Vulnerabilities and security researches forzita-site-library zita-site-library

Feb 27, 2026

CVE, Research URL: CVE-2026-25319
Home page URL: Security reports for Zita Elementor Site Library
Application: Zita Elementor Site Library
Date: Feb 19, 2026
Research Description: Cross-Site Request Forgery (CSRF) vulnerability in wpzita Zita Elementor Site Library zita-site-library allows Cross Site Request Forgery.This issue affects Zita Elementor Site Library: from n/a through <= 1.6.6.
Affected versions: max 1.6.6.
Status: vulnerable

Oct 18, 2024

CVE, Research URL: CVE-2024-8921
Home page URL: Security reports for Zita Elementor Site Library
Application: Zita Elementor Site Library
Date: Oct 16, 2024
Research Description: The Zita Elementor Site Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
Affected versions: max 1.6.4.
Status: vulnerable

Jul 02, 2024

CVE, Research URL: CVE-2024-37420
Home page URL: Security reports for Zita Elementor Site Library
Application: Zita Elementor Site Library
Date: Jul 09, 2024
Research Description: Unrestricted Upload of File with Dangerous Type vulnerability in WPZita Zita Elementor Site Library allows Upload a Web Shell to a Web Server.This issue affects Zita Elementor Site Library: from n/a through 1.6.1.
Affected versions: max 1.6.2.
Status: vulnerable

Jun 26, 2024

CVE, Research URL: CVE-2024-3249
Home page URL: Security reports for Zita Elementor Site Library
Application: Zita Elementor Site Library
Date: Jun 25, 2024
Research Description: The Zita Elementor Site Library plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the import_xml_data, xml_data_import, import_option_data, import_widgets, and import_customizer_settings functions in all versions up to, and including, 1.6.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to create pages, update certain options, including WooCommerce page titles and Elementor settings, import widgets, and update the plugin's customizer settings and the WordPress custom CSS. NOTE: This vulnerability was partially fixed in version 1.6.2.
Affected versions: max 1.6.3.
Status: vulnerable