Exposure of Elementor

Page builders, WordPress plugins
Exposure score: 717
Sites using it: 960,635
Exploited: 0
Critical: 47
Vexday analysis

The Elementor plugin has accumulated 1,532 catalogued CVEs, a substantial volume that reflects its wide adoption in the WordPress ecosystem and the resulting attention from security researchers. The most common weakness is CWE-79 (Cross-Site Scripting), a pattern expected in page-building components with an extensive input surface. Although the rate of active exploitation is below the overall average of the CISA KEV catalogue, the highest observed EPSS reaches 0.92943 (the value assigned to CVE-2022-1329), indicating a high probability of active exploitation for that specific vulnerability, which justifies priority treatment. The pace of 82 new CVEs in the last 90 days, combined with 46 of critical severity in the history, reinforces the need for continuous update cycles in environments that use this plugin.

CVEs

1,535 results
CVE-2025-30863 (MEDIUM, EPSS 0.2%): WordPress Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms plugin <= 1.0.9 - Cross Site Request Forgery (CSRF) vulnerability
CVE-2025-67468 (MEDIUM, EPSS 0.2%): WordPress Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms plugin <= 1.4.6 - Broken Access Control vulnerability
CVE-2025-58017 (MEDIUM, EPSS 0.2%): WordPress Ultimate Store Kit Elementor Addons plugin <= 2.8.6 - Cross Site Scripting (XSS) vulnerability
CVE-2025-57999 (MEDIUM, EPSS 0.2%): WordPress WPKoi Templates for Elementor Plugin <= 3.4.3 - Cross Site Scripting (XSS) Vulnerability
CVE-2025-58254 (MEDIUM, EPSS 0.2%): WordPress StylePress for Elementor Plugin <= 1.2.1 - Cross Site Scripting (XSS) Vulnerability
CVE-2025-58796 (MEDIUM, EPSS 0.2%): WordPress Elementor Element Condition Plugin <= 1.0.5 - Cross Site Scripting (XSS) Vulnerability
CVE-2025-48354 (MEDIUM, EPSS 0.2%): WordPress Better Post & Filter Widgets for Elementor plugin <= 1.6.1 - Cross Site Scripting (XSS) vulnerability
CVE-2025-1663 (MEDIUM, EPSS 0.2%): Unlimited Elements For Elementor <= 1.5.142 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVE-2023-6984 (MEDIUM, EPSS 0.2%): PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) <= 2.7.13 - Cross-Site Request Forgery
CVE-2024-0511 (MEDIUM, EPSS 0.2%): Royal Elementor Addons and Templates <= 1.3.87 - Cross-Site Request Forgery via wpr_update_form_action_meta
CVE-2025-12830 (MEDIUM, EPSS 0.2%): Better Elementor Addons <= 1.5.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Slider Widget
CVE-2025-13368 (MEDIUM, EPSS 0.2%): Xpro Addons — 140+ Widgets for Elementor <= 1.4.20 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVE-2025-8462 (MEDIUM, EPSS 0.2%): RT Easy Builder <= 2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVE-2026-4790 (MEDIUM, EPSS 0.2%): Premium Addons for Elementor <= 4.11.70 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'custom_svg' Parameter
CVE-2026-45443 (MEDIUM, EPSS 0.2%): WordPress PDF for Elementor Forms + Drag And Drop Template Builder plugin <= 5.5.1 - Broken Access Control vulnerability
CVE-2026-2918 (MEDIUM, EPSS 0.2%): Happy Addons for Elementor <= 3.21.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Stored Cross-Site Scripting via Template Conditions
CVE-2026-1397 (MEDIUM, EPSS 0.2%): PQ Addons – Creative Elementor Widgets <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Widget Attributes
CVE-2026-25028 (MEDIUM, EPSS 0.2%): WordPress ElementInvader Addons for Elementor plugin <= 1.4.1 - Broken Access Control vulnerability
CVE-2026-2917 (MEDIUM, EPSS 0.2%): Happy Addons for Elementor <= 3.21.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Post Duplication via 'post_id' Parameter
CVE-2025-53199 (MEDIUM, EPSS 0.2%): WordPress HT Slider For Elementor plugin <= 1.6.5 - Cross Site Scripting (XSS) Vulnerability
