VulnTitan VulnTitan Security command center
Plugin Vulnerability Hub
Plugin 13 known issues Latest disclosed Mar 01, 2026

PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) Vulnerabilities

Review known vulnerability records for the WordPress plugin PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) (`powerpack-lite-for-elementor`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2026-32430, CVE-2025-8388 and CVE-2025-1512, so operators can jump from disclosure to patch validation without scanning the full feed first.

View on WordPress.org Back to Feed
Known Records
13
High or Critical
0
Patch Coverage
100%
Last Updated
Apr 15, 2026
Priority CVE Quick Links

Fast paths into PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs
13
CVE-2026-32430 Medium 2.9.10
CVE-2026-32430 PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) Stored Cross-Site Scripting

PowerPack Addons for Elementor <= 2.9.9 - Authenticated (Contributor+) Stored Cross-Site Scripting

CVE-2025-8388 Medium 2.9.5
CVE-2025-8388 PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) Stored Cross-Site Scripting

PowerPack Lite for Elementor <= 2.9.4 - Authenticated (Contributor+) Stored Cross-Site Scripting Via 'cursor_url'

CVE-2025-1512 Medium 2.9.1
CVE-2025-1512 PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) Stored Cross-Site Scripting

PowerPack Elementor Addons (Free Widgets, Extensions and Templates) <= 2.9.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

CVE-2024-5787 Medium 2.7.21
CVE-2024-5787 PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) Stored Cross-Site Scripting

PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) <= 2.7.20 - Authenticated (Contributor+) Stored Cross-Site Scripting via Link Effects Widget

CVE-2024-5327 Medium 2.7.20
CVE-2024-5327 PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) Stored Cross-Site Scripting

PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) <= 2.7.19 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting

CVE-2024-2492 Medium 2.7.19
CVE-2024-2492 PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) Stored Cross-Site Scripting

PowerPack Addons for Elementor <= 2.7.18 - Authenticated (Contributor+) Stored Cross-Site Scripting via Twitter Tweet Widget

CVE-2024-2491 Medium 2.7.18
CVE-2024-2491 PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) Stored Cross-Site Scripting

PowerPack Addons for Elementor <= 2.7.17 - Authenticated (Contributor+) Stored Cross-Site Scripting via *_html_tag*

CVE-2024-1411 Medium 2.7.16
CVE-2024-1411 PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) Stored Cross-Site Scripting

PowerPack Addons for Elementor <= 2.7.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via Twitter Buttons Widget

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility
13 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix
0 critical and 0 high severity findings.
Recent CVEs
CVE-2026-32430, CVE-2025-8388 and CVE-2025-1512
Reference Workflow
Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.
Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

Known Vulnerabilities

Reports for PowerPack Addons for Elementor (Free Widgets, Extensions and Templates)

Sorted by latest disclosure date so newly published issues surface first.

Plugin Medium Patched: Yes CVE-2026-32430
CVE-2026-32430: PowerPack Addons for Elementor <= 2.9.9 - Authenticated (Contributor+) Stored Cross-Site Scripting

The PowerPack Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.9.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level acce...

Published
Mar 01, 2026
Patched Release
2.9.10
Affected Versions
Versions up to 2.9.9
Next Step
Update to 2.9.10 or newer if supported.
Open CVE-2026-32430 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-8388
CVE-2025-8388: PowerPack Lite for Elementor <= 2.9.4 - Authenticated (Contributor+) Stored Cross-Site Scripting Via 'cursor_url'

The PowerPack Elementor Addons (Free Widgets, Extensions and Templates) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘cursor_url’ parameter in all versions up to, and including, 2.9.4 due to insufficient input sanitization and output escaping. This ma...

Published
Sep 09, 2025
Patched Release
2.9.5
Affected Versions
Versions up to 2.9.4
Next Step
Update to 2.9.5 or newer if supported.
Open CVE-2025-8388 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-1512
CVE-2025-1512: PowerPack Elementor Addons (Free Widgets, Extensions and Templates) <= 2.9.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

The PowerPack Elementor Addons (Free Widgets, Extensions and Templates) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom Cursor Extension in all versions up to, and including, 2.9.0 due to insufficient input sanitization and output escaping. This m...

