Posimyth The Plus Addons For Elementor
By the Year
In 2026 there have been 0 vulnerabilities in Posimyth The Plus Addons For Elementor. Last year, in 2025, The Plus Addons For Elementor had 2 security vulnerabilities published. Right now, The Plus Addons For Elementor is on track to have fewer security vulnerabilities in 2026 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 2 | 6.40 |
| 2024 | 27 | 6.41 |
| 2023 | 2 | 7.65 |
| 2022 | 2 | 8.65 |
| 2021 | 4 | 6.83 |
It may take a day or so for new The Plus Addons For Elementor vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Posimyth The Plus Addons For Elementor Security Vulnerabilities
WordPress Plus Addons for Elementor <=6.2.2 XSS via components
CVE-2025-1287
6.4 - Medium
- March 08, 2025
The The Plus Addons for Elementor Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Countdown, Syntax Highlighter, and Page Scroll widgets in all versions up to, and including, 6.2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
XSS
Stored XSS in The Plus Addons for Elementor <=6.1.8 via Table Widget
CVE-2024-11829
6.4 - Medium
- February 01, 2025
The The Plus Addons for Elementor Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Table Widget's searchable_label parameter in all versions up to, and including, 6.1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
XSS
DOM-Based XSS in The Plus Addons for Elementor <=5.6.14 (WordPress)
CVE-2024-53823
- December 06, 2024
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in POSIMYTH The Plus Addons for Elementor Page Builder Lite the-plus-addons-for-elementor-page-builder allows DOM-Based XSS. This issue affects The Plus Addons for Elementor Page Builder Lite: from n/a through <= 5.6.14.
XSS
The Plus Addons for Elementor: Sensitive Information Exposure in Multiple Widgets
CVE-2024-10365
4.3 - Medium
- November 20, 2024
The The Plus Addons for Elementor Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.0.3 via the render function in modules/widgets/tp_carousel_anything.php, modules/widgets/tp_page_scroll.php, and other widgets. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft template data.
Information Disclosure
Auth Bypass CVE-2024-43932 in The Plus Addons Lite (5.6.2)
CVE-2024-43932
- November 01, 2024
Missing Authorization vulnerability in POSIMYTH The Plus Addons for Elementor Page Builder Lite the-plus-addons-for-elementor-page-builder. This issue affects The Plus Addons for Elementor Page Builder Lite: from n/a through <= 5.6.2.
AuthZ
Sensitive Info Exposure in Plus Addons for Elementor <=5.6.11
CVE-2024-8913
4.3 - Medium
- October 11, 2024
The The Plus Addons for Elementor Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.6.11 via the render function in modules/widgets/tp_accordion.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft template data.
Information Disclosure
The Plus Addons for Elementor Page Builder Lite <=5.6.2 Stored XSS
CVE-2024-43977
- September 17, 2024
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in POSIMYTH The Plus Addons for Elementor Page Builder Lite the-plus-addons-for-elementor-page-builder allows Stored XSS. This issue affects The Plus Addons for Elementor Page Builder Lite: from n/a through <= 5.6.2.
XSS
Plus Addons for Elementor 5.6.2 XSS via carousel_direction
CVE-2024-5583
6.4 - Medium
- August 22, 2024
The The Plus Addons for Elementor Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the carousel_direction parameter of testimonials widget in all versions up to, and including, 5.6.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
XSS
Stored XSS in Plus Addons for Elementor tp_page_scroll (5.6.2)
CVE-2024-6575
5.4 - Medium
- August 20, 2024
The The Plus Addons for Elementor Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the res_width_value parameter within the plugin's tp_page_scroll widget in all versions up to, and including, 5.6.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
XSS
Stored XSS via video_date in Plus Addons for Elementor (5.6.2)
CVE-2024-5763
6.4 - Medium
- August 20, 2024
The The Plus Addons for Elementor Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the video_date attribute within the plugin's Video widget in all versions up to, and including, 5.6.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
XSS
Plus Addons for Elementor XSS via Countdown Widget 5.6.1
CVE-2024-4482
6.4 - Medium
- July 03, 2024
The The Plus Addons for Elementor Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Countdown' widget in all versions up to, and including, 5.6.1 due to insufficient input sanitization and output escaping on user supplied 'text_days' attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
XSS
Stored XSS via video_color in Plus Addons for Elementor <5.6.0 WP
CVE-2024-4983
6.4 - Medium
- June 27, 2024
The The Plus Addons for Elementor Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the video_color parameter in all versions up to, and including, 5.6.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
XSS
Plus Addons LFI magazine_style 5.5.4
CVE-2024-5455
8.8 - High
- June 21, 2024
The Plus Addons for Elementor Page Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.5.4 via the 'magazine_style' parameter within the Dynamic Smart Showcase widget. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other safe file types can be uploaded and included.
