Elementor Website Builder – More Than Just a Page Builder

4.5/5
10,000,000+ installations

The Elementor Website Builder has it all: drag and drop page builder, pixel perfect design, mobile responsive editing, and more. Get started now!

Known vulnerabilities: 55
Critical / high: 9
Latest vulnerability: 2025-12-15
Active installations: 10,000,000+

About Elementor Website Builder – More Than Just a Page Builder

Elementor Website Builder is one of the most popular WordPress plugins, with over 10 million active installations. It is a powerful drag-and-drop page builder that lets users create professional web pages without coding knowledge, with pixel-perfect design and mobile-responsive editing.

The security situation

The plugin has a total of 50 documented vulnerabilities, of which 5 are classified as critical and 4 as high risk. The latest known vulnerability was discovered in December 2022, which suggests that the developers are actively working on security updates.

Practical risks

Despite the high number of vulnerabilities, most (41) are classified as medium risk, which means they typically require specific circumstances to be exploited. The critical vulnerabilities are more serious and could potentially grant unauthorized administrator privileges or enable code execution.

Recommendations

As a Sitesupport user, you do not need to worry excessively. Elementor's large user base and active development mean that security updates arrive regularly. We recommend keeping the plugin updated, using strong passwords and limiting user privileges.

Regular updates are by far the best protection against known vulnerabilities, something our maintenance services ensure automatically.

All known vulnerabilities

Medium CVE-2025-11220

Elementor <= 3.33.3 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Text Path

Affected versions: <= 3.33.3

Medium CVE-2025-67588

Elementor Website Builder <= 3.33.0 - Missing Authorization

Affected versions: <= 3.33.0

Medium CVE-2025-8081

Elementor <= 3.30.2 - Authenticated (Administrator+) Arbitrary File Read via Image Import

Affected versions: <= 3.30.2

Medium CVE-2025-4566

Elementor <= 3.30.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Text Path Widget

Affected versions: <= 3.30.2

Medium CVE-2025-3075

Elementor <= 3.29.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected versions: <= 3.29.0

Medium CVE-2022-3862

Affected versions: < 7.2.4

The Livemesh Addons for Elementor WordPress plugin before 7.2.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capab...

High CVE-2022-1329

Affected versions: <= 3.6.2

The Elementor Website Builder plugin for WordPress is vulnerable to unauthorized execution of several AJAX actions due to a missing capability check in the ~/core/app/modules/onboarding/module.php file that makes it possible for attackers to modify si...

Medium CVE-2022-0327

Affected versions: < 1.8.5

The Master Addons for Elementor WordPress plugin before 1.8.5 does not sanitise and escape the error_message parameter before outputting it back in the response of the jltma_restrict_content AJAX action, available to unauthenticated and authenticated...

Medium CVE-2022-0683

Affected versions: <= 5.0.8

The Essential Addons for Elementor Lite WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the settings parameter found in the ~/includes/Traits/Helper.php file which allows attackers to inject arb...

Critical CVE-2022-0320

Affected versions: < 5.0.5

The Essential Addons for Elementor WordPress plugin before 5.0.5 does not validate and sanitise some template data before using them in include statements, which could allow unauthenticated attackers to perform Local File Inclusion attack and read arbit...

Critical CVE-2021-24949

Affected versions: < 5.0.7

The "WP Search Filters" widget of The Plus Addons for Elementor - Pro WordPress plugin before 5.0.7 does not sanitise and escape the option parameter before using it in a SQL statement, which could lead to SQL injection

High CVE-2021-24948

Affected versions: < 5.0.7

The Plus Addons for Elementor - Pro WordPress plugin before 5.0.7 does not validate the qvquery parameter of the tp_get_dl_post_info_ajax AJAX action, which could allow unauthenticated users to retrieve sensitive information, such as private and draf...

Medium CVE-2021-25027

Affected versions: < 2.6.2

The PowerPack Addons for Elementor WordPress plugin before 2.6.2 does not escape the tab parameter before outputting it back in an attribute in the admin dashboard, leading to a Reflected Cross-Site Scripting issue

Medium CVE-2021-24967

Affected versions: < 1.6.4

The Contact Form & Lead Form Elementor Builder WordPress plugin before 1.6.4 does not sanitise and escape some lead values, which could allow unauthenticated users to perform Cross-Site Scripting attacks against logged in admin viewing the inserted L...

Medium CVE-2021-24891

Affected versions: < 3.1.4

The Elementor Website Builder WordPress plugin before 3.4.8 does not sanitise or escape user input appended to the DOM via a malicious hash, resulting in a DOM Cross-Site Scripting issue.

