WP Clinic
Log in Sign up

PLUGIN SECURITY

Is Elementor safe?

Known vulnerabilities, PHP compatibility and safer alternatives for the Elementor WordPress plugin — checked against WP Clinic's local security database.

Plugin details

  • Slug: elementor
  • Requires PHP: 7.4+
  • Max supported PHP (analyzed): 8.4

Known vulnerabilities

  • Elementor Website Builder &#8211; more than just a page builder [elementor] < 3.6.3 [CVE-2021-24891, WordPress Elementor Website Builder plugin <= 3.1.3 - DOM Cross-Site Scripting (XSS) vulnerability, Elementor Website Builder <= 3.4.7 - DOM-based Cross-Site Scripting, Elementor &lt; 3.4.8 - DOM Cross-Site-Scripting, EUVD-2021-11803]
  • Elementor Website Builder &#8211; more than just a page builder [elementor] < 3.1.4 [CVE-2021-24202, Elementor Website Builder <= 3.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via header_size, Elementor &lt; 3.1.2 - Authenticated Stored Cross-Site Scripting (XSS) in Heading Widget]
  • Elementor Website Builder &#8211; more than just a page builder [elementor] < 3.1.4 [CVE-2021-24203, Elementor Website Builder <= 3.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via html_tag, Elementor &lt; 3.1.2 - Authenticated Stored Cross-Site Scripting (XSS) in Divider Widget]
  • Elementor Website Builder &#8211; more than just a page builder [elementor] < 3.1.4 [CVE-2021-24204, Elementor Website Builder <= 3.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via title_html_tag, Elementor &lt; 3.1.2 - Authenticated Stored Cross-Site Scripting (XSS) in Accordion Widget]
  • Elementor Website Builder &#8211; more than just a page builder [elementor] < 3.1.4 [CVE-2021-24205, Elementor Website Builder <= 3.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via title_size Parameter, Elementor &lt; 3.1.2 - Authenticated Stored Cross-Site Scripting (XSS) in Icon Box Widget]
+ 58 more known vulnerabilities
  • Elementor Website Builder &#8211; more than just a page builder [elementor] < 3.1.4 [CVE-2021-24206, Elementor Website Builder <= 3.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via title_size, Elementor &lt; 3.1.2 - Authenticated Stored Cross-Site Scripting (XSS) in Image Box Widget]
  • Elementor Website Builder &#8211; more than just a page builder [elementor] < 3.1.4 [CVE-2021-24201, Elementor Website Builder <= 3.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via html_tag, Elementor &lt; 3.1.2 - Authenticated Stored Cross-Site Scripting (XSS) in Column Element]
  • Elementor Website Builder &#8211; more than just a page builder [elementor] < 3.0.14 [CVE-2020-36171, WordPress Elementor Website Builder plugin <= 3.0.13 - Unrestricted SVG Uploads vulnerability, Elementor Website Builder <= 3.0.13 - Unrestricted SVG Uploads, Elementor &lt; 3.0.14 - SVG Upload Allowed by Default]
  • Elementor Website Builder &#8211; more than just a page builder [elementor] < 2.9.3 [CVE-2020-20406, Elementor Website Builder <= 2.9.2 - Stored Cross-Site Scripting]
  • Elementor Website Builder &#8211; more than just a page builder [elementor] < 2.9.14 [CVE-2020-15020, WordPress Elementor Website Builder plugin <= 2.9.13 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability, Elementor Website Builder <= 2.9.13 - Authenticated Stored Cross-Site Scripting, Elementor &lt; 2.9.14 - Authenticated Stored Cross-Site Scripting]
  • Elementor Website Builder &#8211; more than just a page builder [elementor] < 2.9.6 [CVE-2020-20634, Elementor Website Builder <= 2.9.5 - Authorization Bypass, Elementor Page Builder &lt; 2.9.6 - Authenticated Safe Mode Privilege Escalation]
  • Elementor Website Builder &#8211; more than just a page builder [elementor] < 2.9.9 [CVE-2020-13864, Elementor Website Builder <= 2.9.8 - Stored Cross-Site Scripting]
  • Elementor Website Builder &#8211; more than just a page builder [elementor] < 2.9.10 [CVE-2020-13865, Elementor Website Builder <= 2.9.8 - Stored Cross-Site Scripting, Elementor Page Builder &lt; 2.9.10 - Authenticated Stored XSS]
