Search criteria
ⓘ
Use full-text search for keyword queries.
Combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by dates instead of relevance.
50 vulnerabilities found for elementor_addon_elements by webtechstreet
CVE-2024-13215 (GCVE-0-2024-13215)
Vulnerability from nvd – Published: 2025-01-15 12:44 – Updated: 2026-04-08 16:52
VLAI?
Title
Elementor Addon Elements <= 1.13.10 - Authenticated (Contributor+) Sensitive Information Exposure via Modal Popup
Summary
The Elementor Addon Elements plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.13.10 via the 'render' function in modules/modal-popup/widgets/modal-popup.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, scheduled, and draft template data.
Severity ?
4.3 (Medium)
CWE
- CWE-359 - Exposure of Private Personal Information to an Unauthorized Actor
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpvibes | Addon Elements for Elementor (formerly Elementor Addon Elements) |
Affected:
0 , ≤ 1.13.10
(semver)
|
Credits
Ankit Patel
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-13215",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-15T14:29:49.320747Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-15T14:30:01.993Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Addon Elements for Elementor (formerly Elementor Addon Elements)",
"vendor": "wpvibes",
"versions": [
{
"lessThanOrEqual": "1.13.10",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ankit Patel"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Elementor Addon Elements plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.13.10 via the \u0027render\u0027 function in modules/modal-popup/widgets/modal-popup.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, scheduled, and draft template data."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-359",
"description": "CWE-359 Exposure of Private Personal Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:52:10.119Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4feacb75-0533-4f53-8ce9-3e45ee8336e2?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/trunk/modules/modal-popup/widgets/modal-popup.php#L1058"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3221982/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-01-14T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Elementor Addon Elements \u003c= 1.13.10 - Authenticated (Contributor+) Sensitive Information Exposure via Modal Popup"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-13215",
"datePublished": "2025-01-15T12:44:26.972Z",
"dateReserved": "2025-01-08T17:30:53.565Z",
"dateUpdated": "2026-04-08T16:52:10.119Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-47361 (GCVE-0-2024-47361)
Vulnerability from nvd – Published: 2024-11-01 14:17 – Updated: 2026-04-01 15:35
VLAI?
Title
WordPress Elementor Addon Elements plugin <= 1.13.6 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in WPVibes Elementor Addon Elements addon-elements-for-elementor-page-builder.This issue affects Elementor Addon Elements: from n/a through <= 1.13.6.
Severity ?
No CVSS data available.
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WPVibes | Elementor Addon Elements |
Affected:
0 , ≤ 1.13.6
(custom)
|
Date Public ?
2026-04-01 16:27
Credits
Rafie Muhammad | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47361",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-04T19:13:43.731478Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-04T19:13:52.215Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "addon-elements-for-elementor-page-builder",
"product": "Elementor Addon Elements",
"vendor": "WPVibes",
"versions": [
{
"changes": [
{
"at": "1.13.7",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.13.6",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rafie Muhammad | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:27:51.727Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in WPVibes Elementor Addon Elements addon-elements-for-elementor-page-builder.\u003cp\u003eThis issue affects Elementor Addon Elements: from n/a through \u003c= 1.13.6.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in WPVibes Elementor Addon Elements addon-elements-for-elementor-page-builder.This issue affects Elementor Addon Elements: from n/a through \u003c= 1.13.6."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:35:26.548Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/addon-elements-for-elementor-page-builder/vulnerability/wordpress-elementor-addon-elements-plugin-1-13-6-broken-access-control-vulnerability?_s_id=cve"
}
],
"title": "WordPress Elementor Addon Elements plugin \u003c= 1.13.6 - Broken Access Control vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-47361",
"datePublished": "2024-11-01T14:17:02.667Z",
"dateReserved": "2024-09-24T13:01:29.906Z",
"dateUpdated": "2026-04-01T15:35:26.548Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-8902 (GCVE-0-2024-8902)
Vulnerability from nvd – Published: 2024-10-12 09:39 – Updated: 2026-04-08 17:00
VLAI?
Title
Elementor Addon Elements <= 1.13.8 - Authenticated (Contributor+) Sensitive Information Exposure via table_saved_sections
Summary
The Elementor Addon Elements plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.13.8 via the render_column function in modules/data-table/widgets/data-table.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft template data.
Severity ?
4.3 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpvibes | Addon Elements for Elementor (formerly Elementor Addon Elements) |
Affected:
0 , ≤ 1.13.8
(semver)
|
Credits
Ankit Patel
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8902",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-15T13:21:08.946941Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-15T13:21:27.257Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Addon Elements for Elementor (formerly Elementor Addon Elements)",
"vendor": "wpvibes",
"versions": [
{
"lessThanOrEqual": "1.13.8",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ankit Patel"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Elementor Addon Elements plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.13.8 via the render_column function in modules/data-table/widgets/data-table.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft template data."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:00:52.509Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7317ecf5-d43d-4080-ad2a-7644764dd41e?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3163899/addon-elements-for-elementor-page-builder"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-09-17T00:00:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2024-10-11T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Elementor Addon Elements \u003c= 1.13.8 - Authenticated (Contributor+) Sensitive Information Exposure via table_saved_sections"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-8902",
"datePublished": "2024-10-12T09:39:16.937Z",
"dateReserved": "2024-09-16T19:17:20.023Z",
"dateUpdated": "2026-04-08T17:00:52.509Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-47366 (GCVE-0-2024-47366)
Vulnerability from nvd – Published: 2024-10-06 09:45 – Updated: 2026-04-01 15:35
VLAI?
Title
WordPress Elementor Addon Elements plugin <= 1.13.6 - Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPVibes Elementor Addon Elements addon-elements-for-elementor-page-builder allows Stored XSS.This issue affects Elementor Addon Elements: from n/a through <= 1.13.6.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WPVibes | Elementor Addon Elements |
Affected:
0 , ≤ 1.13.6
(custom)
|
Date Public ?
2026-04-01 16:27
Credits
João Pedro S Alcântara (Kinorth) | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47366",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-07T15:28:52.653091Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-07T15:29:01.169Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "addon-elements-for-elementor-page-builder",
"product": "Elementor Addon Elements",
"vendor": "WPVibes",
"versions": [
{
"changes": [
{
"at": "1.13.7",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.13.6",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:27:52.020Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in WPVibes Elementor Addon Elements addon-elements-for-elementor-page-builder allows Stored XSS.\u003cp\u003eThis issue affects Elementor Addon Elements: from n/a through \u003c= 1.13.6.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in WPVibes Elementor Addon Elements addon-elements-for-elementor-page-builder allows Stored XSS.This issue affects Elementor Addon Elements: from n/a through \u003c= 1.13.6."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "Stored XSS"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:35:27.654Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/addon-elements-for-elementor-page-builder/vulnerability/wordpress-elementor-addon-elements-plugin-1-13-6-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "WordPress Elementor Addon Elements plugin \u003c= 1.13.6 - Cross Site Scripting (XSS) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-47366",
"datePublished": "2024-10-06T09:45:18.525Z",
"dateReserved": "2024-09-24T13:01:29.907Z",
"dateUpdated": "2026-04-01T15:35:27.654Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-7122 (GCVE-0-2024-7122)
Vulnerability from nvd – Published: 2024-08-30 09:29 – Updated: 2026-04-08 16:57
VLAI?