Medium CVE-2021-42360

Affected versions: <= 2.7.0

On sites that also had the Elementor plugin for WordPress installed, it was possible for users with the edit_posts capability, which includes Contributor-level users, to import blocks onto any page using the astra-page-elementor-batch-process AJAX ac...

Medium CVE-2021-24359

Affected versions: < 4.1.11

The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.11 did not properly check that a user requesting a password reset was the legitimate user, allowing an attacker to send an arbitrary reset password email to a registered user on b...

Medium CVE-2021-24358

Affected versions: < 4.1.10

The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.10 did not validate a redirect parameter on a specifically crafted URL before redirecting the user to it, leading to an Open Redirect issue.

Medium CVE-2021-24351

Affected versions: < 4.1.12

The theplus_more_post AJAX action of The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.12 did not properly sanitise some of its fields, leading to a reflected Cross-Site Scripting (exploitable on both unauthenticated and authenti...

Medium CVE-2021-24292

Affected versions: < 1.17.0

The Happy Addons for Elementor WordPress plugin before 2.24.0, Happy Addons Pro for Elementor WordPress plugin before 1.17.0 have a number of widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributo...

Medium CVE-2021-24265

Affected versions: < 1.1.6

The “Rife Elementor Extensions & Templates” WordPress Plugin before 1.1.6 has a widget that is vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.

Medium CVE-2021-24273

Affected versions: < 2.1.0

The “Clever Addons for Elementor” WordPress Plugin before 2.1.0 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.

Medium CVE-2021-24271

Affected versions: < 1.30.0

The “Ultimate Addons for Elementor” WordPress Plugin before 1.30.0 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.

Medium CVE-2021-24270

Affected versions: < 1.5.5.5

The “DeTheme Kit for Elementor” WordPress Plugin before 1.5.5.5 has a widget that is vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.

Medium CVE-2021-24269

Affected versions: < 3.3.12

The “Sina Extension for Elementor” WordPress Plugin before 3.3.12 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.

Medium CVE-2021-24268

Affected versions: < 1.0.9

The “JetWidgets For Elementor” WordPress Plugin before 1.0.9 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.

Medium CVE-2021-24267

Affected versions: < 2.3.10

The “All-in-One Addons for Elementor – WidgetKit” WordPress Plugin before 2.3.10 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.

Medium CVE-2021-24266

Affected versions: < 2.0.6

The “The Plus Addons for Elementor Page Builder Lite” WordPress Plugin before 2.0.6 has four widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.

Medium CVE-2021-24264

Affected versions: < 1.3.4

The “Image Hover Effects – Elementor Addon” WordPress Plugin before 1.3.4 has a widget that is vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.

Medium CVE-2021-24263

Affected versions: < 2.3.2

The “Elementor Addons – PowerPack Addons for Elementor” WordPress Plugin before 2.3.2 for WordPress has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.

Medium CVE-2021-24262

Affected versions: < 1.8.6

The “WooLentor – WooCommerce Elementor Addons + Builder” WordPress Plugin before 1.8.6 has a widget that is vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.

Medium CVE-2021-24261

Affected versions: < 1.5.7

The “HT Mega – Absolute Addons for Elementor Page Builder” WordPress Plugin before 1.5.7 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.

Medium CVE-2021-24260

Affected versions: < 6.8

The “Livemesh Addons for Elementor” WordPress Plugin before 6.8 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.

Medium CVE-2021-24257

Affected versions: < 4.2.8

The “Premium Addons for Elementor” WordPress Plugin before 4.2.8 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.

Medium CVE-2021-24255

Affected versions: < 4.5.4

The Essential Addons for Elementor Lite WordPress Plugin before 4.5.4 has two widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, both via a similar method.

Medium CVE-2021-24206

Affected versions: < 3.1.4

In the Elementor Website Builder WordPress plugin before 3.1.4, the image box widget (includes/widgets/image-box.php) accepts a ‘title_size’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user wi...

Medium CVE-2021-24205

Affected versions: < 3.1.4

In the Elementor Website Builder WordPress plugin before 3.1.4, the icon box widget (includes/widgets/icon-box.php) accepts a ‘title_size’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with...

Medium CVE-2021-24204

Affected versions: < 3.1.4

In the Elementor Website Builder WordPress plugin before 3.1.4, the accordion widget (includes/widgets/accordion.php) accepts a ‘title_html_tag’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a use...

Medium CVE-2021-24203

Affected versions: < 3.1.4

In the Elementor Website Builder WordPress plugin before 3.1.4, the divider widget (includes/widgets/divider.php) accepts an ‘html_tag’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Co...

Medium CVE-2021-24201

Affected versions: < 3.1.4

In the Elementor Website Builder WordPress plugin before 3.1.4, the column element (includes/elements/column.php) accepts an ‘html_tag’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Co...