  • Elementor Website Builder &#8211; more than just a page builder [elementor] < 2.8.5 [CVE-2020-8426, WordPress Elementor Page Builder plugin <= 2.8.4 - Authenticated Reflected Cross-Site Scripting (XSS) vulnerability, Elementor Website Builder <= 2.8.4 - Reflected Cross-Site Scripting, Elementor Page Builder &lt; 2.8.5 - Authenticated Reflected XSS]
  • Elementor Website Builder &#8211; more than just a page builder [elementor] < 2.8.4 [CVE-2020-7109, Elementor Website Builder <= 2.8.3 - Cross-Site Scripting, Elementor Page Builder &lt; 2.8.4 - Cross-Site Scripting (XSS)]
  • Elementor Website Builder &#8211; more than just a page builder [elementor] < 1.8.0 [CVE-2017-18596, Elementor Website Builder <= 1.7.12 - Missing Authorization, Elementor Page Builder &lt;= 1.7.12 - Authenticated Unrestricted Editing]
  • Elementor Website Builder &#8211; more than just a page builder [elementor] >= 3.6.0 - <= 3.6.2 [CVE-2022-1329, WordPress Elementor Website Builder plugin <= 3.6.2 - Arbitrary File Upload vulnerability, Elementor Website Builder 3.6.0 - 3.6.2 - Missing Authorization to Remote Code Execution, wpscan.com]
  • Elementor Website Builder &#8211; more than just a page builder [elementor] < 3.1.4 [WordPress Elementor Website Builder plugin <= 3.1.1 - Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities]
  • Elementor Website Builder &#8211; more than just a page builder [elementor] < 2.7.6 [WordPress Elementor Page Builder plugin <= 2.7.5 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability]
  • Elementor Website Builder &#8211; more than just a page builder [elementor] < 1.8.0 [WordPress Elementor Page Builder <=1.7.12 - Authenticated Unrestricted Editing vulnerability]
  • Elementor Website Builder &#8211; more than just a page builder [elementor] < 1.8.8 [WordPress Elementor Page Builder <=1.8.7 - Potential Privilege Escalation vulnerability]
  • Elementor Website Builder &#8211; more than just a page builder [elementor] < 3.5.6 [CVE-2022-29455, WordPress Elementor plugin <= 3.5.5 - Unauthenticated DOM-based Reflected Cross-Site Scripting (XSS) vulnerability, Elementor Website Builder <= 3.5.5 - Unauthenticated DOM-based Reflected Cross-Site Scripting, Elementor &lt; 3.5.6 - DOM Reflected Cross-Site Scripting]
  • Elementor Website Builder &#8211; more than just a page builder [elementor] < 2.9.8 [Elementor Website Builder <= 2.9.7 - Authenticated Stored Cross-Site Scripting]
  • Elementor Website Builder &#8211; more than just a page builder [elementor] < 2.7.6 [Elementor Website Builder <= 2.7.5 - Stored Cross-Site Scripting]
  • Elementor Website Builder &#8211; more than just a page builder [elementor] < 2.7.5 [CVE-2020-7055, Elementor Website Builder <= 2.7.4 - Arbitrary File Upload, wpscan.com]
  • Elementor Website Builder &#8211; more than just a page builder [elementor] < 2.9.8 [Elementor &lt; 2.9.8 - SVG Sanitizer Bypass leading to Authenticated Stored XSS]
  • Elementor Website Builder &#8211; more than just a page builder [elementor] < 2.7.7 [Elementor Page Builder &lt; 2.7.6 - Authenticated Stored XSS]
  • Elementor Website Builder &#8211; more than just a page builder [elementor] < 3.12.2 [Elementor <= 3.12.1 - Authenticated(Administrator+) SQL Injection via 'replace_urls']
  • Elementor Website Builder &#8211; more than just a page builder [elementor] < 3.12.2 [WordPress Elementor Website Builder Plugin <= 3.12.1 is vulnerable to SQL Injection]
  • Elementor Website Builder &#8211; more than just a page builder [elementor] < 3.13.2 [Elementor <= 3.13.1 - Missing Authorization to Settings Update]
  • Elementor Website Builder &#8211; more than just a page builder [elementor] < 3.13.2 [WordPress Elementor Website Builder Plugin <= 3.13.1 is vulnerable to Broken Access Control]
  • Elementor Website Builder &#8211; more than just a page builder [elementor] < 3.13.3 [CVE-2023-33922, WordPress Elementor Website Builder Plugin <= 3.13.2 is vulnerable to Broken Access Control, Elementor <= 3.13.2 Authenticated(Contributor+) Arbitrary Post Type Creation via save_item]
  • Elementor Website Builder &#8211; more than just a page builder [elementor] < 3.12.2 [CVE-2023-0329, Elementor Website Builder &lt; 3.12.2 - Admin+ SQLi]
  • Elementor Website Builder &#8211; more than just a page builder [elementor] < 2.9.8 [CVE-2020-36703]
