Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Elementor Elementor Website Builder elementor allows DOM-Based XSS.This issue affects Elementor Website Builder: from n/a through <= 3.35.5.
Published: 2026-03-13
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Client‑Side XSS
Action: Patch Now
AI Analysis

Impact

The vulnerability is a DOM‑Based Cross‑Site Scripting flaw as described in the CVE_DESCRIPTION, classified by CWE‑79. An attacker can inject malicious JavaScript that executes within the victim’s browser when visiting a page that includes the content injected via Elementor. The malicious code can read cookies, hijack sessions, redirect users, or perform other client‑side attacks. The severity is moderate with a CVSS base score of 6.5.

Affected Systems

Affected the Elementor Website Builder plugin for WordPress; all versions up to and including 3.35.5 (inclusive) are vulnerable. No specific sub‑versions are listed, so any deployment using a version ≤3.35.5 should remediate.

Risk and Exploitability

The EPSS score indicates a low likelihood of exploitation (<1%). However, because XSS can provide attackers with a broad range of malicious actions, the risk remains non‑negligible. No entry in the KEV catalog suggests no known public exploits yet, but the moderate CVSS score indicates that, if exploited, the impact could be significant to site visitors. Attack likely occurs when a user with posting rights injects content or when the plugin fails to sanitize input on page generation.

Generated by OpenCVE AI on March 19, 2026 at 14:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Elementor to version 3.35.6 or later.
  • If an update is not immediately possible, temporarily deactivate or uninstall the Elementor plugin until the patch is applied.
  • After updating, verify that no malicious scripts execute and that content displays correctly.
  • Check the plugin’s changelog or vendor notifications to confirm the XSS fix has been implemented.

Generated by OpenCVE AI on March 19, 2026 at 14:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Elementor
Elementor elementor Website Builder
Wordpress
Wordpress wordpress
Vendors & Products Elementor
Elementor elementor Website Builder
Wordpress
Wordpress wordpress

Fri, 13 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 13 Mar 2026 20:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Fri, 13 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Elementor Elementor Website Builder elementor allows DOM-Based XSS.This issue affects Elementor Website Builder: from n/a through <= 3.35.5.
Title WordPress Elementor Website Builder plugin <= 3.35.5 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Elementor Elementor Website Builder
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:57.336Z

Reserved: 2026-03-12T11:10:47.068Z

Link: CVE-2026-32352

cve-icon Vulnrichment

Updated: 2026-03-13T19:19:30.050Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-13T19:54:47.260

Modified: 2026-03-16T14:53:46.157

Link: CVE-2026-32352

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-23T09:59:04Z

Weaknesses