Remote file include
Plus Addons Elementor Reflected XSS in forgoturl WP Login Widget 5.5.6
CVE-2024-5344
6.1 - Medium
- June 21, 2024
The The Plus Addons for Elementor Page Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the forgoturl attribute within the plugin's WP Login & Register widget in all versions up to, and including, 5.5.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
XSS
Stored XSS in The Plus Addons for Elementor Page Builder Lite v5.5.4
CVE-2024-35709
- June 08, 2024
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in POSIMYTH The Plus Addons for Elementor Page Builder Lite the-plus-addons-for-elementor-page-builder. This issue affects The Plus Addons for Elementor Page Builder Lite: from n/a through <= 5.5.4.
XSS
PlusAddons for Elementor 5.5.4 Stored XSS via Heading Title 'size'
CVE-2024-5341
6.4 - Medium
- May 30, 2024
The The Plus Addons for Elementor Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'size' attribute of the Heading Title widget in all versions up to, and including, 5.5.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
XSS
Plus Addons for Elementor <=5.5.2 XSS via button_custom_attrs
CVE-2024-4485
6.4 - Medium
- May 24, 2024
The The Plus Addons for Elementor Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the button_custom_attributes parameter in versions up to, and including, 5.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
XSS
XSS in The Plus Addons for Elementor v5.5.2 via xai_username
CVE-2024-4484
6.4 - Medium
- May 24, 2024
The The Plus Addons for Elementor Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the xai_username parameter in versions up to, and including, 5.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
XSS
WordPress Plus Addons for Elementor 5.5.4 Stored XSS via Widget Attrs
CVE-2024-3718
6.4 - Medium
- May 24, 2024
The The Plus Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several of the plugin's widgets in all versions up to, and including, 5.5.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. CVE-2024-35709 is likely a duplicate of this issue.
XSS
Plus Addons for Elementor 5.5.4 XSS via Hover Card widget
CVE-2024-2784
6.4 - Medium
- May 24, 2024
The The Plus Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Hover Card widget in all versions up to, and including, 5.5.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
XSS
The Plus Addons for Elementor Pro 5.2.8 LFI via Path Traversal
CVE-2023-47178
9.8 - Critical
- May 17, 2024
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in POSIMYTH Innovation The Plus Addons for Elementor Pro allows PHP Local File Inclusion. This issue affects The Plus Addons for Elementor Pro: from n/a through 5.2.8.
Directory traversal
WordPress Plugin XSS: Plus Addons for Elementor 5.4.2 AgeGate widget
CVE-2024-2785
6.4 - Medium
- May 14, 2024
The The Plus Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Age Gate widget in all versions up to, and including, 5.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
XSS
Stored XSS in Plus Addons for Elementor <5.4.2 via element attributes
CVE-2024-0445
6.4 - Medium
- May 14, 2024
The The Plus Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's element attributes in all versions up to, and including, 5.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor access or higher to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. CVE-2024-34373 is likely a duplicate of this issue.
XSS
Pre-5.4.2 The Plus Addons for Elementor Stored XSS
CVE-2024-34373
- May 06, 2024
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in POSIMYTH The Plus Addons for Elementor Page Builder Lite the-plus-addons-for-elementor-page-builder. This issue affects The Plus Addons for Elementor Page Builder Lite: from n/a through <= 5.4.2.
XSS
Stored XSS in Plus Addons Elementor (5.4.2) via Countdown Widget
CVE-2024-3199
6.4 - Medium
- May 02, 2024
The The Plus Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the countdown widget in all versions up to, and including, 5.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
XSS
Plus Addons Elementor WP: Stored XSS <=5.4.2 via custom attrs
CVE-2024-3197
6.4 - Medium
- May 02, 2024
The The Plus Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom attributes in the plugin's widgets in all versions up to, and including, 5.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
XSS
LFI in Plus Addons for Elementor 5.4.1 via Team Member Listing widget
CVE-2024-2210
6.4 - Medium
- March 27, 2024
The The Plus Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.4.1 via the Team Member Listing widget. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other safe file types can be uploaded and included.
