Leap13 Premium Addons

Premium Addons for Elementor 4.11.53 CSRF allows arbitrary template creation
CVE-2025-14163 4.3 - Medium - December 23, 2025

The Premium Addons for Elementor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.11.53. This is due to missing nonce validation in the 'insert_inner_template' function. This makes it possible for unauthenticated attackers to create arbitrary Elementor templates via a forged request granted they can trick a site administrator or other user with the edit_posts capability into performing an action such as clicking on a link.

Session Riding

Premium Addons for Elementor <4.11.53 Unauth Data Access via get_template_content
CVE-2025-14155 5.3 - Medium - December 23, 2025

The Premium Addons for Elementor Powerful Elementor Templates & Widgets plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_template_content' function in all versions up to, and including, 4.11.53. This makes it possible for unauthenticated attackers to view the content of private, draft, and pending templates.

AuthZ

Premium Addons Elementor v4.10.69: Stored XSS via Mobile Menu linkURL
CVE-2024-11937 6.4 - Medium - July 04, 2025

The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's linkURL in the Mobile Menu element in all versions up to, and including, 4.10.69 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS

Premium Addons for Elementor 4.11.8: Stored XSS via Countdown widget
CVE-2025-4774 6.4 - Medium - June 10, 2025

The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the data-countdown attribute of Countdown widget in all versions up to, and including, 4.11.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS

Stored XSS in Premium Addons for Elementor Video Box v4.10.60
CVE-2024-10266 6.4 - Medium - October 29, 2024

The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Video Box widget in all versions up to, and including, 4.10.60 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS

WordPress Premium Addons for Elementor <=4.5.1 Arbitrary Option Update
CVE-2021-4445 6.5 - Medium - October 16, 2024

The Premium Addons for Elementor plugin for WordPress is vulnerable to Arbitrary Option Updates in versions up to, and including, 4.5.1. This is due to missing capability and nonce checks in the pa_dismiss_admin_notice AJAX action. This makes it possible for authenticated subscriber+ attackers to change arbitrary options with a restricted value of 1 on vulnerable WordPress sites.

AuthZ

Stored XSS in Premium Addons Elementor 4.10.52 Media Grid (Contributor)
CVE-2024-8681 6.4 - Medium - September 27, 2024

The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Media Grid widget in all versions up to, and including, 4.10.52 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS

Premium Addons Elementor WP <4.10.38: Cap Check Missing, AuthAttacker Delete Titles
CVE-2024-6824 4.3 - Medium - August 08, 2024

The Premium Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'check_temp_validity' and 'update_template_title' functions in all versions up to, and including, 4.10.38. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary content and update post and page titles.

AuthZ

Premium Addons for Elementor XSS via Animated Text Widget (4.10.36)
CVE-2024-6495 6.4 - Medium - July 12, 2024

The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Animated Text widget in all versions up to, and including, 4.10.36 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS

Premium Addons for Elementor ReDoS v4.10.35 via Posts
CVE-2024-6434 3.1 - Low - July 04, 2024

The Premium Addons for Elementor plugin for WordPress is vulnerable to Regular Expression Denial of Service (ReDoS) in all versions up to, and including, 4.10.35. This is due to processing user-supplied input as a regular expression. This makes it possible for authenticated attackers, with Author-level access and above, to create and query a malicious post title, resulting in slowing server resources.

Resource Exhaustion

Premium Addons PRO Missing Auth Vulnerability (up to v2.9.0)
CVE-2023-37869 8.8 - High - June 19, 2024

Missing Authorization vulnerability in Premium Addons Premium Addons PRO.This issue affects Premium Addons PRO: from n/a through 2.9.0.

AuthZ

DOM XSS in Premium Addons for Elementor <=4.10.33 (Contributor+)
CVE-2024-5553 4.4 - Medium - June 12, 2024

The Premium Addons for Elementor plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via several parameters in all versions up to, and including, 4.10.33 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses and edits an injected element, and subsequently clicks the element with the mouse scroll wheel.

XSS

CVE-2024-4379: WordPress Premium Addons Global Tooltip XSS (4.10.31)
CVE-2024-4379 5.4 - Medium - May 31, 2024

The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Global Tooltip widget in all versions up to, and including, 4.10.31 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS

PXE WordPress Plugin Stored XSS <4.10.32 (100% patched in 4.10.33)
CVE-2024-4376 6.4 - Medium - May 31, 2024

The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Fancy Text widget in all versions up to, and including, 4.10.31 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. While 4.10.32 is patched, it is recommended to update to 4.10.33 because 4.10.32 caused a fatal error.