  • Elementor Website Builder &#8211; more than just a page builder [elementor] < 3.5.5 [CVE-2022-4953, Elementor <= 3.5.4 - DOM-Based iFrame Injection, Elementor &lt; 3.5.5 - Iframe Injection]
  • Elementor Website Builder &#8211; more than just a page builder [elementor] < 3.13.2 [Elementor Website Builder &lt; 3.13.2 - Missing Authorization]
  • Elementor Website Builder &#8211; more than just a page builder [elementor] < 3.16.5 [CVE-2023-47505, WordPress Elementor Website Builder Plugin <= 3.16.4 is vulnerable to Cross Site Scripting (XSS), Elementor Website Builder <= 3.16.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via get_inline_svg(), Elementor Website Builder &lt; 3.16.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via get_inline_svg()]
  • Elementor Website Builder &#8211; more than just a page builder [elementor] < 3.16.5 [CVE-2023-47504, WordPress Elementor Website Builder Plugin <= 3.16.4 is vulnerable to Broken Access Control, Elementor Website Builder <= 3.16.4 - Missing Authorization to Arbitrary Attachment Read, Elementor Website Builder &lt; 3.16.5 - Missing Authorization to Arbitrary Attachment Read]
  • Elementor Website Builder &#8211; more than just a page builder [elementor] < 3.18.2 [CVE-2023-48777, WordPress Elementor Website Builder Plugin 3.3.0-3.18.1 is vulnerable to Arbitrary File Upload, Elementor <= 3.18.1 - Authenticated(Contributor+) Arbitrary File Upload to Remote Code Execution via Template Import, Elementor &lt; 3.18.2 - Contributor+ Arbitrary File Upload to RCE via Template Import]
  • Elementor Website Builder &#8211; more than just a page builder [elementor] < 3.19.0 [CVE-2024-0506, Elementor Website Builder – More than Just a Page Builder <= 3.18.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via get_image_alt, WordPress Elementor Website Builder Plugin <= 3.18.3 is vulnerable to Cross Site Scripting (XSS), Elementor Website Builder &ndash; More than Just a Page Builder &lt; 3.19.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via get_image_alt]
  • Elementor Website Builder &#8211; more than just a page builder [elementor] < 3.19.1 [CVE-2024-24934, Elementor <= 3.19.0 - Authenticated(Contributor+) Arbitrary File Deletion and PHAR Deserialization, WordPress Elementor Website Builder Plugin <= 3.19.0 is vulnerable to Arbitrary File Deletion, Elementor &lt; 3.19.1 - Authenticated(Contributor+) Arbitrary File Deletion and PHAR Deserialization]
  • Elementor Website Builder &#8211; more than just a page builder [elementor] < 3.20.3 [CVE-2024-2117, Elementor Website Builder – More than Just a Page Builder <= 3.20.2 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Path Widget, WordPress Elementor Website Builder Plugin <= 3.20.2 is vulnerable to Cross Site Scripting (XSS), Elementor Website Builder &lt; 3.20.3 - Contributor+ DOM Stored XSS]
  • Elementor Website Builder &#8211; more than just a page builder [elementor] < 3.22.0-beta2 [CVE-2024-4619, WordPress Elementor Website Builder Plugin <= 3.21.4 is vulnerable to Cross Site Scripting (XSS), Elementor Website Builder – More than Just a Page Builder <= 3.21.5 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting]
  • Elementor Website Builder &#8211; more than just a page builder [elementor] < 3.22.2 [CVE-2024-37437, WordPress Elementor Website Builder Plugin <= 3.22.1 is vulnerable to Cross Site Scripting (XSS), Elementor Website Builder <= 3.22.1 - Authenticated (Contributor+) Arbitrary SVG Download]
  • Elementor Website Builder &#8211; more than just a page builder [elementor] < 3.24.0 [CVE-2024-5416, Elementor Website Builder – More than Just a Page Builder <= 3.23.4 - Authenticated (Contributor+) Stored Cross-Site Scripting in the URL Parameter in Multiple Widgets, WordPress Elementor Website Builder Plugin <= 3.23.4 is vulnerable to Cross Site Scripting (XSS)]
  • Elementor Website Builder &#8211; more than just a page builder [elementor] < 3.24.6 [CVE-2024-6757, WordPress Elementor Website Builder Plugin <= 3.24.5 is vulnerable to Sensitive Data Exposure, Elementor <= 3.23.5 - Authenticated (Contributor+) Basic Information Exposure via get_image_alt Function]
