Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Website_builder
(Elementor)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 20 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2024-07-09 | CVE-2024-37437 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Elementor Elementor Website Builder allows Cross-Site Scripting (XSS), Stored XSS.This issue affects Elementor Website Builder: from n/a through 3.22.1. | Website_builder | 5.4 | ||
| 2024-06-11 | CVE-2023-33922 | Missing Authorization vulnerability in Elementor Elementor Website Builder.This issue affects Elementor Website Builder: from n/a through 3.13.2. | Website_builder | 4.3 | ||
| 2023-08-14 | CVE-2022-4953 | The Elementor Website Builder WordPress plugin before 3.5.5 does not filter out user-controlled URLs from being loaded into the DOM. This could be used to inject rogue iframes that point to malicious URLs. | Website_builder | 6.1 | ||
| 2023-11-30 | CVE-2023-47505 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Elementor.Com Elementor allows Cross-Site Scripting (XSS).This issue affects Elementor: from n/a through 3.16.4. | Website_builder | 5.4 | ||
| 2023-05-30 | CVE-2023-0329 | The Elementor Website Builder WordPress plugin before 3.12.2 does not properly sanitize and escape the Replace URL parameter in the Tools module before using it in a SQL statement, leading to a SQL injection exploitable by users with the Administrator role. | Website_builder | 7.2 | ||
| 2021-04-05 | CVE-2021-24201 | In the Elementor Website Builder WordPress plugin before 3.1.4, the column element (includes/elements/column.php) accepts an ‘html_tag’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above permissions to send a modified ‘save_builder’ request containing JavaScript in the ‘html_tag’ parameter, which is not filtered and is output without escaping. This JavaScript will then be executed when the saved page is viewed... | Website_builder | 5.4 | ||
| 2023-06-07 | CVE-2020-36703 | The Elementor Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG image uploads in versions up to, and including 2.9.7 This makes it possible for authenticated attackers with the upload_files capability to inject arbitrary web scripts in pages that will execute whenever a user accesses the page with the stored web scripts. | Website_builder | 5.4 | ||
| 2020-01-22 | CVE-2020-7109 | The Elementor Page Builder plugin before 2.8.4 for WordPress does not sanitize data during creation of a new template. | Website_builder | 9.8 | ||
| 2020-01-28 | CVE-2020-8426 | The Elementor plugin before 2.8.5 for WordPress suffers from a reflected XSS vulnerability on the elementor-system-info page. These can be exploited by targeting an authenticated user. | Website_builder | 5.4 | ||
| 2020-08-21 | CVE-2020-20634 | Elementor 2.9.5 and below WordPress plugin allows authenticated users to activate its safe mode feature. This can be exploited to disable all security plugins on the blog. | Website_builder | 6.5 |