Elementor Pro

By the Year

In 2026 there have been 0 vulnerabilities in Elementor Pro. Last year, in 2025, Elementor Pro had 1 security vulnerability published. Right now, Elementor Pro is on track to have fewer security vulnerabilities in 2026 than it did last year.

Year   Vulnerabilities   Average Score
2026   0                 0.00
2025   1                 5.40
2024   8                 5.52
2023   1                 8.80

It may take a day or so for new Elementor Pro vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Elementor Pro Security Vulnerabilities

Elementor WP Builder <3.29.0 Stored XSS via button_text
CVE-2025-3076 5.4 - Medium - June 10, 2025

The Elementor Website Builder Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the button_text parameter in all versions up to, and including, 3.29.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS

Elementor Pro 3.21.2 Reflected XSS via Improper Neutralization of Input
CVE-2024-35656 6.1 - Medium - July 22, 2024

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Elementor Elementor Pro allows Reflected XSS. This issue affects Elementor Pro: from n/a through 3.21.2.

XSS

Missing Auth Vulnerability in Elementor Pro <=3.13.0
CVE-2023-35050 - June 19, 2024

Missing Authorization vulnerability in Elementor Elementor Pro. This issue affects Elementor Pro: from n/a through 3.13.0.

AuthZ

Elementor Pro WP Plugin 3.21.0 Stored XSS via Params
CVE-2024-4107 5.4 - Medium - May 14, 2024

The Elementor Website Builder More than Just a Page Builder Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in versions up to, and including, 3.21.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS

WordPress Elementor Pro 3.20.1: Stored XSS via video_html_tag
CVE-2024-2781 5.4 - Medium - March 27, 2024

The Elementor Website Builder Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the video_html_tag attribute in all versions up to, and including, 3.20.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS

Elementor Pro <=3.20.1 Media Carousel XSS (Stored)
CVE-2024-2121 5.4 - Medium - March 27, 2024

The Elementor Website Builder Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Media Carousel widget in all versions up to, and including, 3.20.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS

Elementor Pro WP Pro v<=3.20.1 Stored XSS via SVGZ Upload on NGINX
CVE-2024-1521 5.4 - Medium - March 27, 2024

The Elementor Website Builder Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an SVGZ file uploaded via the Form widget in all versions up to, and including, 3.20.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability is only exploitable on web servers running NGINX. It is not exploitable on web servers running Apache HTTP Server.

XSS

Elementor Pro <=3.20.1 Stored XSS via widget custom_id
CVE-2024-1364 5.4 - Medium - March 27, 2024

The Elementor Website Builder Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via widget's custom_id in all versions up to, and including, 3.20.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS

Elementor Pro 3.19.2 Sensitive Info Exposure to Unauthorized Actor
CVE-2024-23523 - March 16, 2024

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Elementor Pro. This issue affects Elementor Pro: from n/a through 3.19.2.

Information Disclosure

Data mod in Elementor Pro 3.11.6 update_page_option leads to priv esc
CVE-2023-3124 8.8 - High - June 07, 2023

The Elementor Pro plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the update_page_option function in versions up to, and including, 3.11.6. This makes it possible for authenticated attackers with subscriber-level capabilities to update arbitrary site options, which can lead to privilege escalation.
