Which ElementsKit Pro CVEs are tracked?

ElementsKit Pro tracked CVEs include CVE-2024-3500, CVE-2024-4404, CVE-2025-0321, CVE-2024-7064, and CVE-2024-5263.

How many ElementsKit Pro vulnerabilities have patch guidance?

8 of 8 tracked ElementsKit Pro records include a published patch path.

Where should operators start on this Plugin hub?

Start with the priority CVE quick links, then open the full report for affected versions, remediation notes, CVSS vectors, and source references.

Plugin Vulnerability Hub

Plugin 8 known issues Latest disclosed Jan 27, 2025

ElementsKit Pro Vulnerabilities

Review known vulnerability records for the WordPress plugin ElementsKit Pro (`elementskit`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2025-0321, CVE-2024-7063 and CVE-2024-7064, so operators can jump from disclosure to patch validation without scanning the full feed first.

View on WordPress.org Back to Feed

Known Records

High or Critical

Patch Coverage

100%

Last Updated

Jan 28, 2025

Priority CVE Quick Links

Fast paths into ElementsKit Pro CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs

CVE-2024-3500 High 3.6.1

CVE-2024-3500 ElementsKit Pro Local File Inclusion

ElementsKit Pro <= 3.6.0 - Authenticated (Contributor+) Local File Inclusion via Price Menu, Hotspot, and Advanced Toggle Widgets

CVE-2024-4404 High 3.6.3

CVE-2024-4404 ElementsKit Pro Server-Side Request Forgery

ElementsKit PRO <= 3.6.1 - Authenticated (Contributor+) Server-Side Request Forgery

CVE-2025-0321 Medium 3.7.9

CVE-2025-0321 ElementsKit Pro Stored Cross-Site Scripting

ElementsKit Pro <= 3.7.8 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via url Parameter

CVE-2024-7064 Medium 3.6.6

CVE-2024-7064 ElementsKit Pro Stored Cross-Site Scripting

ElementsKit Pro <= 3.6.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

CVE-2024-5263 Medium 3.6.3

CVE-2024-5263 ElementsKit Pro Stored Cross-Site Scripting

ElementsKit Elementor addons and Templates Library <= 3.6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Motion Text and Table Widgets

CVE-2024-4452 Medium 3.6.2

CVE-2024-4452 ElementsKit Pro Stored Cross-Site Scripting

ElementsKit Pro <= 3.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

CVE-2024-3598 Medium 3.6.1

CVE-2024-3598 ElementsKit Pro Stored Cross-Site Scripting

ElementsKit Pro <= 3.6.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'ekit_btn_id'

CVE-2024-7063 Medium 3.6.7

CVE-2024-7063 ElementsKit Pro Sensitive Information Exposure

ElementsKit Pro <= 3.6.6 - Authenticated (Contributor+) Sensitive Information Exposure

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for ElementsKit Pro so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility

8 records include a published patch path, leaving 0 with no listed safe release yet.

Severity Mix

0 critical and 2 high severity findings.

Recent CVEs

CVE-2025-0321, CVE-2024-7063 and CVE-2024-7064

Reference Workflow

Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.

Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

CVE-2025-0321 Medium Patch path listed

CVE-2025-0321: ElementsKit Pro <= 3.7.8 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via url Parameter

The ElementsKit Pro plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the ‘url’ parameter in all versions up to, and including, 3.7.8 due to insufficient input...

Published

Jan 27, 2025

Patch Status

3.7.9

Open CVE-2025-0321 Report

CVE-2024-7063 Medium Patch path listed

CVE-2024-7063: ElementsKit Pro <= 3.6.6 - Authenticated (Contributor+) Sensitive Information Exposure

The ElementsKit Pro plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.6.6 via the 'render_raw' function. This can allow authenticat...

Published

Aug 14, 2024

Patch Status

3.6.7

Open CVE-2024-7063 Report

CVE-2024-7064 Medium Patch path listed

CVE-2024-7064: ElementsKit Pro <= 3.6.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

The ElementsKit Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in all versions up to, and including, 3.6.5 due to insufficient input sanitizatio...

