Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-01-21
CVE-2024-3197 - The Plus Addons For Elementor Plugin
The The Plus Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom attributes in the plugin's widgets in all versions up to, and including, 5.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
The Plus Addons For Elementor
CVE-2024-3197
Risk Score
Threat Entry
Updated 2025-01-28
CVE-2024-2210 - The Plus Addons For Elementor Plugin
The The Plus Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.4.1 via the Team Member Listing widget. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
PLUGIN
The Plus Addons For Elementor
CVE-2024-2210
Risk Score
Threat Entry
Updated 2025-01-28
CVE-2024-2203 - The Plus Addons For Elementor Plugin
The The Plus Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.4.1 via the Clients widget. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
PLUGIN
The Plus Addons For Elementor
CVE-2024-2203
Risk Score
Threat Entry
Updated 2025-02-05
CVE-2024-1419 - The Plus Addons For Elementor Plugin
The The Plus Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘_id’ attribute of the Header Meta Content widget in all versions up to, and including, 5.4.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
The Plus Addons For Elementor
CVE-2024-1419
Risk Score
Threat Entry
Updated 2026-04-08
CVE-2021-4331 - Plus Addons For Elementor Plugin
The Plus Addons for Elementor plugin for WordPress is vulnerable to privilege escalation in versions up to, and including 4.1.9 (pro) and 2.0.6 (free). The plugin adds a registration form to the Elementor page builders functionality. As part of the registration form, users can choose which role to set as the default for users upon registration. This field is not hidden for lower-level users so any user with access to the Elementor page builder, such as contributors, can set the default role to administrator. Since contributors can not publish posts,…
PLUGIN
Plus Addons For Elementor
CVE-2021-4331
Risk Score
Threat Entry
Updated 2026-04-08
CVE-2021-4332 - Plus Addons For Elementor Plugin
The Plus Addons for Elementor plugin for WordPress is vulnerable to arbitrary file reads in versions up to, and including 4.1.9 (pro) and 2.0.6 (free). The plugin has a feature to add an "Info Box" to an Elementor created page. This Info Box can include an SVG image for the box. Unfortunately, the plugin used file_get_contents with no verification that the file being supplied was an SVG file, so any user with access to the Elementor page builder, such as contributors, could read arbitrary files on the WordPress installation.
PLUGIN
Plus Addons For Elementor
CVE-2021-4332
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2021-24949 - Plus Addons For Elementor Plugin
The "WP Search Filters" widget of The Plus Addons for Elementor - Pro WordPress plugin before 5.0.7 does not sanitise and escape the option parameter before using it in a SQL statement, which could lead to SQL injection
PLUGIN
Plus Addons For Elementor
CVE-2021-24949
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2021-24948 - Plus Addons For Elementor Plugin
The Plus Addons for Elementor - Pro WordPress plugin before 5.0.7 does not validate the qvquery parameter of the tp_get_dl_post_info_ajax AJAX action, which could allow unauthenticated users to retrieve sensitive information, such as private and draft posts
PLUGIN
Plus Addons For Elementor
CVE-2021-24948
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2021-24358 - Plus Addons For Elementor Plugin
The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.10 did not validate a redirect parameter on a specifically crafted URL before redirecting the user to it, leading to an Open Redirect issue.
PLUGIN
Plus Addons For Elementor
CVE-2021-24358
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2021-24351 - Plus Addons For Elementor Plugin
The theplus_more_post AJAX action of The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.12 did not properly sanitise some of its fields, leading to a reflected Cross-Site Scripting (exploitable on both unauthenticated and authenticated users)
PLUGIN
Plus Addons For Elementor
CVE-2021-24351
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2021-24359 - Plus Addons For Elementor Plugin
The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.11 did not properly check that a user requesting a password reset was the legitimate user, allowing an attacker to send an arbitrary reset password email to a registered user on behalf of the WordPress site. Such issue could be chained with an open redirect (CVE-2021-24358) in version below 4.1.10, to include a crafted password reset link in the email, which would lead to an account takeover.
PLUGIN
Plus Addons For Elementor
CVE-2021-24359
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2021-24175 - Plus Addons For Elementor Plugin
The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.7 was being actively exploited to by malicious actors to bypass authentication, allowing unauthenticated users to log in as any user (including admin) by just providing the related username, as well as create accounts with arbitrary roles, such as admin. These issues can be exploited even if registration is disabled, and the Login widget is not active.
PLUGIN
Plus Addons For Elementor
CVE-2021-24175
Risk Score