Published
Mar 31, 2025
Patched Release
2.9.1
Affected Versions
Versions up to 2.9.0
Next Step
Update to 2.9.1 or newer if supported.
Open CVE-2025-1512 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-10692
CVE-2024-10692: PowerPack Elementor Addons (Free Widgets, Extensions and Templates) <= 2.8.1 - Authenticated (Contributor+) Post Disclosure

The PowerPack Elementor Addons (Free Widgets, Extensions and Templates) plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.8.1 via the Content Reveal widget due to insufficient restrictions on which posts can be included. This makes...

Published
Dec 05, 2024
Patched Release
2.8.2
Affected Versions
Versions up to 2.8.1
Next Step
Update to 2.8.2 or newer if supported.
Open CVE-2024-10692 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-5787
CVE-2024-5787: PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) <= 2.7.20 - Authenticated (Contributor+) Stored Cross-Site Scripting via Link Effects Widget

The PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'url' attribute within the plugin's Link Effects widget in all versions up to, and including, 2.7.20 due to insufficient input san...

Published
Jun 12, 2024
Patched Release
2.7.21
Affected Versions
Versions up to 2.7.20
Next Step
Update to 2.7.21 or newer if supported.
Open CVE-2024-5787 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-5327
CVE-2024-5327: PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) <= 2.7.19 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting

The PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the ‘pp_animated_gradient_bg_color’ parameter in all versions up to, and including, 2.7.19 due to insufficient input sanitiz...

Published
May 29, 2024
Patched Release
2.7.20
Affected Versions
Versions up to 2.7.19
Next Step
Update to 2.7.20 or newer if supported.
Open CVE-2024-5327 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-2492
CVE-2024-2492: PowerPack Addons for Elementor <= 2.7.18 - Authenticated (Contributor+) Stored Cross-Site Scripting via Twitter Tweet Widget

The PowerPack Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Twitter Tweet widget in all versions up to, and including, 2.7.18 due to insufficient input sanitization and output escaping. This makes it possible for authenticated atta...

Published
Mar 29, 2024
Patched Release
2.7.19
Affected Versions
Versions up to 2.7.18
Next Step
Update to 2.7.19 or newer if supported.
Open CVE-2024-2492 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-2491
CVE-2024-2491: PowerPack Addons for Elementor <= 2.7.17 - Authenticated (Contributor+) Stored Cross-Site Scripting via *_html_tag*

The PowerPack Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the *_html_tag* attribute of multiple widgets in all versions up to, and including, 2.7.17 due to insufficient input sanitization and output escaping. This makes it possible f...

Published
Mar 29, 2024
Patched Release
2.7.18
Affected Versions
Versions up to 2.7.17
Next Step
Update to 2.7.18 or newer if supported.
Open CVE-2024-2491 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-1411
CVE-2024-1411: PowerPack Addons for Elementor <= 2.7.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via Twitter Buttons Widget

The PowerPack Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the settings of the Twitter Buttons Widget in all versions up to, and including, 2.7.15 due to insufficient input sanitization and output escaping. This makes it possible for...

Published
Feb 15, 2024
Patched Release
2.7.16
Affected Versions
Versions up to 2.7.15
Next Step
Update to 2.7.16 or newer if supported.
Open CVE-2024-1411 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-1055
CVE-2024-1055: PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) <= 2.7.14 - Authenticated (Contributor+) Stored Cross-Site Scripting

The PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's buttons in all versions up to, and including, 2.7.14 due to insufficient input sanitization and output escaping on user s...

Published
Feb 06, 2024
Patched Release
2.7.15
Affected Versions
Versions up to 2.7.14
Next Step
Update to 2.7.15 or newer if supported.
Open CVE-2024-1055 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2023-6984
CVE-2023-6984: PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) <= 2.7.13 - Cross-Site Request Forgery

The PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.13. This is due to missing or incorrect nonce validation in the powerpack-lite-for-elementor/clas...

Published
Jan 02, 2024
Patched Release
2.7.14
Affected Versions
Versions up to 2.7.13
Next Step
Update to 2.7.14 or newer if supported.
Open CVE-2023-6984 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2021-25027
CVE-2021-25027: PowerPack Addons for Elementor <= 2.6.1 - Reflected Cross-Site Scripting

The PowerPack Addons for Elementor WordPress plugin before 2.6.2 does not escape the tab parameter before outputting it back in an attribute in the admin dashboard, leading to a Reflected Cross-Site Scripting issue

Published
Dec 06, 2021
Patched Release
2.6.2
Affected Versions
Versions up to 2.6.1
Next Step
Update to 2.6.2 or newer if supported.
Open CVE-2021-25027 Report Open CVE Reference