Title
Elementor Addon Elements <= 1.13.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets
Summary
The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 1.13.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpvibes | Addon Elements for Elementor (formerly Elementor Addon Elements) |
Affected:
0 , ≤ 1.13.6
(semver)
|
Credits
Craig Smith
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-7122",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-30T13:26:26.401021Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-30T13:26:42.104Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Addon Elements for Elementor (formerly Elementor Addon Elements)",
"vendor": "wpvibes",
"versions": [
{
"lessThanOrEqual": "1.13.6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Craig Smith"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 1.13.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:57:59.845Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/668621b0-67ef-44fc-a126-e8c4e372666e?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/trunk/assets/js/eae.js#L568"
},
{
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/trunk/modules/text-separator/widgets/text-separator.php#L570"
},
{
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/trunk/modules/animated-gradient/module.php#L160"
},
{
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/trunk/modules/image-compare/widgets/image-compare.php#L537"
},
{
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/trunk/modules/dual-button/widgets/dual-button.php#L1045"
},
{
"url": "https://wordpress.org/plugins/addon-elements-for-elementor-page-builder/#developers"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3143440/"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3143444/"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-29T20:31:53.000Z",
"value": "Disclosed"
}
],
"title": "Elementor Addon Elements \u003c= 1.13.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-7122",
"datePublished": "2024-08-30T09:29:48.121Z",
"dateReserved": "2024-07-25T23:37:22.599Z",
"dateUpdated": "2026-04-08T16:57:59.845Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-4401 (GCVE-0-2024-4401)
Vulnerability from nvd – Published: 2024-08-30 03:24 – Updated: 2026-04-08 17:31
VLAI?
Title
Elementor Addon Elements <= 1.13.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via id and eae_slider_animation Parameters
Summary
The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ and 'eae_slider_animation' parameters in all versions up to, and including, 1.13.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpvibes | Addon Elements for Elementor (formerly Elementor Addon Elements) |
Affected:
0 , ≤ 1.13.5
(semver)
|
Credits
Matthew Rollings
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-4401",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-30T14:00:53.871092Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-30T14:06:23.738Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Addon Elements for Elementor (formerly Elementor Addon Elements)",
"vendor": "wpvibes",
"versions": [
{
"lessThanOrEqual": "1.13.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Matthew Rollings"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018id\u2019 and \u0027eae_slider_animation\u0027 parameters in all versions up to, and including, 1.13.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:31:29.748Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ecfc1466-41d2-498b-8210-c67e8550f5b8?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/trunk/modules/animated-text/widgets/animated-text.php#L358"
},
{
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/trunk/modules/bg-slider/module.php#L284"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3107074#file6"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3107074#file7"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-29T14:38:46.000Z",
"value": "Disclosed"
}
],
"title": "Elementor Addon Elements \u003c= 1.13.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via id and eae_slider_animation Parameters"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-4401",
"datePublished": "2024-08-30T03:24:16.982Z",
"dateReserved": "2024-05-01T19:15:06.673Z",
"dateUpdated": "2026-04-08T17:31:29.748Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-4570 (GCVE-0-2024-4570)
Vulnerability from nvd – Published: 2024-06-27 04:04 – Updated: 2026-04-08 17:14
VLAI?
Title
Elementor Addon Elements <= 1.13.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
Summary
The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter in versions up to, and including, 1.13.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpvibes | Addon Elements for Elementor (formerly Elementor Addon Elements) |
Affected:
0 , ≤ 1.13.5
(semver)
|
Credits
wesley
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-4570",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-27T13:15:26.577270Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-27T13:15:41.671Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:47:40.919Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ab5f43c0-83d3-4d09-becd-a3552bebd609?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/tags/1.13.4/classes/helper.php#L232"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3107074/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Addon Elements for Elementor (formerly Elementor Addon Elements)",
"vendor": "wpvibes",
"versions": [
{
"lessThanOrEqual": "1.13.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "wesley"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018url\u2019 parameter in versions up to, and including, 1.13.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:14:34.805Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ab5f43c0-83d3-4d09-becd-a3552bebd609?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/tags/1.13.4/classes/helper.php#L232"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3107074/"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-06-26T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Elementor Addon Elements \u003c= 1.13.5 - Authenticated (Contributor+) Stored Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-4570",
"datePublished": "2024-06-27T04:04:32.934Z",
"dateReserved": "2024-05-06T19:59:19.702Z",
"dateUpdated": "2026-04-08T17:14:34.805Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-4569 (GCVE-0-2024-4569)
Vulnerability from nvd – Published: 2024-06-27 04:04 – Updated: 2026-04-08 16:57
VLAI?
Title
Elementor Addon Elements <= 1.13.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
Summary
The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter in versions up to, and including, 1.13.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpvibes | Addon Elements for Elementor (formerly Elementor Addon Elements) |
Affected:
0 , ≤ 1.13.5
(semver)
|
Credits
Ngô Thiên An
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-4569",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-27T17:26:41.805487Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-27T17:26:48.123Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:47:40.519Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/63ef7383-d684-473b-aa0f-45027ef245f6?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/trunk/modules/modal-popup/widgets/modal-popup.php#L1060"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3107074/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Addon Elements for Elementor (formerly Elementor Addon Elements)",
"vendor": "wpvibes",
"versions": [
{
"lessThanOrEqual": "1.13.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ng\u00f4 Thi\u00ean An"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018url\u2019 parameter in versions up to, and including, 1.13.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:57:26.743Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/63ef7383-d684-473b-aa0f-45027ef245f6?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/trunk/modules/modal-popup/widgets/modal-popup.php#L1060"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3107074/"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-06-26T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Elementor Addon Elements \u003c= 1.13.5 - Authenticated (Contributor+) Stored Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-4569",
"datePublished": "2024-06-27T04:04:32.280Z",
"dateReserved": "2024-05-06T19:59:12.783Z",
"dateUpdated": "2026-04-08T16:57:26.743Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-2092 (GCVE-0-2024-2092)
Vulnerability from nvd – Published: 2024-06-12 09:33 – Updated: 2026-04-08 16:58
VLAI?
