PLUGIN SECURITY
Is Elementor Pro safe?
Known vulnerabilities, PHP compatibility and safer alternatives for the Elementor Pro WordPress plugin — checked against WP Clinic's local security database.
Plugin details
- Slug:
elementor-pro - Requires PHP: 7.4+
Known vulnerabilities
- Elementor Pro [elementor-pro] < 3.0.6 [CVE-2020-26596, Elementor Pro <= 3.0.5 - Authenticated Remote Code Execution in Dynamic OOO Widget]
- Elementor Pro [elementor-pro] < 2.9.4 [CVE-2020-13125]
- Elementor Pro [elementor-pro] < 2.9.4 [CVE-2020-13126, WordPress Elementor Pro premium plugin <= 2.9.3 - Authenticated Arbitrary File Upload vulnerability, Elementor Pro <= 2.9.3 - Authenticated (Subscriber+) Arbitrary File Upload, Elementor Pro < 2.9.4 - Authenticated Arbitrary File Upload]
- Elementor Pro [elementor-pro] < 2.0.10 [CVE-2018-18379, Elementor Pro <= 2.0.9 - Cross-Site Scripting, Elementor Pro < 2.0.10 - XSS]
- Elementor Pro [elementor-pro] < 3.11.7 [Elementor Pro <= 3.11.6 - Authenticated(Subscriber+) Privilege Escalation via update_page_option]
+ 14 more known vulnerabilities
- Elementor Pro [elementor-pro] < 3.11.7 [WordPress Elementor Pro Plugin <= 3.11.6 is vulnerable to Broken Access Control]
- Elementor Pro [elementor-pro] < 3.11.7 [CVE-2023-3124, Elementor Pro < 3.11.7 - Subscriber+ Arbitrary Options Update]
- Elementor Pro [elementor-pro] < 3.13.1 [CVE-2023-35050, WordPress Elementor Pro Plugin <= 3.13.0 is vulnerable to Broken Access Control, Elementor Pro <= 3.13.0 - Missing Authorization]
- Elementor Pro [elementor-pro] < 3.19.3 [CVE-2024-23523, WordPress Elementor Pro Plugin <= 3.19.2 is vulnerable to Sensitive Data Exposure, Elementor Pro <= 3.19.2 - Authenticated (Contributor+) Information Exposure, Elementor Pro < 3.19.3 - Authenticated (Contributor+) Information Exposure]
- Elementor Pro [elementor-pro] < 3.20.2 [CVE-2024-2121, Elementor Website Builder Pro <= 3.20.1 - Authenticated (Contributor+) Stored Cross-Site Scripting, WordPress Elementor Pro Plugin <= 3.20.1 is vulnerable to Cross Site Scripting (XSS), Elementor Website Builder Pro < 3.20.2 - Authenticated (Contributor+) Stored Cross-Site Scripting]
- Elementor Pro [elementor-pro] < 3.20.2 [CVE-2024-2120, Elementor Website Builder Pro <= 3.20.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Navigation, WordPress Elementor Pro Plugin <= 3.20.1 is vulnerable to Cross Site Scripting (XSS), Elementor Website Builder – More than Just a Page Builder < 3.20.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Navigation]
- Elementor Pro [elementor-pro] < 3.20.2 [CVE-2024-2781, Elementor Website Builder Pro <= 3.20.1 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via video_html_tag, WordPress Elementor Pro Plugin <= 3.20.1 is vulnerable to Cross Site Scripting (XSS), Elementor Website Builder Pro < 3.20.2 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via video_html_tag]
- Elementor Pro [elementor-pro] < 3.20.2 [CVE-2024-1364, Elementor Website Builder Pro <= 3.20.1 - Authententicated (Contributor+) Stored Cross-Site Scripting, WordPress Elementor Pro Plugin <= 3.20.1 is vulnerable to Cross Site Scripting (XSS), Elementor Website Builder Pro < 3.20.2 - Authententicated (Contributor+) Stored Cross-Site Scripting]
- Elementor Pro [elementor-pro] < 3.20.2 [CVE-2024-1521, Elementor Website Builder Pro <= 3.20.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Form Widget SVGZ File Upload, WordPress Elementor Pro Plugin <= 3.20.1 is vulnerable to Cross Site Scripting (XSS), Elementor Website Builder Pro < 3.20.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Form Widget SVGZ File Upload]
- Elementor Pro [elementor-pro] < 3.21.2 [CVE-2024-4107, Elementor Website Builder Pro <= 3.21.0 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting, WordPress Elementor Pro Plugin <= 3.21.0 is vulnerable to Cross Site Scripting (XSS)]
- Elementor Pro [elementor-pro] < 3.21.3 [CVE-2024-35656, WordPress Elementor Pro Plugin <= 3.21.2 is vulnerable to Cross Site Scripting (XSS), Elementor Pro <= 3.21.2 - Reflected Cross-Site Scripting]
- Elementor Pro [elementor-pro] < 3.25.11 [CVE-2024-8494, WordPress Elementor Pro Plugin <= 3.25.10 is vulnerable to Sensitive Data Exposure, Elementor Website Builder Pro – More than Just a Page Builder <= 3.25.10 - Authenticated (Contributor+) Sensitive Information Exposure via Shortcode, EUVD-2024-49647]
- Elementor Pro [elementor-pro] < 3.29.1 [CVE-2025-3076, Elementor Pro <= 3.29.0 - Authenticated (Contributor+) Stored Cross-Site Scripting, EUVD-2025-17620]
- Elementor Pro [elementor-pro] < 3.29.1 [CVE-2024-50555, Elementor Website Builder <= 3.29.0 - Authenticated (Contributor+) Stored Cross-Site Scripting]
Vulnerabilities are matched against the exact installed version when it's known. Always keep the plugin updated to the latest release.
Safer / more established alternatives
- Classic Editor — 9000000+ active installs — max PHP 8.4
- Classic Widgets — 2000000+ active installs — max PHP 8.4
- Advanced Editor Tools — 1000000+ active installs — max PHP 8.4
- Spectra Gutenberg Blocks – Website Builder for the Block Editor — 1000000+ active installs
- User Role Editor — 700000+ active installs — max PHP 8.4
Check your own WordPress site
Run a free passive scan now, or create a free account and install the WP Clinic plugin for a deep scan of your whole hosting account and AI-assisted repair.