XSS

Stored XSS in Premium Addons for Elementor 4.10.30 widgets
CVE-2024-4378 6.4 - Medium - May 23, 2024

The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's menu and shape widgets in all versions up to, and including, 4.10.30 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS

WordPress Plugin Premium Addons Pro v4.10.30 XSS via Maps Widget
CVE-2024-4203 5.4 - Medium - May 02, 2024

The Premium Addons Pro for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the maps widget in all versions up to, and including, 4.10.30 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Please note this only affects sites running the premium version of the plugin.

XSS

DOM-BS XSS in Premium Addons for Elementor <=4.10.24 via Bullet List wdg
CVE-2024-2666 5.4 - Medium - April 10, 2024

The Premium Addons for Elementor plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the plugin's Bullet List Widget in all versions up to, and including, 4.10.24 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page and attempts to edit the content.

XSS

Stored XSS in Premium Addons for Elementor v4.10.27 (WordPress)
CVE-2024-2665 6.4 - Medium - April 10, 2024

The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's button in all versions up to, and including, 4.10.27 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS

Premium Addons for Elementor Plugin XSS via Countdown Widget v4.10.24
CVE-2024-2664 6.4 - Medium - April 10, 2024

The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Countdown Widget in all versions up to, and including, 4.10.24 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS

Premium Addons for Elementor Stored XSS via Wrapper Link Widget v4.10.16
CVE-2024-0376 6.4 - Medium - April 09, 2024

The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Wrapper Link Widget in all versions up to, and including, 4.10.16 due to insufficient input sanitization and output escaping on user supplied URLs. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS

Stored XSS in Premium Addons PRO (4.10.23) WordPress Plugin
CVE-2024-2399 6.4 - Medium - March 15, 2024

The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets in all versions up to, and including, 4.10.23 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This is only exploitable with the premium version of the plugin is also installed.

XSS

Stored XSS in Premium Addons PRO v<=2.9.12 Global Badge module
CVE-2024-2237 6.4 - Medium - March 13, 2024

The Premium Addons PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Global Badge module in all versions up to, and including, 2.9.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS

XSS in Premium Addons PRO (2.9.12) WP Plugin Insufficient Sanitization
CVE-2024-2239 6.4 - Medium - March 13, 2024

The Premium Addons PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Premium Magic Scroll module in all versions up to, and including, 2.9.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS

Premium Addons PRO XSS via Custom Mouse Cursor (2.9.12)
CVE-2024-2238 6.4 - Medium - March 13, 2024

The Premium Addons PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom Mouse Cursor module in all versions up to, and including, 2.9.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS

Stored XSS in Premium Addons PRO <=2.9.12 via IHover link
CVE-2024-1996 6.4 - Medium - March 13, 2024

The Premium Addons PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's IHover widget link in all versions up to, and including, 2.9.12 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS

Stored XSS in Premium Addons Elementor 4.10.21 via Banner URL (Auth)
CVE-2024-1680 6.4 - Medium - March 13, 2024

The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Image Settings URL of the Banner, Team Members, and Image Scroll widgets in all versions up to, and including, 4.10.21 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS

Premium Addons PRO XSS via navigation_dots in Multi Scroll Widget (2.9.12)
CVE-2024-2000 6.4 - Medium - March 13, 2024

The Premium Addons PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'navigation_dots' parameter of the Multi Scroll Widget in all versions up to, and including, 2.9.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS

Stored XSS in Premium Addons PRO <=2.9.12 via premium_fbchat_app_id
CVE-2024-1997 6.4 - Medium - March 13, 2024

The Premium Addons PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'premium_fbchat_app_id' parameter of the Messenger Chat Widget in all versions up to, and including, 2.9.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS

Premium Addons for Elementor Stored XSS via Link Wrapper 4.10.17
CVE-2024-0326 6.4 - Medium - March 13, 2024

The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Link Wrapper functionality in all versions up to, and including, 4.10.17 due to insufficient input sanitization and output escaping on user supplied links. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS

Stored XSS in Premium Addons for Elementor <=4.10.18, contributor auth
CVE-2024-1242 6.4 - Medium - February 29, 2024

The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the button onclick attribute in all versions up to, and including, 4.10.18 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS

Sensitive Info Exposure in Premium Addons PRO <= 2.9.0
CVE-2023-37868 6.5 - Medium - November 30, 2023

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Leap13 Premium Addons PRO.This issue affects Premium Addons PRO: from n/a through 2.9.0.