Title
Elementor Addon Elements <= 1.13.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Twitter Widget
Summary
The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Twitter Widget in all versions up to, and including, 1.13.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpvibes | Addon Elements for Elementor (formerly Elementor Addon Elements) |
Affected:
0 , ≤ 1.13.3
(semver)
|
Credits
wesley
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2092",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-12T19:28:34.326994Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-12T19:28:39.872Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:03:38.915Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/67790c0b-c078-4955-a175-977a695392fc?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/tags/1.13/modules/twitter/widgets/twitter.php#L712"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3077362%40addon-elements-for-elementor-page-builder%2Ftrunk\u0026old=3058768%40addon-elements-for-elementor-page-builder%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Addon Elements for Elementor (formerly Elementor Addon Elements)",
"vendor": "wpvibes",
"versions": [
{
"lessThanOrEqual": "1.13.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "wesley"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s Twitter Widget in all versions up to, and including, 1.13.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:58:14.052Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/67790c0b-c078-4955-a175-977a695392fc?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/tags/1.13/modules/twitter/widgets/twitter.php#L712"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3077362%40addon-elements-for-elementor-page-builder%2Ftrunk\u0026old=3058768%40addon-elements-for-elementor-page-builder%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2024-06-11T20:53:36.000Z",
"value": "Disclosed"
}
],
"title": "Elementor Addon Elements \u003c= 1.13.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Twitter Widget"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-2092",
"datePublished": "2024-06-12T09:33:12.508Z",
"dateReserved": "2024-03-01T15:27:37.269Z",
"dateUpdated": "2026-04-08T16:58:14.052Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-3743 (GCVE-0-2024-3743)
Vulnerability from nvd – Published: 2024-05-02 16:52 – Updated: 2026-04-08 17:32
VLAI?
Title
Elementor Addon Elements <= 1.13.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Summary
The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Image Stack Group, Shape Separator, Content Switcher, Info Circle and Timeline widgets in all versions up to, and including, 1.13.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpvibes | Addon Elements for Elementor (formerly Elementor Addon Elements) |
Affected:
0 , ≤ 1.13.3
(semver)
|
Credits
Matthew Rollings
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-3743",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-02T20:16:06.291297Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:31:44.931Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:20:01.037Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f36fea15-0475-45ee-b913-790db6373aef?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/trunk/modules/bg-slider/module.php#L269"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/trunk/modules/shape-separator/shapes/triangle-bottom-right.php#L1"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/trunk/modules/content-switcher/skins/skin-3.php#L43"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/trunk/modules/info-circle/skins/skin-base.php#L154"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/trunk/modules/timeline/skins/skin-base.php#L1363"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3078419%40addon-elements-for-elementor-page-builder%2Ftrunk\u0026old=3077362%40addon-elements-for-elementor-page-builder%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Addon Elements for Elementor (formerly Elementor Addon Elements)",
"vendor": "wpvibes",
"versions": [
{
"lessThanOrEqual": "1.13.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Matthew Rollings"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Image Stack Group, Shape Separator, Content Switcher, Info Circle and Timeline widgets in all versions up to, and including, 1.13.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:32:53.417Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f36fea15-0475-45ee-b913-790db6373aef?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/trunk/modules/bg-slider/module.php#L269"
},
{
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/trunk/modules/shape-separator/shapes/triangle-bottom-right.php#L1"
},
{
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/trunk/modules/content-switcher/skins/skin-3.php#L43"
},
{
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/trunk/modules/info-circle/skins/skin-base.php#L154"
},
{
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/trunk/modules/timeline/skins/skin-base.php#L1363"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3078419%40addon-elements-for-elementor-page-builder%2Ftrunk\u0026old=3077362%40addon-elements-for-elementor-page-builder%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2024-04-29T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Elementor Addon Elements \u003c= 1.13.3 - Authenticated (Contributor+) Stored Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-3743",
"datePublished": "2024-05-02T16:52:50.968Z",
"dateReserved": "2024-04-12T19:53:27.335Z",
"dateUpdated": "2026-04-08T17:32:53.417Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-2792 (GCVE-0-2024-2792)
Vulnerability from nvd – Published: 2024-04-09 18:59 – Updated: 2026-04-08 17:27
VLAI?
Title
Elementor Addon Elements <= 1.13.2 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via 'Text Separator' and 'Image Compare' Widget
Summary
The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via widgets in all versions up to, and including, 1.13.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpvibes | Addon Elements for Elementor (formerly Elementor Addon Elements) |
Affected:
0 , ≤ 1.13.2
(semver)
|
Credits
wesley
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2792",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-25T18:48:27.573657Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-25T18:48:34.905Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:25:41.838Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/dcc5a611-23bf-499e-8141-684458d9ce3b?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/tags/1.13#modules/image-compare/widgets"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/tags/1.13/modules/image-compare/widgets/image-compare.php#L508"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/tags/1.13/modules/image-compare/widgets/image-compare.php#L521"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3058768%40addon-elements-for-elementor-page-builder\u0026new=3058768%40addon-elements-for-elementor-page-builder\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Addon Elements for Elementor (formerly Elementor Addon Elements)",
"vendor": "wpvibes",
"versions": [
{
"lessThanOrEqual": "1.13.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "wesley"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via widgets in all versions up to, and including, 1.13.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:27:53.356Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/dcc5a611-23bf-499e-8141-684458d9ce3b?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/tags/1.13#modules/image-compare/widgets"
},
{
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/tags/1.13/modules/image-compare/widgets/image-compare.php#L508"
},
{
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/tags/1.13/modules/image-compare/widgets/image-compare.php#L521"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3058768%40addon-elements-for-elementor-page-builder\u0026new=3058768%40addon-elements-for-elementor-page-builder\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2024-03-27T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Elementor Addon Elements \u003c= 1.13.2 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via \u0027Text Separator\u0027 and \u0027Image Compare\u0027 Widget"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-2792",
"datePublished": "2024-04-09T18:59:27.627Z",
"dateReserved": "2024-03-21T17:23:37.571Z",
"dateUpdated": "2026-04-08T17:27:53.356Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-30422 (GCVE-0-2024-30422)
Vulnerability from nvd – Published: 2024-03-28 09:03 – Updated: 2026-04-01 15:33
VLAI?
Title
WordPress Elementor Addon Elements plugin <= 1.13.1 - Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPVibes Elementor Addon Elements addon-elements-for-elementor-page-builder.This issue affects Elementor Addon Elements: from n/a through <= 1.13.1.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WPVibes | Elementor Addon Elements |
Affected:
0 , ≤ 1.13.1
(custom)
|
Date Public ?
