PLUGIN SECURITY
Is Ultimate Addons for Elementor (UAE) safe?
Known vulnerabilities, PHP compatibility and safer alternatives for the Ultimate Addons for Elementor (UAE) WordPress plugin — checked against WP Clinic's local security database.
Plugin details
- Slug:
header-footer-elementor - Requires PHP: 7.4+
- Max supported PHP (analyzed): 8.4
Known vulnerabilities
- Ultimate Addons for Elementor [header-footer-elementor] < 1.5.8 [CVE-2021-24256, Elementor Header & Footer Builder <= 1.5.7 - Stored Cross-Site Scripting, Elementor - Header, Footer & Blocks Template < 1.5.8 - Contributor+ Stored XSS]
- Ultimate Addons for Elementor [header-footer-elementor] < 1.5.8 [WordPress Elementor – Header, Footer & Blocks Template plugin <= 1.5.7 - Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities]
- Ultimate Addons for Elementor [header-footer-elementor] < 1.6.25 [CVE-2024-1237, Elementor Header & Footer Builder <= 1.6.24 - Authenticated (Contributor+) Stored Cross-Site Scripting, WordPress Elementor – Header, Footer & Blocks Template Plugin <= 1.6.24 is vulnerable to Cross Site Scripting (XSS), Elementor Header & Footer Builder < 1.6.25 - Contributor+ Stored Cross-Site Scripting]
- Ultimate Addons for Elementor [header-footer-elementor] < 1.6.29 [CVE-2024-4634, WordPress Elementor – Header, Footer & Blocks Template Plugin <= 1.6.28 is vulnerable to Cross Site Scripting (XSS), Elementor Header & Footer Builder <= 1.6.28 - Authenticated (Contributor+) Stored Cross-Site Scripting]
- Ultimate Addons for Elementor [header-footer-elementor] < 1.6.27 [CVE-2024-2619, WordPress Elementor – Header, Footer & Blocks Template Plugin <= 1.6.26 is vulnerable to Content Injection, Elementor Header & Footer Builder <= 1.6.26 - Authenticated (Author+) HTML Injection]
+ 9 more known vulnerabilities
- Ultimate Addons for Elementor [header-footer-elementor] < 1.6.26.1 [CVE-2024-2618, Elementor Header & Footer Builder <= 1.6.26 - Authenticated (Contributor+) Stored Cross-Site Scripting, WordPress Elementor – Header, Footer & Blocks Template Plugin <= 1.6.26 is vulnerable to Cross Site Scripting (XSS)]
- Ultimate Addons for Elementor [header-footer-elementor] < 1.6.36 [CVE-2024-5757, WordPress Elementor – Header, Footer & Blocks Template Plugin <= 1.6.35 is vulnerable to Cross Site Scripting (XSS), Elementor Header & Footer Builder <= 1.6.35 - Authenticated (Contributor+) Stored Cross-Site Scripting via Site Title Widget]
- Ultimate Addons for Elementor [header-footer-elementor] < 1.6.36 [CVE-2024-33933, WordPress Elementor – Header, Footer & Blocks Template Plugin <= 1.6.35 is vulnerable to Cross Site Scripting (XSS), Elementor – Header, Footer & Blocks Template <= 1.6.35 - Authenticated (Contributor+) Stored Cross-Site Scripting]
- Ultimate Addons for Elementor [header-footer-elementor] < 1.6.44 [CVE-2024-10050, Elementor Header & Footer Builder <= 1.6.43 - Authenticated (Contributor+) Information Disclosure via Shortcode, WordPress Elementor – Header, Footer & Blocks Template Plugin <= 1.6.43 is vulnerable to Sensitive Data Exposure]
- Ultimate Addons for Elementor [header-footer-elementor] < 1.6.46 [CVE-2024-10325, WordPress Elementor – Header, Footer & Blocks Template Plugin <= 1.6.45 is vulnerable to Cross Site Scripting (XSS), Elementor Header & Footer Builder <= 1.6.45 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload]
- Ultimate Addons for Elementor [header-footer-elementor] < 1.6.47 [CVE-2024-11230, Elementor Header & Footer Builder <= 1.6.46 - Authenticated (Contributor+) Stored Cross-Site Scripting via Page Title Widget, WordPress Elementor – Header, Footer & Blocks Template Plugin <= 1.6.46 is vulnerable to Cross Site Scripting (XSS)]
- Ultimate Addons for Elementor [header-footer-elementor] < 2.4.7 [CVE-2025-8488, Ultimate Addons for Elementor (Formerly Elementor Header & Footer Builder) <= 2.4.6 - Missing Authorization to Authenticated (Subscriber+) Limited Settings Update, EUVD-2025-23431]
- Ultimate Addons for Elementor [header-footer-elementor] < 2.5.0 [CVE-2025-60448, EUVD-2025-32492]
- Ultimate Addons for Elementor [header-footer-elementor] < 2.5.0 [Ultimate Addons for Elementor Lite < 2.5.0 - Author+ Stored XSS, Ultimate Addons for Elementor Lite <= 2.4.9 - Authenticated (Author+) Stored Cross-Site Scripting via SVG Upload]
Vulnerabilities are matched against the exact installed version when it's known. Always keep the plugin updated to the latest release.
Safer / more established alternatives
- Elementor Website Builder – more than just a page builder — 10000000+ active installs — max PHP 8.4
- Essential Addons for Elementor – Popular Elementor Templates & Widgets — 2000000+ active installs — max PHP 8.4
- Starter Templates – AI-Powered Templates for Elementor & Gutenberg — 1000000+ active installs — max PHP 8.4
- ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor — 1000000+ active installs
- Premium Addons for Elementor – Powerful Elementor Templates & Widgets — 700000+ active installs — max PHP 8.4
Check your own WordPress site
Run a free passive scan now, or create a free account and install the WP Clinic plugin for a deep scan of your whole hosting account and AI-assisted repair.