  • Elementor Website Builder &#8211; more than just a page builder [elementor] < 3.25.8 [CVE-2024-8236, Elementor Website Builder – More than Just a Page Builder <= 3.25.7 - Authenticated (Contributor+) Stored Cross-Site Scripting, WordPress Elementor Website Builder Plugin <= 3.25.7 is vulnerable to Cross Site Scripting (XSS)]
  • Elementor Website Builder &#8211; more than just a page builder [elementor] < 3.25.10 [CVE-2024-10453, Elementor Website Builder – More than Just a Page Builder <= 3.25.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Typography Settings, WordPress Elementor Website Builder Plugin <= 3.25.9 is vulnerable to Cross Site Scripting (XSS)]
  • Elementor Website Builder &#8211; more than just a page builder [elementor] < 3.27.5 [CVE-2024-13445, Elementor Website Builder – More Than Just a Page Builder <= 3.27.4 - Authenticated (Contributor+) Stored Cross-Site Scripting, EUVD-2025-4628]
  • Elementor Website Builder &#8211; more than just a page builder [elementor] < 3.25.11 [CVE-2024-54444, Elementor Website Builder <= 3.25.10 - Authenticated (Contributor+) Stored Cross-Site Scripting, EUVD-2024-53932]
  • Elementor Website Builder &#8211; more than just a page builder [elementor] < 3.29.1 [CVE-2024-50555, Elementor Website Builder <= 3.29.0 - Authenticated (Contributor+) Stored Cross-Site Scripting]
  • Elementor Website Builder &#8211; more than just a page builder [elementor] < 3.30.3 [CVE-2025-4566, Elementor <= 3.30.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Text Path Widget, EUVD-2025-22965]
  • Elementor Website Builder &#8211; more than just a page builder [elementor] < 3.29.1 [CVE-2025-3075, Elementor <= 3.29.0 - Authenticated (Contributor+) Stored Cross-Site Scripting, EUVD-2025-22966]
  • Elementor Website Builder &#8211; more than just a page builder [elementor] < 3.30.3 [CVE-2025-8081, Elementor <= 3.30.2 - Authenticated (Administrator+) Arbitrary File Read via Image Import, EUVD-2025-24220]
  • Elementor Website Builder &#8211; more than just a page builder [elementor] < 3.33.1 [CVE-2025-67588, Elementor Website Builder <= 3.33.0 - Missing Authorization]
  • Elementor Website Builder &#8211; more than just a page builder [elementor] < 3.33.4 [CVE-2025-11220, Elementor <= 3.33.3 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Text Path]
  • Elementor Website Builder &#8211; more than just a page builder [elementor] < 3.35.6 [CVE-2026-32445, Elementor Website Builder <= 3.35.5 - Missing Authorization]
  • Elementor Website Builder &#8211; more than just a page builder [elementor] < 3.35.6 [CVE-2026-32352, Elementor Website Builder <= 3.35.5 - Authenticated (Contributor+) Stored Cross-Site Scripting]
  • Elementor Website Builder &#8211; more than just a page builder [elementor] < 3.35.8 [CVE-2026-1206, Elementor Website Builder <= 3.35.7 - Incorrect Authorization to Authenticated (Contributor+) Sensitive Information Exposure via Elementor Template]
  • Elementor Website Builder &#8211; more than just a page builder [elementor] < 3.35.6 [CVE-2025-14732, Elementor Website Builder <= 3.35.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via REST API]
  • Elementor Website Builder &#8211; more than just a page builder [elementor] < 4.0.5 [CVE-2026-6127, Elementor Website Builder <= 4.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via REST API]
  • Elementor Website Builder &#8211; more than just a page builder [elementor] < 4.1.1 [CVE-2026-49782, Elementor Website Builder – more than just a page builder <= 4.1.0 - Missing Authorization]
  • Elementor Website Builder &#8211; more than just a page builder [elementor] < 4.1.4 [CVE-2026-57619, Elementor Website Builder – more than just a page builder <= 4.1.3 - Authenticated (Contributor+) Sensitive Information Exposure]

Vulnerabilities are matched against the exact installed version when it's known. Always keep the plugin updated to the latest release.

Safer / more established alternatives

Check your own WordPress site

Run a free passive scan now, or create a free account and install the WP Clinic plugin for a deep scan of your whole hosting account and AI-assisted repair.