Exposure of Elementor

Page builders, WordPress plugins
Exposure score: 717
Sites using: 960,635
Exploited: 0
Critical: 47

Vexday analysis

The Elementor plugin has accumulated 1,532 catalogued CVEs, a significant volume that reflects its wide adoption in the WordPress ecosystem and the resulting attention from security researchers. The most common flaw is CWE-79 (Cross-Site Scripting), an expected pattern in page-building components with an extensive input surface. Although the active exploitation rate is below the overall average of the CISA KEV catalog, the highest observed EPSS reaches 0.92943 (the value assigned to CVE-2022-1329), indicating a high probability of active exploitation for that specific vulnerability, which justifies priority treatment. The pace of 82 new CVEs in the last 90 days, together with 46 of critical severity in the history, reinforces the need for continuous update cycles in environments that use this plugin.

CVEs

1,535 results
CVE-2025-66147 | MEDIUM | WordPress Coder for Elementor plugin <= 1.0.13 - Broken Access Control vulnerability | EPSS 0.2%
CVE-2025-66161 | MEDIUM | WordPress Grider for Elementor plugin <= 1.0.8 - Broken Access Control vulnerability | EPSS 0.2%
CVE-2025-66162 | MEDIUM | WordPress Spoter for Elementor plugin <= 1.04 - Broken Access Control vulnerability | EPSS 0.2%
CVE-2025-66163 | MEDIUM | WordPress Masker for Elementor plugin <= 1.1.4 - Broken Access Control vulnerability | EPSS 0.2%
CVE-2025-66166 | MEDIUM | WordPress Lottier for Elementor plugin <= 1.0.9 - Broken Access Control vulnerability | EPSS 0.2%
CVE-2023-32238 | MEDIUM | WordPress TheGem theme < 5.8.1.1 - Broken Access Control vulnerability | EPSS 0.2%
CVE-2026-2386 | MEDIUM | The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce <= 6.4.7 - Incorrect Authorization to Authenticated (Author+) Arbitrary Draft Post Creation via 'post_type' | EPSS 0.2%
CVE-2025-2168 | MEDIUM | Ultimate Store Kit Elementor Addons, Woocommerce Builder, EDD Builder, Elementor Store Builder, Product Grid, Product Table, Woocommerce Slider <= 2.4.1 - Cross-Site Request Forgery to Limited User Meta Update | EPSS 0.2%
CVE-2026-32527 | MEDIUM | WordPress WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms plugin <= 1.1.5 - Broken Access Control vulnerability | EPSS 0.2%
CVE-2025-14274 | MEDIUM | Unlimited Elements for Elementor <= 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Border Hero Widget | EPSS 0.2%
CVE-2023-41656 | MEDIUM | WordPress Better Elementor Addons plugin <= 1.3.7 - Broken Access Control vulnerability | EPSS 0.2%
CVE-2025-3076 | MEDIUM | Elementor Pro <= 3.29.0 - Authenticated (Contributor+) Stored Cross-Site Scripting | EPSS 0.2%
CVE-2025-3075 | MEDIUM | Elementor <= 3.29.0 - Authenticated (Contributor+) Stored Cross-Site Scripting | EPSS 0.2%
CVE-2024-11937 | MEDIUM | Premium Addons for Elementor <= 4.10.69 - Authenticated (Contributor+) Stored Cross-Site Scripting | EPSS 0.2%
CVE-2025-54704 | MEDIUM | WordPress Easy Elementor Addons plugin <= 2.2.6 - Cross Site Scripting (XSS) Vulnerability | EPSS 0.2%
CVE-2025-6251 | MEDIUM | Royal Elementor Addons and Templates <= 1.7.1036 - Authenticated (Contributor+) Stored Cross-Site Scripting | EPSS 0.2%
CVE-2025-69336 | MEDIUM | WordPress Ultimate Store Kit Elementor Addons plugin <= 2.9.4 - Broken Access Control vulnerability | EPSS 0.2%
CVE-2025-9703 | MEDIUM | Ultimate Addons for Elementor Lite < 2.5.0 - Author+ Stored XSS | EPSS 0.2%
CVE-2026-32430 | MEDIUM | WordPress PowerPack Addons for Elementor plugin <= 2.9.9 - Cross Site Scripting (XSS) vulnerability | EPSS 0.2%
CVE-2026-32352 | MEDIUM | WordPress Elementor Website Builder plugin <= 3.35.5 - Cross Site Scripting (XSS) vulnerability | EPSS 0.2%
