Plugin Vulnerability Hub
Plugin, 10 known issues, latest disclosed Dec 12, 2025

All-in-One Addons for Elementor – WidgetKit Vulnerabilities

Review known vulnerability records for the WordPress plugin All-in-One Addons for Elementor – WidgetKit (`widgetkit-for-elementor`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2025-8779, CVE-2025-2330 and CVE-2025-49074, so operators can jump from disclosure to patch validation without scanning the full feed first.

Known Records: 10
High or Critical: 0
Patch Coverage: 100%
Last Updated: Dec 13, 2025

Priority CVE Quick Links

Fast paths into All-in-One Addons for Elementor – WidgetKit CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs: 10

CVE-2025-8779 (Medium, patched in 2.5.7): All-in-One Addons for Elementor – WidgetKit <= 2.5.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Team and Countdown Widgets

CVE-2025-2330 (Medium, patched in 2.5.5): All-in-One Addons for Elementor – WidgetKit <= 2.5.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via button+modal Widget

CVE-2025-49074 (Medium, patched in 2.5.5): WidgetKit <= 2.5.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

CVE-2024-37428 (Medium, patched in 2.5.1): WidgetKit <= 2.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

CVE-2024-34548 (Medium, patched in 2.5.0): All-in-One Addons for Elementor – WidgetKit <= 2.4.8 - Authenticated (Contributor+) Stored Cross-Site Scripting

CVE-2024-2137 (Medium, no patch listed): All-in-One Addons for Elementor – WidgetKit <= 2.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Pricing Widgets

CVE-2021-24267 (Medium, patched in 2.3.10): All-in-One Addons for Elementor - WidgetKit <= 2.3.9 - Contributor+ Stored Cross-Site Scripting

CVE-2022-4256 (Medium, patched in 2.4.4): All-in-One Addons for Elementor - WidgetKit <= 2.4.3 - Authenticated (Administrator+) Stored Cross-Site Scripting

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for All-in-One Addons for Elementor – WidgetKit so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility: 10 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix: 0 critical and 0 high severity findings.
Recent CVEs: CVE-2025-8779, CVE-2025-2330 and CVE-2025-49074
Reference Workflow: Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.

Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

Known Vulnerabilities

Reports for All-in-One Addons for Elementor – WidgetKit

Sorted by latest disclosure date so newly published issues surface first.

Plugin Medium Patched: Yes CVE-2025-8779
CVE-2025-8779: All-in-One Addons for Elementor – WidgetKit <= 2.5.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Team and Countdown Widgets

The All-in-One Addons for Elementor – WidgetKit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Team and Countdown widgets in all versions up to, and including, 2.5.6 due to insufficient input sanitization and output escaping on user supplied at...

Published: Dec 12, 2025
Patched Release: 2.5.7
Affected Versions: Versions up to 2.5.6
Next Step: Update to 2.5.7 or newer if supported.

Plugin Medium Patched: Yes CVE-2025-2330
CVE-2025-2330: All-in-One Addons for Elementor – WidgetKit <= 2.5.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via button+modal Widget

The All-in-One Addons for Elementor – WidgetKit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'button+modal' widget in all versions up to, and including, 2.5.4 due to insufficient input sanitization and output escaping on user supplied attribu...

Published: Jul 01, 2025
Patched Release: 2.5.5
Affected Versions: Versions up to 2.5.4
Next Step: Update to 2.5.5 or newer if supported.

Plugin Medium Patched: Yes CVE-2025-49074
CVE-2025-49074: WidgetKit <= 2.5.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

The WidgetKit plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.5.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inje...

Published: May 30, 2025
Patched Release: 2.5.5
Affected Versions: Versions up to 2.5.4
Next Step: Update to 2.5.5 or newer if supported.

Plugin Medium Patched: No CVE-2024-10321
CVE-2024-10321: All-in-One Addons for Elementor – WidgetKit <= 2.5.5 - Authenticated (Contributor+) Sensitive Information Exposure via Elementor Templates

The All-in-One Addons for Elementor – WidgetKit plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.5.5 in elements/advanced-tab/template/view.php. This makes it possible for authenticated attackers, with Contributor-level...

Published: Mar 07, 2025
Patched Release: Not published
Affected Versions: Versions up to 2.5.5
Next Step: Open the full report for remediation notes and references.

Plugin Medium Patched: Yes CVE-2024-37428
CVE-2024-37428: WidgetKit <= 2.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

The WidgetKit plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inje...

Published: Jun 28, 2024
Patched Release: 2.5.1
Affected Versions: Versions up to 2.5.0
Next Step: Update to 2.5.1 or newer if supported.

Plugin Medium Patched: Yes CVE-2024-34548
CVE-2024-34548: All-in-One Addons for Elementor – WidgetKit <= 2.4.8 - Authenticated (Contributor+) Stored Cross-Site Scripting

The All-in-One Addons for Elementor – WidgetKit plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.4.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authent...

Published: May 07, 2024
Patched Release: 2.5.0
Affected Versions: Versions up to 2.4.8
Next Step: Update to 2.5.0 or newer if supported.

Plugin Medium Patched: Yes CVE-2024-33908
CVE-2024-33908: WidgetKit <= 2.5.4 - Missing Authorization to Notice Dismissal

The WidgetKit plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wk_td_ads_dismiss_notice() function in versions up to, and including, 2.5.4. This makes it possible for unauthenticated attackers to dismiss notices.

Published: Apr 29, 2024
Patched Release: 2.5.5
Affected Versions: Versions up to 2.5.4
Next Step: Update to 2.5.5 or newer if supported.

Plugin Medium Patched: No CVE-2024-2137
CVE-2024-2137: All-in-One Addons for Elementor – WidgetKit <= 2.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Pricing Widgets

The All-in-One Addons for Elementor – WidgetKit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple pricing widgets (e.g. Pricing Single, Pricing Icon, Pricing Tab) in all versions up to, and including, 2.5.1 due to insufficient input sanitization and o...

Published: Apr 11, 2024
Patched Release: Not published
Affected Versions: Versions up to 2.5.1
Next Step: Open the full report for remediation notes and references.

Plugin Medium Patched: Yes CVE-2022-4256
CVE-2022-4256: All-in-One Addons for Elementor - WidgetKit <= 2.4.3 - Authenticated (Administrator+) Stored Cross-Site Scripting

The All-in-One Addons for Elementor - WidgetKit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's settings in versions up to, and including, 2.4.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

Published: Dec 06, 2022
Patched Release: 2.4.4
Affected Versions: Versions up to 2.4.3
Next Step: Update to 2.4.4 or newer if supported.

Plugin Medium Patched: Yes CVE-2021-24267
CVE-2021-24267: All-in-One Addons for Elementor - WidgetKit <= 2.3.9 - Contributor+ Stored Cross-Site Scripting

The “All-in-One Addons for Elementor – WidgetKit” WordPress Plugin before 2.3.10 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.

Published: Apr 13, 2021
Patched Release: 2.3.10
Affected Versions: Versions before 2.3.10
Next Step: Update to 2.3.10 or newer if supported.