Premium Addons For Elementor Leap13 Premium Addons For Elementor

  1. Vendors
  2. Leap13
  3. Premium Addons For Elementor

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in Leap13 Premium Addons For Elementor.

By the Year

In 2026 there have been 1 vulnerability in Leap13 Premium Addons For Elementor with an average score of 5.4 out of ten. Last year, in 2025 Premium Addons For Elementor had 3 security vulnerabilities published. At the current rates, it appears that the number of vulnerabilities last year and this year may equal out. Last year, the average CVE base score was greater by 1.37




Year Vulnerabilities Average Score
2026 1 5.40
2025 3 6.77
2024 29 5.84
2023 1 6.10
2022 0 0.00
2021 1 5.40

It may take a day or so for new Premium Addons For Elementor vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Leap13 Premium Addons For Elementor Security Vulnerabilities

Missing Auth in Premium Addons for Elementor <=4.11.63
CVE-2025-69300 5.4 - Medium - January 22, 2026

Missing Authorization vulnerability in Leap13 Premium Addons for Elementor premium-addons-for-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Premium Addons for Elementor: from n/a through <= 4.11.63.

AuthZ

Leap13 Premium Addons for Elementor <=4.11.53: Sensitive Info Leak (Elementor Premium Addons)
CVE-2025-68494 7.5 - High - December 24, 2025

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Leap13 Premium Addons for Elementor premium-addons-for-elementor allows Retrieve Embedded Sensitive Data.This issue affects Premium Addons for Elementor: from n/a through <= 4.11.53.

Exposure of Sensitive System Information to an Unauthorized Control Sphere

Premium Addons Elementor v4.10.69: Stored XSS via Mobile Menu linkURL
CVE-2024-11937 6.4 - Medium - July 04, 2025

The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's linkURL in the Mobile Menu element in all versions up to, and including, 4.10.69 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS

Premium Addons for Elementor 4.11.8: Stored XSS via Countdown widget
CVE-2025-4774 6.4 - Medium - June 10, 2025

The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the data-countdown attribute of Countdown widget in all versions up to, and including, 4.11.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS

Leap13 Premium Addons for Elementor: Missing Authorization Vulnerability
CVE-2024-56225 - December 31, 2024

Missing Authorization vulnerability in Leap13 Premium Addons for Elementor premium-addons-for-elementor allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Premium Addons for Elementor: from n/a through <= 4.10.56.

AuthZ

Stored XSS in Premium Addons for Elementor Video Box v4.10.60
CVE-2024-10266 6.4 - Medium - October 29, 2024

The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Video Box widget in all versions up to, and including, 4.10.60 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS

WordPress Premium Addons for Elementor <=4.5.1 Arbitrary Option Update
CVE-2021-4445 6.5 - Medium - October 16, 2024

The Premium Addons for Elementor plugin for WordPress is vulnerable to Arbitrary Option Updates in versions up to, and including, 4.5.1. This is due to missing capability and nonce checks in the pa_dismiss_admin_notice AJAX action. This makes it possible for authenticated subscriber+ attackers to change arbitrary options with a restricted value of 1 on vulnerable WordPress sites.

AuthZ

Stored XSS in Premium Addons Elementor 4.10.52 Media Grid (Contributor)
CVE-2024-8681 6.4 - Medium - September 27, 2024

The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Media Grid widget in all versions up to, and including, 4.10.52 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS

Premium Addons Elementor WP <4.10.38: Cap Check Missing, AuthAttacker Delete Titles
CVE-2024-6824 4.3 - Medium - August 08, 2024

The Premium Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'check_temp_validity' and 'update_template_title' functions in all versions up to, and including, 4.10.38. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary content and update post and page titles.

AuthZ

Leap13 Premium Addons for Elementor Stored XSS Vulnerability (<=4.10.34)
CVE-2024-37922 - July 20, 2024

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Leap13 Premium Addons for Elementor premium-addons-for-elementor.This issue affects Premium Addons for Elementor: from n/a through <= 4.10.34.

XSS

Premium Addons for Elementor XSS via Animated Text Widget (4.10.36)
CVE-2024-6495 6.4 - Medium - July 12, 2024

The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Animated Text widget in all versions up to, and including, 4.10.36 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS

Premium Addons for Elementor ReDoS v4.10.35 via Posts
CVE-2024-6434 3.1 - Low - July 04, 2024

The Premium Addons for Elementor plugin for WordPress is vulnerable to Regular Expression Denial of Service (ReDoS) in all versions up to, and including, 4.10.35. This is due to processing user-supplied input as a regular expression. This makes it possible for authenticated attackers, with Author-level access and above, to create and query a malicious post title, resulting in slowing server resources.

Resource Exhaustion

Stored XSS in Premium Addons Elementor Countdown (4.10.35)
CVE-2024-6340 6.4 - Medium - July 03, 2024

The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Countdown widget in all versions up to, and including, 4.10.36 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 4.10.36 and fully patched in version 4.10.37.

XSS

DOM XSS in Premium Addons for Elementor <=4.10.33 (Contributor+)
CVE-2024-5553 4.4 - Medium - June 12, 2024

The Premium Addons for Elementor plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via several parameters in all versions up to, and including, 4.10.33 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses and edits an injected element, and subsequently clicks the element with the mouse scroll wheel.

XSS

CVE-2024-4379: WordPress Premium Addons Global Tooltip XSS (4.10.31)
CVE-2024-4379 5.4 - Medium - May 31, 2024

The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Global Tooltip widget in all versions up to, and including, 4.10.31 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS

PXE WordPress Plugin Stored XSS <4.10.32 (100% patched in 4.10.33)
CVE-2024-4376 6.4 - Medium - May 31, 2024

The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Fancy Text widget in all versions up to, and including, 4.10.31 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. While 4.10.32 is patched, it is recommended to update to 4.10.33 because 4.10.32 caused a fatal error.