Directory traversal
LFI via Clients widget in Plus Addons for Elementor <=5.4.1
CVE-2024-2203
6.4 - Medium
- March 27, 2024
The The Plus Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.4.1 via the Clients widget. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other safe file types can be uploaded and included.
Directory traversal
Plus Addons 5.4.0 WordPress Stored XSS via Header Meta Content widget
CVE-2024-1419
6.4 - Medium
- March 07, 2024
The The Plus Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the _id attribute of the Header Meta Content widget in all versions up to, and including, 5.4.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
XSS
PrivEsc: Plus Addons Elementor Plugin 4.1.9/2.0.6 Role Escalation
CVE-2021-4331
8.8 - High
- March 07, 2023
The Plus Addons for Elementor plugin for WordPress is vulnerable to privilege escalation in versions up to, and including 4.1.9 (pro) and 2.0.6 (free). The plugin adds a registration form to the Elementor page builder's functionality. As part of the registration form, users can choose which role to set as the default for users upon registration. This field is not hidden for lower-level users so any user with access to the Elementor page builder, such as contributors, can set the default role to administrator. Since contributors cannot publish posts, only author+ users can elevate privileges without interaction via a site administrator (to approve a post).
AuthZ
Arbitrary File Read in Plus Addons for Elementor v4.1.9/2.0.6 via SVG Param
CVE-2021-4332
6.5 - Medium
- March 07, 2023
The Plus Addons for Elementor plugin for WordPress is vulnerable to arbitrary file reads in versions up to, and including 4.1.9 (pro) and 2.0.6 (free). The plugin has a feature to add an "Info Box" to an Elementor created page. This Info Box can include an SVG image for the box. Unfortunately, the plugin used file_get_contents with no verification that the file being supplied was an SVG file, so any user with access to the Elementor page builder, such as contributors, could read arbitrary files on the WordPress installation.
External Control of File Name or Path
The Plus Addons for Elementor - Pro WordPress plugin before 5.0.7 does not validate the qvquery parameter of the tp_get_dl_post_info_ajax AJAX action, which could
CVE-2021-24948
7.5 - High
- January 10, 2022
The Plus Addons for Elementor - Pro WordPress plugin before 5.0.7 does not validate the qvquery parameter of the tp_get_dl_post_info_ajax AJAX action, which could allow unauthenticated users to retrieve sensitive information, such as private and draft posts.
Injection
The "WP Search Filters" widget of The Plus Addons for Elementor - Pro WordPress plugin before 5.0.7 does not sanitise and escape the option parameter before using it in a SQL statement
CVE-2021-24949
9.8 - Critical
- January 10, 2022
The "WP Search Filters" widget of The Plus Addons for Elementor - Pro WordPress plugin before 5.0.7 does not sanitise and escape the option parameter before using it in a SQL statement, which could lead to SQL injection.
SQL Injection
The theplus_more_post AJAX action of The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.12 did not properly sanitise some of its fields
CVE-2021-24351
6.1 - Medium
- June 14, 2021
The theplus_more_post AJAX action of The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.12 did not properly sanitise some of its fields, leading to a reflected Cross-Site Scripting (exploitable on both unauthenticated and authenticated users).
XSS
The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.10 did not validate a redirect parameter on a specifically crafted URL before redirecting the user to it
CVE-2021-24358
6.1 - Medium
- June 14, 2021
The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.10 did not validate a redirect parameter on a specifically crafted URL before redirecting the user to it, leading to an Open Redirect issue.
Open Redirect
The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.11 did not properly check
CVE-2021-24359
5.3 - Medium
- June 14, 2021
The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.11 did not properly check that a user requesting a password reset was the legitimate user, allowing an attacker to send an arbitrary reset password email to a registered user on behalf of the WordPress site. Such an issue could be chained with an open redirect (CVE-2021-24358) in versions below 4.1.10, to include a crafted password reset link in the email, which would lead to an account takeover.
authentication
The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.7 was being actively exploited by malicious actors to bypass authentication
CVE-2021-24175
9.8 - Critical
- April 05, 2021
The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.7 was being actively exploited by malicious actors to bypass authentication, allowing unauthenticated users to log in as any user (including admin) by just providing the related username, as well as create accounts with arbitrary roles, such as admin. These issues can be exploited even if registration is disabled, and the Login widget is not active.
authentication