cleantalk
Vulnerabilities and Security Researches

Elementor Website Builder – More than Just a Page Builder, CVE-2025-3075

CVE, Research URL

CVE-2025-3075

Home page URL

Security reports for Elementor Website Builder – More than Just a Page Builder

Application

Elementor Website Builder – More than Just a Page Builder

Published on
Jul 29, 2025
Research Description
The Elementor Website Builder – More Than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'elementor-element' shortcode in all versions up to, and including, 3.29.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only impacts sites with 'Element Caching' enabled.
Affected versions
Min -, max 3.29.1.
Status
vulnerable
Previous vulnerability researches
Hello Elementor (CVE-2024-31289) , Jun 10, 2024
Envo's Elementor Templates & Widgets for WooCommerce (CVE-2024-43292) , Aug 20, 2024
Envo's Elementor Templates & Widgets for WooCommerce (CVE-2024-0766) , Jun 10, 2024
Envo's Elementor Templates & Widgets for WooCommerce (CVE-2024-35167) , Jun 10, 2024
Envo's Elementor Templates & Widgets for WooCommerce (CVE-2024-50447) , Oct 27, 2024
New vulnerability
Thank You Page Customizer for WooCommerce – Increase Your Sales (CVE-2025-30993) , Aug 15, 2025
GMap Generator (CVE-2025-8568) , Aug 14, 2025
GiveWP – Donation Plugin and Fundraising Platform (CVE-2025-47444) , Aug 14, 2025
Easy Form Builder (CVE-2025-54678) , Aug 14, 2025
WooCommerce Affiliate Plugin – Coupon Affiliates (CVE-2025-54025) , Aug 14, 2025