Description
The Elementor Website Builder Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘button_text’ parameter in all versions up to, and including, 3.29.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-06-10
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting
Action: Apply Patch
AI Analysis

Impact

The Elementor Website Builder Pro plugin for WordPress contains a stored cross-site scripting flaw caused by inadequate sanitization of the ‘button_text’ field. Authenticated users with Contributor level access or higher can inject arbitrary JavaScript that will be persisted in the database and executed whenever a site visitor loads the affected page. The flaw is limited to the execution of injected scripts within the context of the victim’s browser and does not provide attackers with direct server‑side privileges or data exposure beyond what the script can obtain client‑side.

Affected Systems

All releases of the Elementor Website Builder Pro plugin for WordPress up to and including version 3.29.0 are affected. Users running these versions are vulnerable regardless of site configuration or additional plugins, as the flaw resides in the core handling of the button_text parameter.

Risk and Exploitability

The vulnerability receives a CVSS score of 6.4, indicating moderate severity. Its EPSS score is below 1%, suggesting a low likelihood of exploitation in the wild at this time. The flaw is not catalogued in the CISA KEV list. Attackers must first authenticate with Contributor privileges or higher, then modify the button_text field to store malicious JavaScript. Once stored, the script executes for any visitor to the page, creating a risk that is limited to those who access the injected content.

Generated by OpenCVE AI on April 28, 2026 at 01:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Elementor Pro to version 3.30.0 or later to remove the stored XSS vulnerability.
  • Limit Contributor‑level permissions to only trusted users or eliminate the role where it is not required.
  • If an upgrade is not immediately possible, implement a sanitization routine that cleans the button_text field before it is rendered on the page.

Generated by OpenCVE AI on April 28, 2026 at 01:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-17620 The Elementor Website Builder Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘button_text’ parameter in all versions up to, and including, 3.29.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Sat, 12 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00032}

 epss

{'score': 0.00034}

Fri, 11 Jul 2025 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Elementor
Elementor elementor Page Builder
CPEs cpe:2.3:a:elementor:elementor_page_builder:*:*:*:*:pro:wordpress:*:*
Vendors & Products Elementor
Elementor elementor Page Builder

Tue, 10 Jun 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Jun 2025 04:45:00 +0000

Type Values Removed Values Added
Description The Elementor Website Builder Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘button_text’ parameter in all versions up to, and including, 3.29.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Elementor Pro <= 3.29.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Elementor Elementor Page Builder
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:35:04.765Z

Reserved: 2025-03-31T23:12:50.027Z

Link: CVE-2025-3076

cve-icon Vulnrichment

Updated: 2025-06-10T14:43:25.172Z

cve-icon NVD

Status : Analyzed

Published: 2025-06-10T05:15:22.503

Modified: 2025-07-11T17:03:28.547

Link: CVE-2025-3076

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T01:30:17Z

Weaknesses