2026-04-01 16:24
Credits
Abu Hurayra | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-30422",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-28T18:40:08.962347Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:39:48.986Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:32:07.358Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/addon-elements-for-elementor-page-builder/wordpress-elementor-addon-elements-plugin-1-13-1-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "addon-elements-for-elementor-page-builder",
"product": "Elementor Addon Elements",
"vendor": "WPVibes",
"versions": [
{
"changes": [
{
"at": "1.13.2",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.13.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Abu Hurayra | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:24:07.018Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in WPVibes Elementor Addon Elements addon-elements-for-elementor-page-builder.\u003cp\u003eThis issue affects Elementor Addon Elements: from n/a through \u003c= 1.13.1.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in WPVibes Elementor Addon Elements addon-elements-for-elementor-page-builder.This issue affects Elementor Addon Elements: from n/a through \u003c= 1.13.1."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:33:51.987Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/addon-elements-for-elementor-page-builder/vulnerability/wordpress-elementor-addon-elements-plugin-1-13-1-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "WordPress Elementor Addon Elements plugin \u003c= 1.13.1 - Cross Site Scripting (XSS) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-30422",
"datePublished": "2024-03-28T09:03:35.902Z",
"dateReserved": "2024-03-27T05:57:07.765Z",
"dateUpdated": "2026-04-01T15:33:51.987Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-2091 (GCVE-0-2024-2091)
Vulnerability from nvd – Published: 2024-03-28 02:37 – Updated: 2026-04-08 16:37
VLAI?
Title
Elementor Addon Elements <= 1.13.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Summary
The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets in all versions up to, and including, 1.13.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpvibes | Addon Elements for Elementor (formerly Elementor Addon Elements) |
Affected:
0 , ≤ 1.13.2
(semver)
|
Credits
wesley
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2091",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-28T15:52:01.173162Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:30:29.399Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:03:38.929Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/18e2e0e5-495f-4f55-b7d8-94193fc2ad12?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/tags/1.13/modules/comparison-table/widgets/comparison-table.php#L2076"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3055134%40addon-elements-for-elementor-page-builder\u0026new=3055134%40addon-elements-for-elementor-page-builder\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Addon Elements for Elementor (formerly Elementor Addon Elements)",
"vendor": "wpvibes",
"versions": [
{
"lessThanOrEqual": "1.13.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "wesley"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s widgets in all versions up to, and including, 1.13.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:37:44.225Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/18e2e0e5-495f-4f55-b7d8-94193fc2ad12?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/tags/1.13/modules/comparison-table/widgets/comparison-table.php#L2076"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3055134%40addon-elements-for-elementor-page-builder\u0026new=3055134%40addon-elements-for-elementor-page-builder\u0026sfp_email=\u0026sfph_mail="
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3058768%40addon-elements-for-elementor-page-builder\u0026new=3058768%40addon-elements-for-elementor-page-builder\u0026sfp_email=\u0026sfph_mail=#file7"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-03-27T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Elementor Addon Elements \u003c= 1.13.2 - Authenticated (Contributor+) Stored Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-2091",
"datePublished": "2024-03-28T02:37:10.749Z",
"dateReserved": "2024-03-01T15:25:28.049Z",
"dateUpdated": "2026-04-08T16:37:44.225Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-29107 (GCVE-0-2024-29107)
Vulnerability from nvd – Published: 2024-03-19 15:35 – Updated: 2024-08-02 01:03
VLAI?
Title
WordPress Elementor Addon Elements plugin <= 1.12.10 - Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPVibes Elementor Addon Elements allows Stored XSS.This issue affects Elementor Addon Elements: from n/a through 1.12.10.
Severity ?
6.5 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WPVibes | Elementor Addon Elements |
Affected:
n/a , ≤ 1.12.10
(custom)
|
Credits
Abu Hurayra (Patchstack Alliance)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-29107",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-19T19:12:28.690315Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:57:43.282Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:03:51.899Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/addon-elements-for-elementor-page-builder/wordpress-elementor-addon-elements-plugin-1-12-10-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "addon-elements-for-elementor-page-builder",
"product": "Elementor Addon Elements",
"vendor": "WPVibes",
"versions": [
{
"changes": [
{
"at": "1.12.11",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.12.10",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Abu Hurayra (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in WPVibes Elementor Addon Elements allows Stored XSS.\u003cp\u003eThis issue affects Elementor Addon Elements: from n/a through 1.12.10.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in WPVibes Elementor Addon Elements allows Stored XSS.This issue affects Elementor Addon Elements: from n/a through 1.12.10.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-19T15:35:26.557Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/addon-elements-for-elementor-page-builder/wordpress-elementor-addon-elements-plugin-1-12-10-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to 1.12.11 or a higher version."
}
],
"value": "Update to 1.12.11 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Elementor Addon Elements plugin \u003c= 1.12.10 - Cross Site Scripting (XSS) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-29107",
"datePublished": "2024-03-19T15:35:26.557Z",
"dateReserved": "2024-03-15T13:07:52.912Z",
"dateUpdated": "2024-08-02T01:03:51.899Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-1422 (GCVE-0-2024-1422)
Vulnerability from nvd – Published: 2024-03-13 15:26 – Updated: 2026-04-08 16:51
VLAI?
Title
Elementor Addon Elements <= 1.12.12 - Authenticated(Contributor+) Stored Cross-Site Scripting via Modal Popup effet
Summary
The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the modal popup widget's effect setting in all versions up to, and including, 1.12.12 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpvibes | Addon Elements for Elementor (formerly Elementor Addon Elements) |
Affected:
0 , ≤ 1.12.12
(semver)
|
Credits
Craig Smith
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:webtechstreet:elementor_addon_elements:-:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unknown",
"product": "elementor_addon_elements",
"vendor": "webtechstreet",
"versions": [
{
"lessThanOrEqual": "1.12.12",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1422",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-13T17:59:21.439461Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-24T14:53:51.704Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:40:21.223Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4ba28184-b5c3-4a5c-a376-29b3c6a2aa20?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/trunk/modules/modal-popup/widgets/modal-popup.php#L1048"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/trunk/modules/modal-popup/widgets/modal-popup.php#L1062"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3037925%40addon-elements-for-elementor-page-builder%2Ftrunk\u0026old=3031349%40addon-elements-for-elementor-page-builder%2Ftrunk\u0026sfp_email=\u0026sfph_mail=#file26"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Addon Elements for Elementor (formerly Elementor Addon Elements)",
"vendor": "wpvibes",
"versions": [
{
"lessThanOrEqual": "1.12.12",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Craig Smith"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the modal popup widget\u0027s effect setting in all versions up to, and including, 1.12.12 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:51:01.511Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4ba28184-b5c3-4a5c-a376-29b3c6a2aa20?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/trunk/modules/modal-popup/widgets/modal-popup.php#L1048"
},
{
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/trunk/modules/modal-popup/widgets/modal-popup.php#L1062"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3037925%40addon-elements-for-elementor-page-builder%2Ftrunk\u0026old=3031349%40addon-elements-for-elementor-page-builder%2Ftrunk\u0026sfp_email=\u0026sfph_mail=#file26"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-02-21T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Elementor Addon Elements \u003c= 1.12.12 - Authenticated(Contributor+) Stored Cross-Site Scripting via Modal Popup effet"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-1422",
"datePublished": "2024-03-13T15:26:47.854Z",
"dateReserved": "2024-02-09T20:55:32.314Z",
"dateUpdated": "2026-04-08T16:51:01.511Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-1393 (GCVE-0-2024-1393)
Vulnerability from nvd – Published: 2024-03-13 15:27 – Updated: 2026-04-08 17:18
VLAI?