Critical CVE-2021-24175

Affected versions: < 4.1.7

The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.7 was being actively exploited by malicious actors to bypass authentication, allowing unauthenticated users to log in as any user (including admin) by just providing the relate...

Medium CVE-2021-24202

Affected versions: < 3.1.4

In the Elementor Website Builder WordPress plugin before 3.1.4, the heading widget (includes/widgets/heading.php) accepts a ‘header_size’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with...

Medium CVE-2021-3133

Affected versions: < 1.6

The Elementor Contact Form DB plugin before 1.6 for WordPress allows CSRF via backend admin pages.

Medium CVE-2020-36171

Affected versions: < 3.0.14

The Elementor Website Builder plugin before 3.0.14 for WordPress does not properly restrict SVG uploads.

High CVE-2020-26596

Affected versions: <= 3.0.5

The Dynamic OOO widget for the Elementor Pro plugin through 3.0.5 for WordPress allows remote authenticated users to execute arbitrary code because only the Editor role is needed to upload executable PHP code via the PHP Raw snippet. NOTE: this issue...

Medium CVE-2020-15020

Affected versions: <= 2.9.13

An issue was discovered in the Elementor plugin through 2.9.13 for WordPress. An authenticated attacker can achieve stored XSS via the Name Your Template field.

Medium CVE-2020-20634

Affected versions: <= 2.9.5

Elementor 2.9.5 and below WordPress plugin allows authenticated users to activate its safe mode feature. This can be exploited to disable all security plugins on the blog.

Medium CVE-2020-13865

Affected versions: < 2.9.9

The Elementor Page Builder plugin before 2.9.9 for WordPress suffers from multiple stored XSS vulnerabilities. An author user can create posts that result in stored XSS vulnerabilities, by using a crafted link in the custom URL or by applying custom...

Medium CVE-2020-13864

Affected versions: < 2.9.9

The Elementor Page Builder plugin before 2.9.9 for WordPress suffers from a stored XSS vulnerability. An author user can create posts that result in a stored XSS by using a crafted payload in custom links.

Critical CVE-2020-13126

Affected versions: < 2.9.4

An issue was discovered in the Elementor Pro plugin before 2.9.4 for WordPress, as exploited in the wild in May 2020 in conjunction with CVE-2020-13125. An attacker with the Subscriber role can upload arbitrary executable files to achieve remote code...

Medium CVE-2020-13125

Affected versions: < 1.24.2

An issue was discovered in the "Ultimate Addons for Elementor" plugin before 1.24.2 for WordPress, as exploited in the wild in May 2020 in conjunction with CVE-2020-13126. Unauthenticated attackers can create users with the Subscriber role even if re...

Medium CVE-2020-8426

Affected versions: < 2.8.5

The Elementor plugin before 2.8.5 for WordPress suffers from a reflected XSS vulnerability on the elementor-system-info page. These can be exploited by targeting an authenticated user.

Critical CVE-2020-7109

Affected versions: < 2.8.4

The Elementor Page Builder plugin before 2.8.4 for WordPress does not sanitize data during creation of a new template.

Medium CVE-2018-18379

Affected versions: < 2.0.10

The elementor-edit-template class in wp-admin/customize.php in the Elementor Pro plugin before 2.0.10 for WordPress has XSS.

High CVE-2017-18596

Affected versions: < 1.8.0

The elementor plugin before 1.8.0 for WordPress has incorrect access control for internal functions.

How to protect your site

Vulnerabilities in plugins are the most common attack surface for WordPress sites. The best protection is to be proactive: here are three concrete steps.

Keep the plugin updated

Most vulnerabilities in Elementor Website Builder – More Than Just a Page Builder are fixed quickly by the developers. Always update to the latest version.

Remove unused plugins

Every plugin is a potential attack surface. Uninstall anything you are not actively using.

Monitor automatically

With continuous monitoring, you detect problems before they become serious.

Would you rather not keep track yourself? With a support agreement from Sitesupport, we handle updates and security for you.

Frequently asked questions about Elementor Website Builder – More Than Just a Page Builder

Elementor Website Builder – More Than Just a Page Builder has 55 known vulnerabilities, 9 of them with high or critical severity. That does not necessarily mean the plugin is insecure; most vulnerabilities are fixed in new versions. The most important thing is to always run the latest version.

The easiest way is to run a free test of your website at sitesupport.co. The test checks which plugins you use and which versions are installed, and compares them against known vulnerabilities.

Update to the latest version as soon as possible. If no update is available that fixes the problem, you should consider temporarily deactivating the plugin, especially if the vulnerability has critical or high severity.

Elementor Website Builder – More Than Just a Page Builder has over 10,000,000 active installations on WordPress.org and a rating of 4.5 out of 5. Popular plugins generally have better security practices thanks to a larger community and more eyes on the code.