cleantalk
Vulnerabilities and Security Researches

Elementor Website Builder – More than Just a Page Builder, CVE-2025-11220

CVE, Research URL

CVE-2025-11220

Home page URL

Security reports for Elementor Website Builder – More than Just a Page Builder

Application

Elementor Website Builder – More than Just a Page Builder

Published on
Dec 16, 2025
Research Description
The Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Text Path widget in all versions up to, and including, 3.33.3 due to insufficient neutralization of user-supplied input used to build SVG markup inside the widget. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 3.33.4.
Status
vulnerable
Previous vulnerability researches
Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders (CVE-2024-39649) , Aug 07, 2024
Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders (CVE-2024-7092) , Aug 13, 2024
Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders (CVE-2026-23543) , Feb 27, 2026
Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders (CVE-2026-1512) , Apr 14, 2026
Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders (CVE-2024-9993) , Jun 15, 2025
New vulnerability
WP Security Safe (CVE-2023-33999) , Jun 13, 2026
YouTube Easy Embed (Wall/Rail) (CVE-2023-33999) , Jun 13, 2026
Customer Order History for WooCommerce (CVE-2023-33999) , Jun 13, 2026
Availability datepicker – Integrate with Contact Form 7 and Divi (CVE-2023-33999) , Jun 13, 2026
Premmerce Variation Swatches for WooCommerce (CVE-2023-33999) , Jun 13, 2026