Title
Elementor Addon Elements <= 1.12.12 - Authenticated (Contributor+) Stored Cross-Site Scripting via Content Switcher Widget
Summary
The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'icon_align' attribute of the Content Switcher widget in all versions up to, and including, 1.12.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpvibes | Addon Elements for Elementor (formerly Elementor Addon Elements) |
Affected:
0 , ≤ 1.12.12
(semver)
|
Credits
Mdr001
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1393",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-15T13:53:59.955579Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T18:01:28.212Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:40:20.532Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bb0888d6-30e6-4957-b270-1968eace462e?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/tags/1.12.12/modules/content-switcher/skins/skin-3.php#L39"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/tags/1.13/modules/content-switcher/skins/skin-3.php#L39"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Addon Elements for Elementor (formerly Elementor Addon Elements)",
"vendor": "wpvibes",
"versions": [
{
"lessThanOrEqual": "1.12.12",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Mdr001"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027icon_align\u0027 attribute of the Content Switcher widget in all versions up to, and including, 1.12.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:18:23.539Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bb0888d6-30e6-4957-b270-1968eace462e?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/tags/1.12.12/modules/content-switcher/skins/skin-3.php#L39"
},
{
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/tags/1.13/modules/content-switcher/skins/skin-3.php#L39"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-02-21T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Elementor Addon Elements \u003c= 1.12.12 - Authenticated (Contributor+) Stored Cross-Site Scripting via Content Switcher Widget"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-1393",
"datePublished": "2024-03-13T15:27:12.194Z",
"dateReserved": "2024-02-08T23:42:35.706Z",
"dateUpdated": "2026-04-08T17:18:23.539Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-13215 (GCVE-0-2024-13215)
Vulnerability from cvelistv5 – Published: 2025-01-15 12:44 – Updated: 2026-04-08 16:52
VLAI?
Title
Elementor Addon Elements <= 1.13.10 - Authenticated (Contributor+) Sensitive Information Exposure via Modal Popup
Summary
The Elementor Addon Elements plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.13.10 via the 'render' function in modules/modal-popup/widgets/modal-popup.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, scheduled, and draft template data.
Severity ?
4.3 (Medium)
CWE
- CWE-359 - Exposure of Private Personal Information to an Unauthorized Actor
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpvibes | Addon Elements for Elementor (formerly Elementor Addon Elements) |
Affected:
0 , ≤ 1.13.10
(semver)
|
Credits
Ankit Patel
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-13215",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-15T14:29:49.320747Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-15T14:30:01.993Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Addon Elements for Elementor (formerly Elementor Addon Elements)",
"vendor": "wpvibes",
"versions": [
{
"lessThanOrEqual": "1.13.10",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ankit Patel"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Elementor Addon Elements plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.13.10 via the \u0027render\u0027 function in modules/modal-popup/widgets/modal-popup.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, scheduled, and draft template data."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-359",
"description": "CWE-359 Exposure of Private Personal Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:52:10.119Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4feacb75-0533-4f53-8ce9-3e45ee8336e2?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/trunk/modules/modal-popup/widgets/modal-popup.php#L1058"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3221982/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-01-14T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Elementor Addon Elements \u003c= 1.13.10 - Authenticated (Contributor+) Sensitive Information Exposure via Modal Popup"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-13215",
"datePublished": "2025-01-15T12:44:26.972Z",
"dateReserved": "2025-01-08T17:30:53.565Z",
"dateUpdated": "2026-04-08T16:52:10.119Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-47361 (GCVE-0-2024-47361)
Vulnerability from cvelistv5 – Published: 2024-11-01 14:17 – Updated: 2026-04-01 15:35
VLAI?
Title
WordPress Elementor Addon Elements plugin <= 1.13.6 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in WPVibes Elementor Addon Elements addon-elements-for-elementor-page-builder.This issue affects Elementor Addon Elements: from n/a through <= 1.13.6.
Severity ?
No CVSS data available.
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WPVibes | Elementor Addon Elements |
Affected:
0 , ≤ 1.13.6
(custom)
|
Date Public ?
2026-04-01 16:27
Credits
Rafie Muhammad | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47361",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-04T19:13:43.731478Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-04T19:13:52.215Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "addon-elements-for-elementor-page-builder",
"product": "Elementor Addon Elements",
"vendor": "WPVibes",
"versions": [
{
"changes": [
{
"at": "1.13.7",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.13.6",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rafie Muhammad | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:27:51.727Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in WPVibes Elementor Addon Elements addon-elements-for-elementor-page-builder.\u003cp\u003eThis issue affects Elementor Addon Elements: from n/a through \u003c= 1.13.6.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in WPVibes Elementor Addon Elements addon-elements-for-elementor-page-builder.This issue affects Elementor Addon Elements: from n/a through \u003c= 1.13.6."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:35:26.548Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/addon-elements-for-elementor-page-builder/vulnerability/wordpress-elementor-addon-elements-plugin-1-13-6-broken-access-control-vulnerability?_s_id=cve"
}
],
"title": "WordPress Elementor Addon Elements plugin \u003c= 1.13.6 - Broken Access Control vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-47361",
"datePublished": "2024-11-01T14:17:02.667Z",
"dateReserved": "2024-09-24T13:01:29.906Z",
"dateUpdated": "2026-04-01T15:35:26.548Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-8902 (GCVE-0-2024-8902)
Vulnerability from cvelistv5 – Published: 2024-10-12 09:39 – Updated: 2026-04-08 17:00
VLAI?
Title
Elementor Addon Elements <= 1.13.8 - Authenticated (Contributor+) Sensitive Information Exposure via table_saved_sections
Summary
The Elementor Addon Elements plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.13.8 via the render_column function in modules/data-table/widgets/data-table.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft template data.
Severity ?
