cbcvebase.

Elementor Pro vulnerabilities

9 known vulnerabilities affecting elementor/elementor_pro.

Total CVEs
9
CISA KEV
0
Public exploits
1
Exploited in wild
1
Severity breakdown
HIGH2MEDIUM7

Vulnerabilities

Page 1 of 1
CVE-2023-3124P1HIGHCVSS 8.8ExploitedPoCfixed in 3.11.72023-06-07
CVE-2023-3124 [HIGH] CWE-862 CVE-2023-3124: The Elementor Pro plugin for WordPress is vulnerable to unauthorized data modification due to a miss The Elementor Pro plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the update_page_option function in versions up to, and including, 3.11.6. This makes it possible for authenticated attackers with subscriber-level capabilities to update arbitrary site options, which can lead to privilege escalatio
nvd
CVE-2020-26596P3HIGHCVSS 8.8≤ 3.0.52020-10-07
CVE-2020-26596 [HIGH] CWE-269 CVE-2020-26596: The Dynamic OOO widget for the Elementor Pro plugin through 3.0.5 for WordPress allows remote authen The Dynamic OOO widget for the Elementor Pro plugin through 3.0.5 for WordPress allows remote authenticated users to execute arbitrary code because only the Editor role is needed to upload executable PHP code via the PHP Raw snippet. NOTE: this issue can be mitigated by removing the Dynamic OOO widget or by restricting availability of the Editor role.
nvd
CVE-2024-23523P4MEDIUMCVSS 6.5≥ n/a, ≤ 3.19.22024-03-16
CVE-2024-23523 [MEDIUM] CWE-200 CVE-2024-23523: Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Elementor Pro.This issue Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Elementor Pro.This issue affects Elementor Pro: from n/a through 3.19.2.
nvd
CVE-2023-35050P4MEDIUMCVSS 5.4≥ n/a, ≤ 3.13.02024-06-19
CVE-2023-35050 [MEDIUM] CWE-862 CVE-2023-35050: Missing Authorization vulnerability in Elementor Elementor Pro.This issue affects Elementor Pro: fro Missing Authorization vulnerability in Elementor Elementor Pro.This issue affects Elementor Pro: from n/a through 3.13.0.
nvd
CVE-2024-35656P4MEDIUMCVSS 6.1fixed in 3.21.3≥ n/a, ≤ 3.21.22024-07-22
CVE-2024-35656 [MEDIUM] CWE-79 CVE-2024-35656: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerab Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Elementor Elementor Pro allows Reflected XSS.This issue affects Elementor Pro: from n/a through 3.21.2.
nvd
CVE-2024-2121P4MEDIUMCVSS 5.4fixed in 3.20.22024-03-27
CVE-2024-2121 [MEDIUM] CWE-79 CVE-2024-2121: The Elementor Website Builder Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting The Elementor Website Builder Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Media Carousel widget in all versions up to, and including, 3.20.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above
nvd
CVE-2024-2781P4MEDIUMCVSS 5.4fixed in 3.20.22024-03-27
CVE-2024-2781 [MEDIUM] CWE-79 CVE-2024-2781: The Elementor Website Builder Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting The Elementor Website Builder Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the video_html_tag attribute in all versions up to, and including, 3.20.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web script
nvd
CVE-2024-1521P4MEDIUMCVSS 5.4fixed in 3.20.22024-03-27
CVE-2024-1521 [MEDIUM] CWE-79 CVE-2024-1521: The Elementor Website Builder Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting The Elementor Website Builder Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an SVGZ file uploaded via the Form widget in all versions up to, and including, 3.20.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a
nvd
CVE-2024-1364P4MEDIUMCVSS 5.4fixed in 3.20.22024-03-27
CVE-2024-1364 [MEDIUM] CWE-79 CVE-2024-1364: The Elementor Website Builder Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting The Elementor Website Builder Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via widget's custom_id in all versions up to, and including, 3.20.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to
nvd
Elementor Pro vulnerabilities | cvebase