XSS

Premium Addons for Elementor <=4.10.31 get_template_content() Cap Check Bypass
CVE-2024-4205 4.3 - Medium - May 31, 2024

The Premium Addons for Elementor plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_template_content() function in all versions up to, and including, 4.10.31. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve Elementor template data.

AuthZ

Stored XSS in Premium Addons for Elementor 4.10.30 widgets
CVE-2024-4378 6.4 - Medium - May 23, 2024

The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's menu and shape widgets in all versions up to, and including, 4.10.30 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS

Stored XSS in Premium Addons for Elementor <=4.10.28 Post Ticker Widget
CVE-2024-3647 6.4 - Medium - May 02, 2024

The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's post ticker widget in all versions up to, and including, 4.10.28 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This requires the premium version of the plugin to be installed and activated in order to be exploited.

XSS

WordPress Plugin Premium Addons Pro v4.10.30 XSS via Maps Widget
CVE-2024-4203 5.4 - Medium - May 02, 2024

The Premium Addons Pro for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the maps widget in all versions up to, and including, 4.10.30 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Please note this only affects sites running the premium version of the plugin.

XSS

Premium Addons Elementor <4.10.28 XSS via subcontainer value (contrib+)
CVE-2024-3885 6.4 - Medium - May 02, 2024

The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the subcontainer value parameter in all versions up to, and including, 4.10.28 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS

Leap13 Premium Addons for Elementor XSS < v4.10.25
CVE-2024-32791 - April 24, 2024

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Leap13 Premium Addons for Elementor premium-addons-for-elementor.This issue affects Premium Addons for Elementor: from n/a through <= 4.10.25.

XSS

Sensitive Info Exposure in Premium Addons for Elementor <4.10.22
CVE-2024-31278 - April 10, 2024

Insertion of Sensitive Information Into Sent Data vulnerability in Leap13 Premium Addons for Elementor premium-addons-for-elementor.This issue affects Premium Addons for Elementor: from n/a through <= 4.10.22.

Insertion of Sensitive Information Into Sent Data

Premium Addons for Elementor Plugin XSS via Countdown Widget v4.10.24
CVE-2024-2664 6.4 - Medium - April 10, 2024

The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Countdown Widget in all versions up to, and including, 4.10.24 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS

DOM-BS XSS in Premium Addons for Elementor <=4.10.24 via Bullet List wdg
CVE-2024-2666 5.4 - Medium - April 10, 2024

The Premium Addons for Elementor plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the plugin's Bullet List Widget in all versions up to, and including, 4.10.24 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page and attempts to edit the content.

XSS

Stored XSS in Premium Addons for Elementor v4.10.27 (WordPress)
CVE-2024-2665 6.4 - Medium - April 10, 2024

The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's button in all versions up to, and including, 4.10.27 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS

Premium Addons for Elementor Stored XSS via Wrapper Link Widget v4.10.16
CVE-2024-0376 6.4 - Medium - April 09, 2024

The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Wrapper Link Widget in all versions up to, and including, 4.10.16 due to insufficient input sanitization and output escaping on user supplied URLs. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS

Leap13 Premium Addons for Elementor Stored XSS before 4.10.16
CVE-2024-29106 5.4 - Medium - March 19, 2024

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Leap13 Premium Addons for Elementor allows Stored XSS.This issue affects Premium Addons for Elementor: from n/a through 4.10.16.

XSS

Stored XSS in Premium Addons PRO (4.10.23) WordPress Plugin
CVE-2024-2399 6.4 - Medium - March 15, 2024

The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets in all versions up to, and including, 4.10.23 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This is only exploitable with the premium version of the plugin is also installed.

XSS

Stored XSS in Premium Addons Elementor 4.10.21 via Banner URL (Auth)
CVE-2024-1680 6.4 - Medium - March 13, 2024

The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Image Settings URL of the Banner, Team Members, and Image Scroll widgets in all versions up to, and including, 4.10.21 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS

Premium Addons for Elementor Stored XSS via Link Wrapper 4.10.17
CVE-2024-0326 6.4 - Medium - March 13, 2024

The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Link Wrapper functionality in all versions up to, and including, 4.10.17 due to insufficient input sanitization and output escaping on user supplied links. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS

Stored XSS in Premium Addons for Elementor <=4.10.18, contributor auth
CVE-2024-1242 6.4 - Medium - February 29, 2024

The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the button onclick attribute in all versions up to, and including, 4.10.18 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS

Stored XSS in Leap13 Premium Addons for Elementor <=4.10.16
CVE-2024-24831 - February 10, 2024

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Leap13 Premium Addons for Elementor premium-addons-for-elementor.This issue affects Premium Addons for Elementor: from n/a through <= 4.10.16.

XSS

Unauth. Reflected XSS in Premium Addons PRO <= 2.8.24
CVE-2023-34012 6.1 - Medium - June 23, 2023

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Premium Addons for Elementor Premium Addons PRO plugin <= 2.8.24 versions.

XSS

The Premium Addons for Elementor WordPress Plugin before 4.2.8 has several widgets
CVE-2021-24257 5.4 - Medium - May 05, 2021

The Premium Addons for Elementor WordPress Plugin before 4.2.8 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.

XSS

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Leap13 Premium Addons For Elementor or by Leap13? Click the Watch button to subscribe.

Leap13
Vendor

Leap13 Premium Addons For Elementor
Product

subscribe