4.3 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpvibes | Addon Elements for Elementor (formerly Elementor Addon Elements) |
Affected:
0 , ≤ 1.13.8
(semver)
|
Credits
Ankit Patel
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8902",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-15T13:21:08.946941Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-15T13:21:27.257Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Addon Elements for Elementor (formerly Elementor Addon Elements)",
"vendor": "wpvibes",
"versions": [
{
"lessThanOrEqual": "1.13.8",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ankit Patel"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Elementor Addon Elements plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.13.8 via the render_column function in modules/data-table/widgets/data-table.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft template data."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:00:52.509Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7317ecf5-d43d-4080-ad2a-7644764dd41e?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3163899/addon-elements-for-elementor-page-builder"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-09-17T00:00:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2024-10-11T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Elementor Addon Elements \u003c= 1.13.8 - Authenticated (Contributor+) Sensitive Information Exposure via table_saved_sections"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-8902",
"datePublished": "2024-10-12T09:39:16.937Z",
"dateReserved": "2024-09-16T19:17:20.023Z",
"dateUpdated": "2026-04-08T17:00:52.509Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-47366 (GCVE-0-2024-47366)
Vulnerability from cvelistv5 – Published: 2024-10-06 09:45 – Updated: 2026-04-01 15:35
VLAI?
Title
WordPress Elementor Addon Elements plugin <= 1.13.6 - Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPVibes Elementor Addon Elements addon-elements-for-elementor-page-builder allows Stored XSS.This issue affects Elementor Addon Elements: from n/a through <= 1.13.6.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WPVibes | Elementor Addon Elements |
Affected:
0 , ≤ 1.13.6
(custom)
|
Date Public ?
2026-04-01 16:27
Credits
João Pedro S Alcântara (Kinorth) | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47366",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-07T15:28:52.653091Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-07T15:29:01.169Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "addon-elements-for-elementor-page-builder",
"product": "Elementor Addon Elements",
"vendor": "WPVibes",
"versions": [
{
"changes": [
{
"at": "1.13.7",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.13.6",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:27:52.020Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in WPVibes Elementor Addon Elements addon-elements-for-elementor-page-builder allows Stored XSS.\u003cp\u003eThis issue affects Elementor Addon Elements: from n/a through \u003c= 1.13.6.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in WPVibes Elementor Addon Elements addon-elements-for-elementor-page-builder allows Stored XSS.This issue affects Elementor Addon Elements: from n/a through \u003c= 1.13.6."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "Stored XSS"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:35:27.654Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/addon-elements-for-elementor-page-builder/vulnerability/wordpress-elementor-addon-elements-plugin-1-13-6-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "WordPress Elementor Addon Elements plugin \u003c= 1.13.6 - Cross Site Scripting (XSS) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-47366",
"datePublished": "2024-10-06T09:45:18.525Z",
"dateReserved": "2024-09-24T13:01:29.907Z",
"dateUpdated": "2026-04-01T15:35:27.654Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-7122 (GCVE-0-2024-7122)
Vulnerability from cvelistv5 – Published: 2024-08-30 09:29 – Updated: 2026-04-08 16:57
VLAI?
Title
Elementor Addon Elements <= 1.13.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets
Summary
The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 1.13.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpvibes | Addon Elements for Elementor (formerly Elementor Addon Elements) |
Affected:
0 , ≤ 1.13.6
(semver)
|
Credits
Craig Smith
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-7122",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-30T13:26:26.401021Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-30T13:26:42.104Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Addon Elements for Elementor (formerly Elementor Addon Elements)",
"vendor": "wpvibes",
"versions": [
{
"lessThanOrEqual": "1.13.6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Craig Smith"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 1.13.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:57:59.845Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/668621b0-67ef-44fc-a126-e8c4e372666e?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/trunk/assets/js/eae.js#L568"
},
{
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/trunk/modules/text-separator/widgets/text-separator.php#L570"
},
{
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/trunk/modules/animated-gradient/module.php#L160"
},
{
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/trunk/modules/image-compare/widgets/image-compare.php#L537"
},
{
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/trunk/modules/dual-button/widgets/dual-button.php#L1045"
},
{
"url": "https://wordpress.org/plugins/addon-elements-for-elementor-page-builder/#developers"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3143440/"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3143444/"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-29T20:31:53.000Z",
"value": "Disclosed"
}
],
"title": "Elementor Addon Elements \u003c= 1.13.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-7122",
"datePublished": "2024-08-30T09:29:48.121Z",
"dateReserved": "2024-07-25T23:37:22.599Z",
"dateUpdated": "2026-04-08T16:57:59.845Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-4401 (GCVE-0-2024-4401)
Vulnerability from cvelistv5 – Published: 2024-08-30 03:24 – Updated: 2026-04-08 17:31
VLAI?
Title
Elementor Addon Elements <= 1.13.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via id and eae_slider_animation Parameters
Summary
The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ and 'eae_slider_animation' parameters in all versions up to, and including, 1.13.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpvibes | Addon Elements for Elementor (formerly Elementor Addon Elements) |
Affected:
0 , ≤ 1.13.5
(semver)
|
Credits
Matthew Rollings
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-4401",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-30T14:00:53.871092Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-30T14:06:23.738Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Addon Elements for Elementor (formerly Elementor Addon Elements)",
"vendor": "wpvibes",
"versions": [
{
"lessThanOrEqual": "1.13.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Matthew Rollings"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018id\u2019 and \u0027eae_slider_animation\u0027 parameters in all versions up to, and including, 1.13.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:31:29.748Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ecfc1466-41d2-498b-8210-c67e8550f5b8?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/trunk/modules/animated-text/widgets/animated-text.php#L358"
},
{
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/trunk/modules/bg-slider/module.php#L284"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3107074#file6"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3107074#file7"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-29T14:38:46.000Z",
"value": "Disclosed"
}
],
"title": "Elementor Addon Elements \u003c= 1.13.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via id and eae_slider_animation Parameters"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-4401",
"datePublished": "2024-08-30T03:24:16.982Z",
"dateReserved": "2024-05-01T19:15:06.673Z",
"dateUpdated": "2026-04-08T17:31:29.748Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-4570 (GCVE-0-2024-4570)
Vulnerability from cvelistv5 – Published: 2024-06-27 04:04 – Updated: 2026-04-08 17:14
VLAI?
Title
Elementor Addon Elements <= 1.13.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
Summary
The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter in versions up to, and including, 1.13.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpvibes | Addon Elements for Elementor (formerly Elementor Addon Elements) |
Affected:
0 , ≤ 1.13.5
(semver)
|
Credits
wesley
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-4570",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-27T13:15:26.577270Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-27T13:15:41.671Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:47:40.919Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ab5f43c0-83d3-4d09-becd-a3552bebd609?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/tags/1.13.4/classes/helper.php#L232"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3107074/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Addon Elements for Elementor (formerly Elementor Addon Elements)",
"vendor": "wpvibes",
"versions": [
{
"lessThanOrEqual": "1.13.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "wesley"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018url\u2019 parameter in versions up to, and including, 1.13.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:14:34.805Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ab5f43c0-83d3-4d09-becd-a3552bebd609?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/tags/1.13.4/classes/helper.php#L232"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3107074/"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-06-26T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Elementor Addon Elements \u003c= 1.13.5 - Authenticated (Contributor+) Stored Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-4570",
"datePublished": "2024-06-27T04:04:32.934Z",
"dateReserved": "2024-05-06T19:59:19.702Z",
"dateUpdated": "2026-04-08T17:14:34.805Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-4569 (GCVE-0-2024-4569)
Vulnerability from cvelistv5 – Published: 2024-06-27 04:04 – Updated: 2026-04-08 16:57
VLAI?
