Application: The Plus Addons for Elementor
Date: Aug 20, 2024
Research Description: The The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the video_date attribute within the plugin's Video widget in all versions up to, and including, 5.6.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: Min -, max -.
Status: vulnerable

Aug 22, 2024

The Plus Addons for Elementor # CVE-2024-5583

CVE, Research URL: CVE-2024-5583
Home page URL: Security reports for The Plus Addons for Elementor
Application: The Plus Addons for Elementor
Date: Aug 22, 2024
Research Description: The The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the carousel_direction parameter of testimonials widget in all versions up to, and including, 5.6.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: Min -, max -.
Status: vulnerable

Aug 29, 2024

The Plus Addons for Elementor # CVE-2024-43932

CVE, Research URL: CVE-2024-43932
Home page URL: Security reports for The Plus Addons for Elementor
Application: The Plus Addons for Elementor
Date: Nov 01, 2024
Research Description: Missing Authorization vulnerability in POSIMYTH The Plus Addons for Elementor Page Builder Lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects The Plus Addons for Elementor Page Builder Lite: from n/a through 5.6.2.
Affected versions: Min -, max -.
Status: vulnerable

Aug 31, 2024

The Plus Addons for Elementor # CVE-2024-43977

CVE, Research URL: CVE-2024-43977
Home page URL: Security reports for The Plus Addons for Elementor
Application: The Plus Addons for Elementor
Date: Sep 18, 2024
Research Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in POSIMYTH The Plus Addons for Elementor Page Builder Lite allows Stored XSS.This issue affects The Plus Addons for Elementor Page Builder Lite: from n/a through 5.6.2.
Affected versions: Min -, max -.
Status: vulnerable

Oct 12, 2024

The Plus Addons for Elementor # CVE-2024-8913

CVE, Research URL: CVE-2024-8913
Home page URL: Security reports for The Plus Addons for Elementor
Application: The Plus Addons for Elementor
Date: Oct 11, 2024
Research Description: The The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.6.11 via the render function in modules/widgets/tp_accordion.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft template data.
Affected versions: Min -, max -.
Status: vulnerable

Nov 20, 2024

The Plus Addons for Elementor # CVE-2024-10365

CVE, Research URL: CVE-2024-10365
Home page URL: Security reports for The Plus Addons for Elementor
Application: The Plus Addons for Elementor
Date: Nov 20, 2024
Research Description: The The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.0.3 via the render function in modules/widgets/tp_carousel_anything.php, modules/widgets/tp_page_scroll.php, and other widgets. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft template data.
Affected versions: Min -, max -.
Status: vulnerable

Dec 08, 2024

The Plus Addons for Elementor # CVE-2024-53823

CVE, Research URL: CVE-2024-53823
Home page URL: Security reports for The Plus Addons for Elementor
Application: The Plus Addons for Elementor
Date: Dec 06, 2024
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in POSIMYTH The Plus Addons for Elementor Page Builder Lite allows DOM-Based XSS.This issue affects The Plus Addons for Elementor Page Builder Lite: from n/a through 5.6.14.
Affected versions: Min -, max -.
Status: vulnerable

Feb 04, 2025

The Plus Addons for Elementor # CVE-2024-11829

CVE, Research URL: CVE-2024-11829
Home page URL: Security reports for The Plus Addons for Elementor
Application: The Plus Addons for Elementor
Date: Feb 01, 2025
Research Description: The The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Table Widget's searchable_label parameter in all versions up to, and including, 6.1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: Min -, max -.
Status: vulnerable

Mar 09, 2025

The Plus Addons for Elementor # CVE-2025-1287

CVE, Research URL: CVE-2025-1287
Home page URL: Security reports for The Plus Addons for Elementor
Application: The Plus Addons for Elementor
Date: Mar 08, 2025
Research Description: The The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Countdown, Syntax Highlighter, and Page Scroll widgets in all versions up to, and including, 6.2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: Min -, max -.
Status: vulnerable

Jun 06, 2025

The Plus Addons for Elementor # CVE-2025-49076

CVE, Research URL: CVE-2025-49076
Home page URL: Security reports for The Plus Addons for Elementor
Application: The Plus Addons for Elementor
Date: Jun 06, 2025
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in POSIMYTH Innovations The Plus Addons for Elementor Page Builder Lite allows Stored XSS.This issue affects The Plus Addons for Elementor Page Builder Lite: from n/a through 6.2.7.
Affected versions: Min -, max -.
Status: vulnerable