Which Xpro Addons — 140+ Widgets for Elementor CVEs are tracked?

Xpro Addons — 140+ Widgets for Elementor tracked CVEs include CVE-2025-69312, CVE-2024-4471, CVE-2025-13368, CVE-2026-2949, and CVE-2025-14149.

How many Xpro Addons — 140+ Widgets for Elementor vulnerabilities have patch guidance?

18 of 18 tracked Xpro Addons — 140+ Widgets for Elementor records include a published patch path.

Where should operators start on this Plugin hub?

Start with the priority CVE quick links, then open the full report for affected versions, remediation notes, CVSS vectors, and source references.

Plugin Vulnerability Hub

Plugin 18 known issues Latest disclosed Apr 03, 2026

Xpro Addons — 140+ Widgets for Elementor Vulnerabilities

Review known vulnerability records for the WordPress plugin Xpro Addons — 140+ Widgets for Elementor (`xpro-elementor-addons`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2025-13368, CVE-2026-2949 and CVE-2025-14149, so operators can jump from disclosure to patch validation without scanning the full feed first.

View on WordPress.org Back to Feed

Known Records

High or Critical

Patch Coverage

100%

Last Updated

Apr 04, 2026

Priority CVE Quick Links

Fast paths into Xpro Addons — 140+ Widgets for Elementor CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs

CVE-2025-69312 High 1.4.20

CVE-2025-69312 Xpro Addons — 140+ Widgets for Elementor Remote Code Execution

Xpro Elementor Addons <= 1.4.19.1 - Authenticated (Author+) Arbitrary File Upload

CVE-2024-4471 High 1.4.3.2

CVE-2024-4471 Xpro Addons — 140+ Widgets for Elementor Vulnerability

140+ Widgets | Best Addons For Elementor – FREE <= 1.4.3.1 - Authenticated (Contributor+) PHP Object Injection

CVE-2025-13368 Medium 1.4.21

CVE-2025-13368 Xpro Addons — 140+ Widgets for Elementor Stored Cross-Site Scripting

Xpro Addons — 140+ Widgets for Elementor <= 1.4.20 - Authenticated (Contributor+) Stored Cross-Site Scripting

CVE-2026-2949 Medium 1.4.25

CVE-2026-2949 Xpro Addons — 140+ Widgets for Elementor Stored Cross-Site Scripting

Xpro Addons — 140+ Widgets for Elementor <= 1.4.24 - Authenticated (Contributor+) Stored Cross-Site Scripting via Icon Box Widget

CVE-2025-14149 Medium 1.4.25

CVE-2025-14149 Xpro Addons — 140+ Widgets for Elementor Stored Cross-Site Scripting

Xpro Addons — 140+ Widgets for Elementor <= 1.4.24 - Authenticated (Contributor+) Stored Cross-Site Scripting via Image Scroller Widget box link

CVE-2025-63044 Medium 1.4.20

CVE-2025-63044 Xpro Addons — 140+ Widgets for Elementor Stored Cross-Site Scripting

Xpro Elementor Addons <= 1.4.19.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

CVE-2025-58195 Medium 1.4.18

CVE-2025-58195 Xpro Addons — 140+ Widgets for Elementor Stored Cross-Site Scripting

Xpro Elementor Addons <= 1.4.17 - Authenticated (Contributor+) Stored Cross-Site Scripting

CVE-2025-32163 Medium 1.4.11

CVE-2025-32163 Xpro Addons — 140+ Widgets for Elementor Stored Cross-Site Scripting

Xpro Elementor Addons <= 1.4.10 - Authenticated (Contributor+) Stored Cross-Site Scripting

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for Xpro Addons — 140+ Widgets for Elementor so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility

18 records include a published patch path, leaving 0 with no listed safe release yet.

Severity Mix

0 critical and 2 high severity findings.

Recent CVEs

CVE-2025-13368, CVE-2026-2949 and CVE-2025-14149

Reference Workflow

Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.

Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

CVE-2025-13368 Medium Patch path listed

CVE-2025-13368: Xpro Addons — 140+ Widgets for Elementor <= 1.4.20 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Xpro Addons — 140+ Widgets for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Pricing Widget's 'onClick Event' setting in all versions up to, and inc...

Published

Apr 03, 2026

Patch Status

1.4.21

Open CVE-2025-13368 Report

CVE-2026-2949 Medium Patch path listed

CVE-2026-2949: Xpro Addons — 140+ Widgets for Elementor <= 1.4.24 - Authenticated (Contributor+) Stored Cross-Site Scripting via Icon Box Widget

The Xpro Addons — 140+ Widgets for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Icon Box widget in versions up to, and including, 1.4.24 due to insuffi...

Published

Apr 03, 2026

Patch Status

1.4.25

Open CVE-2026-2949 Report

CVE-2025-14149 Medium Patch path listed

CVE-2025-14149: Xpro Addons — 140+ Widgets for Elementor <= 1.4.24 - Authenticated (Contributor+) Stored Cross-Site Scripting via Image Scroller Widget box link

The Xpro Addons — 140+ Widgets for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Image Scroller widget box link attribute in all versions up to...

Published

Feb 26, 2026

Patch Status

1.4.25

Open CVE-2025-14149 Report

Known Vulnerabilities

Reports for Xpro Addons — 140+ Widgets for Elementor

Sorted by latest disclosure date so newly published issues surface first.

Plugin Medium Patched: Yes CVE-2025-13368

CVE-2025-13368: Xpro Addons — 140+ Widgets for Elementor <= 1.4.20 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Xpro Addons — 140+ Widgets for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Pricing Widget's 'onClick Event' setting in all versions up to, and including, 1.4.20 due to insufficient input sanitization and output escaping. This makes it p...