Title
Elementor Addon Elements <= 1.13.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
Summary
The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter in versions up to, and including, 1.13.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpvibes | Addon Elements for Elementor (formerly Elementor Addon Elements) |
Affected:
0 , ≤ 1.13.5
(semver)
|
Credits
Ngô Thiên An
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-4569",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-27T17:26:41.805487Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-27T17:26:48.123Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:47:40.519Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/63ef7383-d684-473b-aa0f-45027ef245f6?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/trunk/modules/modal-popup/widgets/modal-popup.php#L1060"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3107074/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Addon Elements for Elementor (formerly Elementor Addon Elements)",
"vendor": "wpvibes",
"versions": [
{
"lessThanOrEqual": "1.13.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ng\u00f4 Thi\u00ean An"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018url\u2019 parameter in versions up to, and including, 1.13.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:57:26.743Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/63ef7383-d684-473b-aa0f-45027ef245f6?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/trunk/modules/modal-popup/widgets/modal-popup.php#L1060"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3107074/"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-06-26T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Elementor Addon Elements \u003c= 1.13.5 - Authenticated (Contributor+) Stored Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-4569",
"datePublished": "2024-06-27T04:04:32.280Z",
"dateReserved": "2024-05-06T19:59:12.783Z",
"dateUpdated": "2026-04-08T16:57:26.743Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-2092 (GCVE-0-2024-2092)
Vulnerability from cvelistv5 – Published: 2024-06-12 09:33 – Updated: 2026-04-08 16:58
VLAI?
Title
Elementor Addon Elements <= 1.13.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Twitter Widget
Summary
The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Twitter Widget in all versions up to, and including, 1.13.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpvibes | Addon Elements for Elementor (formerly Elementor Addon Elements) |
Affected:
0 , ≤ 1.13.3
(semver)
|
Credits
wesley
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2092",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-12T19:28:34.326994Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-12T19:28:39.872Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:03:38.915Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/67790c0b-c078-4955-a175-977a695392fc?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/tags/1.13/modules/twitter/widgets/twitter.php#L712"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3077362%40addon-elements-for-elementor-page-builder%2Ftrunk\u0026old=3058768%40addon-elements-for-elementor-page-builder%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Addon Elements for Elementor (formerly Elementor Addon Elements)",
"vendor": "wpvibes",
"versions": [
{
"lessThanOrEqual": "1.13.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "wesley"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s Twitter Widget in all versions up to, and including, 1.13.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:58:14.052Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/67790c0b-c078-4955-a175-977a695392fc?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/tags/1.13/modules/twitter/widgets/twitter.php#L712"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3077362%40addon-elements-for-elementor-page-builder%2Ftrunk\u0026old=3058768%40addon-elements-for-elementor-page-builder%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2024-06-11T20:53:36.000Z",
"value": "Disclosed"
}
],
"title": "Elementor Addon Elements \u003c= 1.13.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Twitter Widget"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-2092",
"datePublished": "2024-06-12T09:33:12.508Z",
"dateReserved": "2024-03-01T15:27:37.269Z",
"dateUpdated": "2026-04-08T16:58:14.052Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-3743 (GCVE-0-2024-3743)
Vulnerability from cvelistv5 – Published: 2024-05-02 16:52 – Updated: 2026-04-08 17:32
VLAI?
Title
Elementor Addon Elements <= 1.13.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Summary
The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Image Stack Group, Shape Separator, Content Switcher, Info Circle and Timeline widgets in all versions up to, and including, 1.13.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpvibes | Addon Elements for Elementor (formerly Elementor Addon Elements) |
Affected:
0 , ≤ 1.13.3
(semver)
|
Credits
Matthew Rollings
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-3743",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-02T20:16:06.291297Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:31:44.931Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:20:01.037Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f36fea15-0475-45ee-b913-790db6373aef?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/trunk/modules/bg-slider/module.php#L269"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/trunk/modules/shape-separator/shapes/triangle-bottom-right.php#L1"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/trunk/modules/content-switcher/skins/skin-3.php#L43"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/trunk/modules/info-circle/skins/skin-base.php#L154"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/trunk/modules/timeline/skins/skin-base.php#L1363"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3078419%40addon-elements-for-elementor-page-builder%2Ftrunk\u0026old=3077362%40addon-elements-for-elementor-page-builder%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Addon Elements for Elementor (formerly Elementor Addon Elements)",
"vendor": "wpvibes",
"versions": [
{
"lessThanOrEqual": "1.13.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Matthew Rollings"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Image Stack Group, Shape Separator, Content Switcher, Info Circle and Timeline widgets in all versions up to, and including, 1.13.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:32:53.417Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f36fea15-0475-45ee-b913-790db6373aef?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/trunk/modules/bg-slider/module.php#L269"
},
{
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/trunk/modules/shape-separator/shapes/triangle-bottom-right.php#L1"
},
{
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/trunk/modules/content-switcher/skins/skin-3.php#L43"
},
{
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/trunk/modules/info-circle/skins/skin-base.php#L154"
},
{
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/trunk/modules/timeline/skins/skin-base.php#L1363"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3078419%40addon-elements-for-elementor-page-builder%2Ftrunk\u0026old=3077362%40addon-elements-for-elementor-page-builder%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2024-04-29T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Elementor Addon Elements \u003c= 1.13.3 - Authenticated (Contributor+) Stored Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-3743",
"datePublished": "2024-05-02T16:52:50.968Z",
"dateReserved": "2024-04-12T19:53:27.335Z",
"dateUpdated": "2026-04-08T17:32:53.417Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-2792 (GCVE-0-2024-2792)
Vulnerability from cvelistv5 – Published: 2024-04-09 18:59 – Updated: 2026-04-08 17:27
VLAI?
