Vulnerabilities and security researches forwidgetkit-for-elementor widgetkit-for-elementor

Mar 09, 2025

CVE, Research URL: CVE-2024-10321
Home page URL: Security reports for All-in-One Addons for Elementor – WidgetKit
Application: All-in-One Addons for Elementor – WidgetKit
Date: Mar 08, 2025
Research Description: The All-in-One Addons for Elementor – WidgetKit plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.5.4 in elements/advanced-tab/template/view.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft template data.
Affected versions: Min -, max -.
Status: vulnerable

Jul 02, 2024

CVE, Research URL: CVE-2024-37428
Home page URL: Security reports for All-in-One Addons for Elementor – WidgetKit
Application: All-in-One Addons for Elementor – WidgetKit
Date: Jul 22, 2024
Research Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Themesgrove WidgetKit allows Stored XSS.This issue affects WidgetKit: from n/a through 2.5.0.
Affected versions: Min -, max -.
Status: vulnerable

Jun 07, 2024

CVE, Research URL: CVE-2021-24267
Home page URL: Security reports for All-in-One Addons for Elementor – WidgetKit
Application: All-in-One Addons for Elementor – WidgetKit
Date: May 06, 2021
Research Description: The “All-in-One Addons for Elementor – WidgetKit” WordPress Plugin before 2.3.10 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2024-2137
Home page URL: Security reports for All-in-One Addons for Elementor – WidgetKit
Application: All-in-One Addons for Elementor – WidgetKit
Date: Apr 12, 2024
Research Description: The All-in-One Addons for Elementor – WidgetKit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple pricing widgets (e.g. Pricing Single, Pricing Icon, Pricing Tab) in all versions up to, and including, 2.4.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2022-4256
Home page URL: Security reports for All-in-One Addons for Elementor – WidgetKit
Application: All-in-One Addons for Elementor – WidgetKit
Date: Jan 03, 2023
Research Description: The All-in-One Addons for Elementor WordPress plugin before 2.4.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2024-33908
Home page URL: Security reports for All-in-One Addons for Elementor – WidgetKit
Application: All-in-One Addons for Elementor – WidgetKit
Date: May 07, 2024
Research Description: Missing Authorization vulnerability in Themesgrove WidgetKit.This issue affects WidgetKit: from n/a through 2.5.0.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2024-34548
Home page URL: Security reports for All-in-One Addons for Elementor – WidgetKit
Application: All-in-One Addons for Elementor – WidgetKit
Date: May 08, 2024
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themesgrove WidgetKit allows Stored XSS.This issue affects WidgetKit: from n/a through 2.4.8.
Affected versions: Min -, max -.
Status: vulnerable