Published

Aug 14, 2024

Patch Status

3.6.6

Open CVE-2024-7064 Report

Known Vulnerabilities

Reports for ElementsKit Pro

Sorted by latest disclosure date so newly published issues surface first.

Plugin Medium Patched: Yes CVE-2025-0321

CVE-2025-0321: ElementsKit Pro <= 3.7.8 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via url Parameter

The ElementsKit Pro plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the ‘url’ parameter in all versions up to, and including, 3.7.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

Published

Jan 27, 2025

Patched Release

3.7.9

Affected Versions

Versions up to 3.7.8

Next Step

Update to 3.7.9 or newer if supported.

Open CVE-2025-0321 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2024-7063

CVE-2024-7063: ElementsKit Pro <= 3.6.6 - Authenticated (Contributor+) Sensitive Information Exposure

The ElementsKit Pro plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.6.6 via the 'render_raw' function. This can allow authenticated attackers, with Contributor-level permissions and above, to extract sensitive data incl...

Published

Aug 14, 2024

Patched Release

3.6.7

Affected Versions

Versions up to 3.6.6

Next Step

Update to 3.6.7 or newer if supported.

Open CVE-2024-7063 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2024-7064

CVE-2024-7064: ElementsKit Pro <= 3.6.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

The ElementsKit Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in all versions up to, and including, 3.6.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributo...

Published

Aug 14, 2024

Patched Release

3.6.6

Affected Versions

Versions up to 3.6.5

Next Step

Update to 3.6.6 or newer if supported.

Open CVE-2024-7064 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2024-5263

CVE-2024-5263: ElementsKit Elementor addons and Templates Library <= 3.6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Motion Text and Table Widgets

The ElementsKit Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Motion Text and Table widgets in all versions up to, and including, 3.6.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it p...

Published

Jun 14, 2024

Patched Release

3.6.3

Affected Versions

Versions up to 3.6.2

Next Step

Update to 3.6.3 or newer if supported.

Open CVE-2024-5263 Report Open CVE Reference

Plugin High Patched: Yes CVE-2024-4404

CVE-2024-4404: ElementsKit PRO <= 3.6.1 - Authenticated (Contributor+) Server-Side Request Forgery

The ElementsKit PRO plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 3.6.2 via the 'render_raw' function. This can allow authenticated attackers, with contributor-level permissions and above, to make web requests to arbitrary loc...

Published

Jun 13, 2024

Patched Release

3.6.3

Affected Versions

Versions up to 3.6.2

Next Step

Update to 3.6.3 or newer if supported.

Open CVE-2024-4404 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2024-4452

CVE-2024-4452: ElementsKit Pro <= 3.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

The ElementsKit Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter in versions up to, and including, 3.6.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-l...

Published

May 20, 2024

Patched Release

3.6.2

Affected Versions

Versions up to 3.6.1

Next Step

Update to 3.6.2 or newer if supported.

Open CVE-2024-4452 Report Open CVE Reference

Plugin High Patched: Yes CVE-2024-3500

CVE-2024-3500: ElementsKit Pro <= 3.6.0 - Authenticated (Contributor+) Local File Inclusion via Price Menu, Hotspot, and Advanced Toggle Widgets

The ElementsKit Pro plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.6.0 via the Price Menu, Hotspot, and Advanced Toggle widgets. This makes it possible for authenticated attackers, with contributor-level access and above, to inc...

Published

Apr 25, 2024

Patched Release

3.6.1

Affected Versions

Versions up to 3.6.0

Next Step

Update to 3.6.1 or newer if supported.

Open CVE-2024-3500 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2024-3598

CVE-2024-3598: ElementsKit Pro <= 3.6.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'ekit_btn_id'

The ElementsKit Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Creative Button widget in all versions up to, and including, 3.6.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible...

Published

Apr 18, 2024

Patched Release

3.6.1

Affected Versions

Versions up to 3.6.0

Next Step

Update to 3.6.1 or newer if supported.

Open CVE-2024-3598 Report Open CVE Reference