Title
Elementor Addon Elements <= 1.13.2 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via 'Text Separator' and 'Image Compare' Widget
Summary
The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via widgets in all versions up to, and including, 1.13.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpvibes | Addon Elements for Elementor (formerly Elementor Addon Elements) |
Affected:
0 , ≤ 1.13.2
(semver)
|
Credits
wesley
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2792",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-25T18:48:27.573657Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-25T18:48:34.905Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:25:41.838Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/dcc5a611-23bf-499e-8141-684458d9ce3b?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/tags/1.13#modules/image-compare/widgets"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/tags/1.13/modules/image-compare/widgets/image-compare.php#L508"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/tags/1.13/modules/image-compare/widgets/image-compare.php#L521"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3058768%40addon-elements-for-elementor-page-builder\u0026new=3058768%40addon-elements-for-elementor-page-builder\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Addon Elements for Elementor (formerly Elementor Addon Elements)",
"vendor": "wpvibes",
"versions": [
{
"lessThanOrEqual": "1.13.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "wesley"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via widgets in all versions up to, and including, 1.13.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:27:53.356Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/dcc5a611-23bf-499e-8141-684458d9ce3b?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/tags/1.13#modules/image-compare/widgets"
},
{
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/tags/1.13/modules/image-compare/widgets/image-compare.php#L508"
},
{
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/tags/1.13/modules/image-compare/widgets/image-compare.php#L521"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3058768%40addon-elements-for-elementor-page-builder\u0026new=3058768%40addon-elements-for-elementor-page-builder\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2024-03-27T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Elementor Addon Elements \u003c= 1.13.2 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via \u0027Text Separator\u0027 and \u0027Image Compare\u0027 Widget"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-2792",
"datePublished": "2024-04-09T18:59:27.627Z",
"dateReserved": "2024-03-21T17:23:37.571Z",
"dateUpdated": "2026-04-08T17:27:53.356Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-30422 (GCVE-0-2024-30422)
Vulnerability from cvelistv5 – Published: 2024-03-28 09:03 – Updated: 2026-04-01 15:33
VLAI?
Title
WordPress Elementor Addon Elements plugin <= 1.13.1 - Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPVibes Elementor Addon Elements addon-elements-for-elementor-page-builder.This issue affects Elementor Addon Elements: from n/a through <= 1.13.1.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WPVibes | Elementor Addon Elements |
Affected:
0 , ≤ 1.13.1
(custom)
|
Date Public ?
2026-04-01 16:24
Credits
Abu Hurayra | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-30422",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-28T18:40:08.962347Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:39:48.986Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:32:07.358Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/addon-elements-for-elementor-page-builder/wordpress-elementor-addon-elements-plugin-1-13-1-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "addon-elements-for-elementor-page-builder",
"product": "Elementor Addon Elements",
"vendor": "WPVibes",
"versions": [
{
"changes": [
{
"at": "1.13.2",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.13.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Abu Hurayra | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:24:07.018Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in WPVibes Elementor Addon Elements addon-elements-for-elementor-page-builder.\u003cp\u003eThis issue affects Elementor Addon Elements: from n/a through \u003c= 1.13.1.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in WPVibes Elementor Addon Elements addon-elements-for-elementor-page-builder.This issue affects Elementor Addon Elements: from n/a through \u003c= 1.13.1."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:33:51.987Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/addon-elements-for-elementor-page-builder/vulnerability/wordpress-elementor-addon-elements-plugin-1-13-1-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "WordPress Elementor Addon Elements plugin \u003c= 1.13.1 - Cross Site Scripting (XSS) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-30422",
"datePublished": "2024-03-28T09:03:35.902Z",
"dateReserved": "2024-03-27T05:57:07.765Z",
"dateUpdated": "2026-04-01T15:33:51.987Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-2091 (GCVE-0-2024-2091)
Vulnerability from cvelistv5 – Published: 2024-03-28 02:37 – Updated: 2026-04-08 16:37
VLAI?
Title
Elementor Addon Elements <= 1.13.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Summary
The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets in all versions up to, and including, 1.13.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpvibes | Addon Elements for Elementor (formerly Elementor Addon Elements) |
Affected:
0 , ≤ 1.13.2
(semver)
|
Credits
wesley
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2091",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-28T15:52:01.173162Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:30:29.399Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:03:38.929Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/18e2e0e5-495f-4f55-b7d8-94193fc2ad12?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/tags/1.13/modules/comparison-table/widgets/comparison-table.php#L2076"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3055134%40addon-elements-for-elementor-page-builder\u0026new=3055134%40addon-elements-for-elementor-page-builder\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Addon Elements for Elementor (formerly Elementor Addon Elements)",
"vendor": "wpvibes",
"versions": [
{
"lessThanOrEqual": "1.13.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "wesley"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s widgets in all versions up to, and including, 1.13.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:37:44.225Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/18e2e0e5-495f-4f55-b7d8-94193fc2ad12?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/tags/1.13/modules/comparison-table/widgets/comparison-table.php#L2076"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3055134%40addon-elements-for-elementor-page-builder\u0026new=3055134%40addon-elements-for-elementor-page-builder\u0026sfp_email=\u0026sfph_mail="
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3058768%40addon-elements-for-elementor-page-builder\u0026new=3058768%40addon-elements-for-elementor-page-builder\u0026sfp_email=\u0026sfph_mail=#file7"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-03-27T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Elementor Addon Elements \u003c= 1.13.2 - Authenticated (Contributor+) Stored Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-2091",
"datePublished": "2024-03-28T02:37:10.749Z",
"dateReserved": "2024-03-01T15:25:28.049Z",
"dateUpdated": "2026-04-08T16:37:44.225Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-29107 (GCVE-0-2024-29107)
Vulnerability from cvelistv5 – Published: 2024-03-19 15:35 – Updated: 2024-08-02 01:03
VLAI?
Title
WordPress Elementor Addon Elements plugin <= 1.12.10 - Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPVibes Elementor Addon Elements allows Stored XSS.This issue affects Elementor Addon Elements: from n/a through 1.12.10.
Severity ?
6.5 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WPVibes | Elementor Addon Elements |
Affected:
n/a , ≤ 1.12.10
(custom)
|
Credits
Abu Hurayra (Patchstack Alliance)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-29107",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-19T19:12:28.690315Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:57:43.282Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:03:51.899Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/addon-elements-for-elementor-page-builder/wordpress-elementor-addon-elements-plugin-1-12-10-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "addon-elements-for-elementor-page-builder",
"product": "Elementor Addon Elements",
"vendor": "WPVibes",
"versions": [
{
"changes": [
{
"at": "1.12.11",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.12.10",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Abu Hurayra (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in WPVibes Elementor Addon Elements allows Stored XSS.\u003cp\u003eThis issue affects Elementor Addon Elements: from n/a through 1.12.10.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in WPVibes Elementor Addon Elements allows Stored XSS.This issue affects Elementor Addon Elements: from n/a through 1.12.10.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-19T15:35:26.557Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/addon-elements-for-elementor-page-builder/wordpress-elementor-addon-elements-plugin-1-12-10-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to 1.12.11 or a higher version."
}
],
"value": "Update to 1.12.11 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Elementor Addon Elements plugin \u003c= 1.12.10 - Cross Site Scripting (XSS) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-29107",
"datePublished": "2024-03-19T15:35:26.557Z",
"dateReserved": "2024-03-15T13:07:52.912Z",
"dateUpdated": "2024-08-02T01:03:51.899Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}