CVE-2024-10867 MEDIUM

CVE-2024-10867: Borderless – Widgets, Elements, Templates and Toolkit for Elementor & Gutenberg <= 1.6.2 - Authenticated (Author+) Stored Cross-Site Scripting via SVG Upload

Vendor Visualmodo
Product Borderless – Addons and Templates for Elementor
Weakness CWE-79 · XSS
Published January 31, 2025
Last update April 8, 2026
View on NVD All CVEs

CVSS base score

5.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

The Borderless – Widgets, Elements, Templates and Toolkit for Elementor & Gutenberg plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.6.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

Key dates

02Disclosure timeline

January 31, 2025 CVE published
April 8, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-48240 WordPress Cost of Goods for WooCommerce plugin <= 3.7.0 - Cross Site Scripting (XSS) Vulnerability CVE-2026-1127 Timeline Event History <= 3.2 - Reflected Cross-Site Scripting CVE-2023-28525 IBM Engineering Requirements Management cross-site scripting CVE-2024-26036 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) CVE-2025-26904 WordPress WP Responsive Auto Fit Text plugin <= 0.2 - Cross Site Scripting (XSS) vulnerability