Description
Contributor Sensitive Data Exposure in Elementor Website Builder <= 4.1.3 versions.
Published: 2026-06-25
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability affects Elementor Website Builder plugin versions up to and including 4.1.3 and allows users to access sensitive data that should be protected. It is classified as CWE-862 (Missing Authorization), an authorization weakness in which information that ought to be restricted is exposed. If exploited, attackers could read personal or confidential data stored or managed by the plugin, compromising confidentiality and potentially violating regulatory requirements.

Affected Systems

The affected systems are WordPress sites that include the Elementor Website Builder plugin with a version equal to or below 4.1.3. The plugin is distributed under the vendor Elementor, and any WordPress installation using these legacy versions is susceptible until the plugin is updated.

Risk and Exploitability

The CVSS score of 6.5 places this vulnerability in the medium severity range, indicating a non-negligible risk. The EPSS score is not available, so the current likelihood of exploitation is unclear; however, because the vulnerability involves sensitive data exposure and the plugin is widely used, there could be a moderate exploitation probability. The vulnerability is not listed in the CISA KEV catalog. The attack vector is not specified in the CVE data; therefore, the exact conditions required for exploitation remain unspecified.

Generated by OpenCVE AI on June 25, 2026 at 16:21 UTC.

Remediation

Vendor Solution

Update the WordPress Elementor Website Builder Plugin to the latest available version (at least 4.1.4).


OpenCVE Recommended Actions

  • Upgrade the Elementor Website Builder plugin to version 4.1.4 or later.
  • Limit access to the Elementor editor to only users with appropriate roles, ensuring that only authorized personnel can interact with sensitive data.
  • Regularly audit the site for unintended data exposure and monitor logs for any anomalous access patterns.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 00:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Elementor; Elementor elementor Website Builder; Wordpress; Wordpress wordpress
Vendors & Products | | Elementor; Elementor elementor Website Builder; Wordpress; Wordpress wordpress

Thu, 25 Jun 2026 14:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 14:00:00 +0000

Type | Values Removed | Values Added
Description | | Contributor Sensitive Data Exposure in Elementor Website Builder <= 4.1.3 versions.
Title | | WordPress Elementor Website Builder plugin <= 4.1.3 - Sensitive Data Exposure vulnerability
Weaknesses | | CWE-862
References | |
Metrics | | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-25T14:02:14.879Z

Reserved: 2026-06-25T08:03:02.838Z

Link: CVE-2026-57619

Vulnrichment

Updated: 2026-06-25T14:02:11.961Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T23:45:04Z

Weaknesses