Exposure of Elementor

Page builders, WordPress plugins
717 exposure score
960,635 sites use
0 exploited
47 critical
Vexday analysis

The Elementor plugin has 1,532 catalogued CVEs, a substantial volume that reflects its wide adoption in the WordPress ecosystem and the resulting attention from security researchers. The most common weakness is CWE-79 (Cross-Site Scripting), an expected pattern in page-building components with an extensive input surface. Although the active exploitation rate is below the overall average of the CISA KEV catalog, the highest observed EPSS reaches 0.92943 (the value assigned to CVE-2022-1329), indicating a high probability of active exploitation for that specific vulnerability, which justifies priority treatment. The pace of 82 new CVEs in the last 90 days, together with 46 of critical severity in the historical record, reinforces the need for continuous update cycles in environments that use this plugin.

CVEs

1,535 results
CVE-2025-58205 | MEDIUM | WordPress ElementInvader Addons for Elementor Plugin <= 1.3.6 - Cross Site Scripting (XSS) Vulnerability | EPSS 0.2%
CVE-2025-68500 | MEDIUM | WordPress Prime Slider – Addons For Elementor plugin <= 4.0.10 - Server Side Request Forgery (SSRF) vulnerability | EPSS 0.2%
CVE-2026-2486 | MEDIUM | Master Addons For Elementor <= 2.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'ma_el_bh_table_btn_text' | EPSS 0.2%
CVE-2026-49052 | MEDIUM | WordPress ElementsKit Elementor addons Lite plugin <= 3.9.6 - Broken Access Control vulnerability | EPSS 0.2%
CVE-2025-64361 | MEDIUM | WordPress Consulting Elementor Widgets plugin <= 1.4.2 - Cross Site Scripting (XSS) vulnerability | EPSS 0.2%
CVE-2026-2385 | MEDIUM | The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce <= 6.4.7 - Unauthenticated Email Relay | EPSS 0.1%
CVE-2025-54033 | MEDIUM | WordPress Theme Builder For Elementor plugin <= 1.2.3 - Cross Site Request Forgery (CSRF) Vulnerability | EPSS 0.1%
CVE-2025-46249 | MEDIUM | WordPress Simple calendar for Elementor plugin <= 1.6.4 - Cross Site Request Forgery (CSRF) Vulnerability | EPSS 0.1%
CVE-2026-49782 | MEDIUM | WordPress Elementor Website Builder plugin <= 4.1.0 - Broken Access Control vulnerability | EPSS 0.1%
CVE-2025-13196 | MEDIUM | Element Pack Addons for Elementor <= 8.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Open Street Map widget | EPSS 0.1%
CVE-2026-32532 | HIGH | WordPress Contact Form & Lead Form Elementor Builder plugin <= 2.0.1 - Cross Site Scripting (XSS) vulnerability | EPSS 0.1%
CVE-2025-68085 | MEDIUM | WordPress Buttoner for Elementor plugin <= 1.0.6 - Settings Change vulnerability | EPSS 0.1%
CVE-2025-30948 | MEDIUM | WordPress Layouts for Elementor plugin <= 1.11 - Cross Site Request Forgery (CSRF) Vulnerability | EPSS 0.1%
CVE-2025-47542 | MEDIUM | WordPress Simple calendar for Elementor plugin <= 1.6.5 - Cross Site Request Forgery (CSRF) Vulnerability | EPSS 0.1%
CVE-2025-32264 | MEDIUM | WordPress UltraAddons – Elementor Addons plugin <= 2.0.2 - Cross Site Request Forgery (CSRF) vulnerability | EPSS 0.1%
CVE-2025-68532 | MEDIUM | WordPress ModelTheme Addons for WPBakery and Elementor plugin < 1.5.6 - Cross Site Scripting (XSS) vulnerability | EPSS 0.1%
CVE-2025-68087 | MEDIUM | WordPress Modalier for Elementor plugin <= 1.0.6 - Broken Access Control vulnerability | EPSS 0.1%
CVE-2025-68086 | MEDIUM | WordPress Reformer for Elementor plugin <= 1.0.6 - Broken Access Control vulnerability | EPSS 0.1%
CVE-2025-68088 | MEDIUM | WordPress Huger for Elementor plugin <= 1.1.5 - Broken Access Control vulnerability | EPSS 0.1%
CVE-2025-64355 | MEDIUM | WordPress JetElements For Elementor plugin <= 2.7.12 - Cross Site Scripting (XSS) vulnerability | EPSS 0.1%
