"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 79
Critical: 1
High: 4
Medium: 74
Showing 1-20 of 79 records
Threat Entry Updated 2026-02-19

CVE-2026-25416 - Elementor Plugin

Missing Authorization vulnerability in blazethemes News Kit Elementor Addons news-kit-elementor-addons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects News Kit Elementor Addons: from n/a through

PLUGIN Elementor

CVE-2026-25416

MEDIUM CVSS 4.3 2026-02-19
Threat Entry Updated 2026-02-19

CVE-2026-25386 - Elementor Plugin

Missing Authorization vulnerability in Elementor Ally pojo-accessibility allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ally: from n/a through

PLUGIN Elementor

CVE-2026-25386

MEDIUM CVSS 5.3 2026-02-19
Threat Entry Updated 2026-02-05

CVE-2026-25028 - Elementor Plugin

Missing Authorization vulnerability in Element Invader ElementInvader Addons for Elementor elementinvader-addons-for-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ElementInvader Addons for Elementor: from n/a through

PLUGIN Elementor

CVE-2026-25028

MEDIUM CVSS 5.4 2026-02-03
Threat Entry Updated 2026-02-03

CVE-2026-24958 - Elementor Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetElements For Elementor jet-elements allows DOM-Based XSS. This issue affects JetElements For Elementor: from n/a through

PLUGIN Elementor

CVE-2026-24958

MEDIUM CVSS 6.5 2026-02-03
Threat Entry Updated 2026-02-03

CVE-2026-24947 - Elementor Plugin

Missing Authorization vulnerability in LA-Studio LA-Studio Element Kit for Elementor lastudio-element-kit allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects LA-Studio Element Kit for Elementor: from n/a through < 1.5.6.3.

PLUGIN Elementor

CVE-2026-24947

MEDIUM CVSS 4.3 2026-02-03
Threat Entry Updated 2026-01-26

CVE-2026-24605 - Elementor Plugin

Missing Authorization vulnerability in pencilwp X Addons for Elementor x-addons-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects X Addons for Elementor: from n/a through

PLUGIN Elementor

CVE-2026-24605

MEDIUM CVSS 4.3 2026-01-23
Threat Entry Updated 2026-01-26

CVE-2026-24390 - Elementor Plugin

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in QantumThemes Kentha Elementor Widgets kentha-elementor allows PHP Local File Inclusion. This issue affects Kentha Elementor Widgets: from n/a through < 3.1.

PLUGIN Elementor

CVE-2026-24390

HIGH CVSS 7.5 2026-01-22
Threat Entry Updated 2026-01-26

CVE-2026-24386 - Elementor Plugin

Missing Authorization vulnerability in Element Invader Element Invader – Template Kits for Elementor elementinvader allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Element Invader – Template Kits for Elementor: from n/a through

PLUGIN Elementor

CVE-2026-24386

MEDIUM CVSS 4.3 2026-01-22
Threat Entry Updated 2026-01-26

CVE-2026-22468 - Elementor Plugin

Missing Authorization vulnerability in AbsolutePlugins Absolute Addons For Elementor absolute-addons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Absolute Addons For Elementor: from n/a through

PLUGIN Elementor

CVE-2026-22468

MEDIUM CVSS 4.3 2026-01-22
Threat Entry Updated 2026-01-13

CVE-2025-13393 - Elementor Plugin

The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.3.1. This is due to insufficient validation of user-supplied URLs before passing them to the getimagesize() function in the Elementor widget integration. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services via the fifu_input_url parameter in the FIFU Elementor widget granted…

PLUGIN Elementor

CVE-2025-13393

MEDIUM CVSS 4.3 2026-01-10
Threat Entry Updated 2026-01-08

CVE-2026-22518 - Elementor Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pencilwp X Addons for Elementor allows DOM-Based XSS. This issue affects X Addons for Elementor: from n/a through 1.0.23.

PLUGIN Elementor

CVE-2026-22518

MEDIUM CVSS 6.5 2026-01-08
Threat Entry Updated 2025-12-16

CVE-2025-11220 - Elementor Plugin

The Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Text Path widget in all versions up to, and including, 3.33.3 due to insufficient neutralization of user-supplied input used to build SVG markup inside the widget. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Elementor

CVE-2025-11220

MEDIUM CVSS 6.4 2025-12-16
Threat Entry Updated 2025-11-26

CVE-2025-12493 - Elementor Plugin

The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution (formerly WooLentor) plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.2.5 via the 'load_template' function. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded…

PLUGIN Elementor

CVE-2025-12493

CRITICAL CVSS 9.8 2025-11-04
Threat Entry Updated 2025-08-15

CVE-2025-8081 - Elementor Plugin

The Elementor plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.30.2 via the Import_Images::import() function due to insufficient controls on the filename specified. This makes it possible for authenticated attackers, with administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

PLUGIN Elementor

CVE-2025-8081

MEDIUM CVSS 4.9 2025-08-12
Threat Entry Updated 2025-07-29

CVE-2025-4566 - Elementor Plugin

The Elementor Website Builder – More Than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the data-text DOM element attribute in Text Path widget in all versions up to, and including, 3.30.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This attack affects only Chrome/Edge browsers

PLUGIN Elementor

CVE-2025-4566

MEDIUM CVSS 6.4 2025-07-29
Threat Entry Updated 2025-11-26

CVE-2025-3775 - Elementor Plugin

The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +20 Modules – All in One Solution (formerly WooLentor) plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.1.2 via the woolentor_template_proxy function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application, and can be used to query and modify information from internal services.

PLUGIN Elementor

CVE-2025-3775

MEDIUM CVSS 6.5 2025-04-25
Threat Entry Updated 2025-04-01

CVE-2025-1512 - Elementor Plugin

The PowerPack Elementor Addons (Free Widgets, Extensions and Templates) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom Cursor Extension in all versions up to, and including, 2.9.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Elementor

CVE-2025-1512

MEDIUM CVSS 6.4 2025-04-01
Threat Entry Updated 2025-03-24

CVE-2025-1527 - Elementor Plugin

The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +20 Modules – All in One Solution (formerly WooLentor) plugin for WordPress is vulnerable to a Stored DOM-Based Cross-Site Scripting via the plugin's Flash Sale Countdown module in all versions up to, and including, 3.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Elementor

CVE-2025-1527

MEDIUM CVSS 6.4 2025-03-12
Threat Entry Updated 2025-02-04

CVE-2024-13694 - Elementor Plugin

The WooCommerce Wishlist (High customization, fast setup,Free Elementor Wishlist, most features) plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.8.7 via the download_pdf_file() function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to extract data from wishlists that they should not have access to.

PLUGIN Elementor

CVE-2024-13694

HIGH CVSS 7.5 2025-01-30
Threat Entry Updated 2025-02-05

CVE-2024-12043 - Elementor Plugin

The Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Post Slider and Ecommerce Slider) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'social_link_title' parameter of the 'blog' widget in all versions up to, and including, 3.16.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Elementor

CVE-2024-12043

MEDIUM CVSS 6.4 2025-01-23