CVE-2024-4107 MEDIUM

CVE-2024-4107: Elementor Website Builder Pro <= 3.21.0 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting

Vendor Https://Elementor.com/
Product Elementor Website Builder Pro
Weakness CWE-79 · XSS
Published May 9, 2024
Last update April 8, 2026
View on NVD All CVEs

CVSS base score

6.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

The Elementor Website Builder – More than Just a Page Builder Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the several parameters in versions up to, and including, 3.21.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Key dates

02Disclosure timeline

May 9, 2024 CVE published
April 8, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-41575 th30d4y/IP: DOM-Based Cross-Site Scripting (XSS) Vulnerability CVE-2024-3338 Colibri Page Builder <= 1.0.262 - Authenticated (Author+) Stored Cross-Site Scripting CVE-2023-40681 WordPress Groundhogg Plugin <= 2.7.11.10 is vulnerable to Cross Site Scripting (XSS) CVE-2025-12037 WP 404 Auto Redirect <= 1.0.5 - Authenticated (Admin+) Stored Cross-Site Scripting CVE-2024-9058 Element Pack Elementor Addons <= 5.10.5 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Lightbox Widget