Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2026-05-01
CVE-2026-6127 - Elementor Website Builder Plugin
The Elementor Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the _elementor_data meta field in versions up to, and including, 4.0.4. This is due to insufficient input sanitization when processing form-encoded REST API requests. The plugin registers the _elementor_data meta field with show_in_rest but omits a sanitize_callback, relying instead on a rest_pre_insert_post filter (sanitize_post_data function) that only sanitizes JSON-encoded request bodies. When a contributor sends a form-encoded PATCH request to the WordPress REST API, the json_decode() call on the raw body returns null, causing all sanitization…
PLUGIN
Elementor Website Builder
CVE-2026-6127
Risk Score
Threat Entry
Updated 2026-04-24
CVE-2026-1206 - Elementor Website Builder Plugin
The Elementor Website Builder plugin for WordPress is vulnerable to Incorrect Authorization to Sensitive Information Exposure in all versions up to, and including, 3.35.7. This is due to a logic error in the is_allowed_to_read_template() function permission check that treats non-published templates as readable without verifying edit capabilities. This makes it possible for authenticated attackers, with contributor-level access and above, to read private or draft Elementor template content via the 'template_id' supplied to the 'get_template_data' action of the 'elementor_ajax' endpoint.
PLUGIN
Elementor Website Builder
CVE-2026-1206
Risk Score
Threat Entry
Updated 2025-04-23
CVE-2023-0329 - Elementor Website Builder Plugin
The Elementor Website Builder WordPress plugin before 3.12.2 does not properly sanitize and escape the Replace URL parameter in the Tools module before using it in a SQL statement, leading to a SQL injection exploitable by users with the Administrator role.
PLUGIN
Elementor Website Builder
CVE-2023-0329
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-1329 - Elementor Website Builder Plugin
The Elementor Website Builder plugin for WordPress is vulnerable to unauthorized execution of several AJAX actions due to a missing capability check in the ~/core/app/modules/onboarding/module.php file that make it possible for attackers to modify site data in addition to uploading malicious files that can be used to obtain remote code execution, in versions 3.6.0 to 3.6.2.
PLUGIN
Elementor Website Builder
CVE-2022-1329
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2021-24891 - Elementor Website Builder Plugin
The Elementor Website Builder WordPress plugin before 3.4.8 does not sanitise or escape user input appended to the DOM via a malicious hash, resulting in a DOM Cross-Site Scripting issue.
PLUGIN
Elementor Website Builder
CVE-2021-24891
Risk Score