Elementor Page Builder < 2.8.5 – Authenticated Reflected XSS | CVE 2020-8426

Affects Plugins

elementor

Fixed in 2.8.5

References

CVE

CVE-2020-8426

URL

https://blog.impenetrable.tech/xss-in-wordpress-elementor-plugin

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

5.4 (medium)

Miscellaneous

Verified

No

WPVDB ID

e1422824-adba-4d7c-a7f3-c0a6b3ab0232

Timeline

Publicly Published

2020-01-29 (about 6 years ago)

Added

2020-01-29 (about 6 years ago)

Last Updated

2020-09-22 (about 5 years ago)

Other

Published

Title

Published

2025-01-14

Title

SetMore Theme – Custom Post Types <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-06-23

Title

WPCRM - CRM for Contact form CF7 & WooCommerce <= 3.2.0 - Reflected Cross-Site Scripting

Published

2025-04-22

Title

Event post < 5.10.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-09-30

Title

Easy WordPress Subscribe – Optin Hound <= 1.4.3 - Reflected Cross-Site Scripting via add_query_arg Parameter

Published

2014-04-25

Title

Import Legacy Media <= 0.1 - Unauthenticated Reflected Cross-Site Scripting (XSS)