WordPress Plugin Vulnerabilities

Elementor Website Builder

2022-04-13

Elementor 3.6.0-3.6.2 - Subscriber+ Arbitrary File Upload

Fixed in version 3.6.3

2021-03-24

Elementor < 3.4.8 - DOM Cross-Site-Scripting

Fixed in version 3.4.8

2021-03-17

Elementor < 3.1.2 - Authenticated Stored Cross-Site Scripting (XSS) in Image Box Widget

Fixed in version 3.1.4

2021-03-17

Elementor < 3.1.2 - Authenticated Stored Cross-Site Scripting (XSS) in Icon Box Widget

Fixed in version 3.1.4

2021-03-17

Elementor < 3.1.2 - Authenticated Stored Cross-Site Scripting (XSS) in Column Element

Fixed in version 3.1.4

2021-03-17

Elementor < 3.1.2 - Authenticated Stored Cross-Site Scripting (XSS) in Heading Widget

Fixed in version 3.1.4

2021-03-17

Elementor < 3.1.2 - Authenticated Stored Cross-Site Scripting (XSS) in Divider Widget

Fixed in version 3.1.4

2021-03-17

Elementor < 3.1.2 - Authenticated Stored Cross-Site Scripting (XSS) in Accordion Widget

Fixed in version 3.1.4

2021-01-06

Elementor < 3.0.14 - SVG Upload Allowed by Default

Fixed in version 3.0.14

2020-07-21

Elementor < 2.9.14 - Authenticated Stored Cross-Site Scripting

Fixed in version 2.9.14

2020-06-05

Elementor Page Builder < 2.9.10 - Authenticated Stored XSS

Fixed in version 2.9.10

2020-05-06

Elementor < 2.9.8 - SVG Sanitizer Bypass leading to Authenticated Stored XSS

Fixed in version 2.9.8

2020-03-31

Elementor Page Builder < 2.9.6 - Authenticated Safe Mode Privilege Escalation

Fixed in version 2.9.6

2020-01-29

Elementor Page Builder < 2.8.5 - Authenticated Reflected XSS

Fixed in version 2.8.5

2020-01-29

Elementor Page Builder < 2.7.6 - Authenticated Stored XSS

Fixed in version 2.7.7

2020-01-19

Elementor Page Builder < 2.8.4 - Cross-Site Scripting (XSS)

Fixed in version 2.8.4

2020-01-14

Elementor < 2.7.5 - Authenticated Arbitrary File Upload

Fixed in version 2.7.5

2017-11-27

Elementor Page Builder <= 1.7.12 - Authenticated Unrestricted Editing

Fixed in version 1.8.0