VulnTitan VulnTitan Security command center
Plugin Vulnerability Hub
Plugin 37 known issues Latest disclosed Apr 07, 2026

Element Pack – Widgets, Templates & Addons for Elementor Vulnerabilities

Review known vulnerability records for the WordPress plugin Element Pack – Widgets, Templates & Addons for Elementor (`bdthemes-element-pack-lite`), including severity, CVE references, affected versions, and patch status.

View on WordPress.org Back to Feed
Known Records
37
High or Critical
1
Linked CVEs
37
Last Updated
Apr 07, 2026
Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for Element Pack – Widgets, Templates & Addons for Elementor so operators can quickly confirm whether a disclosed issue maps to the installed slug and version range.

Patch Visibility
37 records include a published patch path.
Severity Mix
1 critical and 0 high severity findings.
Reference Workflow
Jump from the hub into the full report when you need remediation notes, CVSS vector details, or source references.
Known Vulnerabilities

Reports for Element Pack – Widgets, Templates & Addons for Elementor

Sorted by latest disclosure date so newly published issues surface first.

Plugin Medium Patched: Yes CVE-2026-4655
Element Pack Addons for Elementor <= 8.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via SVG Image Widget

The Element Pack Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the SVG Image Widget in versions up to and including 8.4.2. This is due to insufficient input sanitization and output escaping on SVG content fetched from remote URLs in th...

Published
Apr 07, 2026
Patched Release
8.5.0
Affected Versions
Versions up to 8.4.2
Next Step
Update to 8.5.0 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2026-1793
Element Pack Addons for Elementor <= 8.3.17 - Authenticated (Contributor+) Arbitrary File Read

The Element Pack Addons for Elementor plugin for WordPress is vulnerable to arbitrary file reads in all versions up to, and including, 8.3.17 via the SVG widget and a lack of sufficient file validation in the 'render_svg' function. This makes it possible for authenticated attacke...

Published
Feb 14, 2026
Patched Release
8.3.18
Affected Versions
Versions up to 8.3.17
Next Step
Update to 8.3.18 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-31413
Element Pack Elementor Addons <= 8.3.13 - Cross-Site Request Forgery

The Element Pack Addons for Elementor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 8.3.13. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform...

Published
Jan 16, 2026
Patched Release
8.3.14
Affected Versions
Versions up to 8.3.13
Next Step
Update to 8.3.14 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-13196
Element Pack Addons for Elementor <= 8.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Open Street Map widget

The Element Pack Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Open Street Map widget's marker content parameter in all versions up to, and including, 8.3.4. This is due to insufficient input sanitization and output escaping on use...

Published
Nov 17, 2025
Patched Release
8.3.5
Affected Versions
Versions up to 8.3.4
Next Step
Update to 8.3.5 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-11536
Element Pack Addons for Elementor <= 8.2.5 - Authenticated (Subscriber+) Blind Server-Side Request Forgery

The Element Pack Addons for Elementor plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 8.2.5 via the wp_ajax_import_elementor_template action. This makes it possible for authenticated attackers, with Subscriber-level ac...

Published
Oct 20, 2025
Patched Release
8.2.6
Affected Versions
Versions up to 8.2.5
Next Step
Update to 8.2.6 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-8100
Element Pack Elementor Addons and Templates <= 8.1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Open Street Map Widget Marker Content

The Element Pack Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'marker_content' parameter in versions up to, and including, 8.1.5 due to insufficient input sanitization and output escaping. This makes it possible for auth...

Published
Aug 05, 2025
Patched Release
8.1.6
Affected Versions
Versions up to 8.1.5
Next Step
Update to 8.1.6 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-5944
Element Pack Addons for Elementor <= 8.0.0 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via data-caption Attribute

The Element Pack Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘data-caption’ attribute in all versions up to, and including, 8.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticate...

Published
Jul 02, 2025
Patched Release
8.1.0
Affected Versions
8.0.0 through 8.0.0
Next Step
Update to 8.1.0 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-5292
Element Pack Addons for Elementor – Best Elementor addons with Ready Templates, Blocks, Widgets and WooCommerce Builder <= 5.11.2 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting

The Element Pack Addons for Elementor – Best Elementor addons with Ready Templates, Blocks, Widgets and WooCommerce Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'marker_content’ parameter in all versions up to, and including, 5.11.2 due to ins...

Published
May 30, 2025
Patched Release
5.11.3
Affected Versions
Versions up to 5.11.2
Next Step
Update to 5.11.3 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-1458
Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows) <= 5.10.29 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Element Pack Addons for Elementor – Free Templates and Widgets for Your WordPress Websites plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widgets like Dual Button, Creative Button, Image Stack and more in all versions up to, and including, 5.10....

Published
Apr 25, 2025
Patched Release
5.10.30
Affected Versions
Versions up to 5.10.29
Next Step
Update to 5.10.30 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-1457
Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows) <= 5.10.28 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting

The Element Pack Addons for Elementor – Free Templates and Widgets for Your WordPress Websites plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Wrapper Link, Countdown and Gallery widgets in all versions up to, and including, 5.10.28 due to insufficient i...

Published
Apr 18, 2025
Patched Release
5.10.29
Affected Versions
Versions up to 5.10.28
Next Step
Update to 5.10.29 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-12851
Element Pack Lite - Addons for Elementor <= 5.10.14 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom_attributes parameter of the Cookie Consent Widget in all versions up to, and including, 5...

Published
Jan 07, 2025
Patched Release
5.10.15
Affected Versions
Versions up to 5.10.14
Next Step
Update to 5.10.15 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-11852
Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) <= 5.10.12 - Missing Authorization

The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows) plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_layouts() function in all versions up to, and including, 5....

Published
Dec 21, 2024
Patched Release
5.10.13
Affected Versions
Versions up to 5.10.12
Next Step
Update to 5.10.13 or newer if supported.
Open Full Report Open CVE Reference