Published

Apr 03, 2026

Patched Release

1.4.21

Affected Versions

Versions up to 1.4.20

Next Step

Update to 1.4.21 or newer if supported.

Open CVE-2025-13368 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2026-2949

CVE-2026-2949: Xpro Addons — 140+ Widgets for Elementor <= 1.4.24 - Authenticated (Contributor+) Stored Cross-Site Scripting via Icon Box Widget

The Xpro Addons — 140+ Widgets for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Icon Box widget in versions up to, and including, 1.4.24 due to insufficient input sanitization and output escaping. This makes it possible for authenticated att...

Published

Apr 03, 2026

Patched Release

1.4.25

Affected Versions

Versions up to 1.4.24

Next Step

Update to 1.4.25 or newer if supported.

Open CVE-2026-2949 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2025-14149

CVE-2025-14149: Xpro Addons — 140+ Widgets for Elementor <= 1.4.24 - Authenticated (Contributor+) Stored Cross-Site Scripting via Image Scroller Widget box link

The Xpro Addons — 140+ Widgets for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Image Scroller widget box link attribute in all versions up to, and including, 1.4.24 due to insufficient input sanitization and output escaping on user...

Published

Feb 26, 2026

Patched Release

1.4.25

Affected Versions

Versions up to 1.4.24

Next Step

Update to 1.4.25 or newer if supported.

Open CVE-2025-14149 Report Open CVE Reference

Plugin High Patched: Yes CVE-2025-69312

CVE-2025-69312: Xpro Elementor Addons <= 1.4.19.1 - Authenticated (Author+) Arbitrary File Upload

The Xpro Addons — 140+ Widgets for Elementor plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.4.19.1. This makes it possible for authenticated attackers, with Author-level access and above, to...

Published

Jan 19, 2026

Patched Release

1.4.20

Affected Versions

Versions up to 1.4.19.1

Next Step

Update to 1.4.20 or newer if supported.

Open CVE-2025-69312 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2025-63044

CVE-2025-63044: Xpro Elementor Addons <= 1.4.19.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Xpro Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.4.19.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and...

Published

Dec 06, 2025

Patched Release

1.4.20

Affected Versions

Versions up to 1.4.19.1

Next Step

Update to 1.4.20 or newer if supported.

Open CVE-2025-63044 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2025-58195

CVE-2025-58195: Xpro Elementor Addons <= 1.4.17 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Xpro Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.4.17 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and a...

Published

Aug 27, 2025

Patched Release

1.4.18

Affected Versions

Versions up to 1.4.17

Next Step

Update to 1.4.18 or newer if supported.

Open CVE-2025-58195 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2025-32163

CVE-2025-32163: Xpro Elementor Addons <= 1.4.10 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Xpro Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.4.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and a...

Published

Apr 04, 2025

Patched Release

1.4.11

Affected Versions

Versions up to 1.4.10

Next Step

Update to 1.4.11 or newer if supported.

Open CVE-2025-32163 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2025-2108

CVE-2025-2108: 140+ Widgets | Xpro Addons For Elementor – FREE <= 1.4.7.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'Site Title' widget

The 140+ Widgets | Xpro Addons For Elementor – FREE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Site Title’ widget's 'title_tag' and 'html_tag' parameters in all versions up to, and including, 1.4.6.8 due to insufficient input sanitization and outpu...

Published

Mar 19, 2025

Patched Release

1.4.8

Affected Versions

Versions up to 1.4.7.1

Next Step

Update to 1.4.8 or newer if supported.

Open CVE-2025-2108 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2024-13649

CVE-2024-13649: 140+ Widgets | Xpro Addons For Elementor – FREE <= 1.4.6.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

The 140+ Widgets | Xpro Addons For Elementor – FREE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widgets in all versions up to, and including, 1.4.6.7 due to insufficient input sanitization and output escaping. This makes it possible for authentic...

Published

Mar 07, 2025

Patched Release

1.4.6.8

Affected Versions

Versions up to 1.4.6.7

Next Step

Update to 1.4.6.8 or newer if supported.

Open CVE-2024-13649 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2024-12584

CVE-2024-12584: 140+ Widgets | Xpro Addons For Elementor – FREE <= 1.4.6.2 - Authenticated (Contributor+) Post Disclosure via Post Duplication

The 140+ Widgets | Xpro Addons For Elementor – FREE plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.6.2 via the 'duplicate' function. This makes it possible for authenticated attackers, with Contributor-level access a...

Published

Jan 07, 2025

Patched Release

1.4.6.3

Affected Versions

Versions up to 1.4.6.2

Next Step

Update to 1.4.6.3 or newer if supported.

Open CVE-2024-12584 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2024-54253

CVE-2024-54253: 140+ Widgets | Xpro Addons For Elementor – FREE <= 1.4.6.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

The 140+ Widgets | Xpro Addons For Elementor – FREE plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.4.6.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

Published

Dec 05, 2024

Patched Release

1.4.6.6

Affected Versions

Versions up to 1.4.6.5

Next Step

Update to 1.4.6.6 or newer if supported.

Open CVE-2024-54253 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2024-10319

CVE-2024-10319: 140+ Widgets | Xpro Addons For Elementor – FREE <= 1.4.6 - Authenticated (Contributor+) Sensitive Information Exposure via Elementor Template

The 140+ Widgets | Xpro Addons For Elementor – FREE plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.6 via the render function in widgets/content-toggle/layout/frontend.php. This makes it possible for authenticated att...

Published

Nov 04, 2024

Patched Release

1.4.6.1

Affected Versions

Versions up to 1.4.6

Next Step

Update to 1.4.6.1 or newer if supported.

Open CVE-2024-10319 Report Open CVE Reference