Stored Cross-Site Scripting Vulnerability in Elementor Website Builder for WordPress
CVE-2025-14732

6.4MEDIUM

Key Information:

Vendor: WordPress
Status: Elementor Website Builder – More Than Just A Page Builder
Vendor: CVE Published:; 8 April 2026

What is CVE-2025-14732?

The Elementor Website Builder plugin for WordPress suffers from a stored cross-site scripting vulnerability due to inadequate input sanitization and output escaping. Authenticated attackers with Contributor-level access or higher can exploit this flaw through various widget parameters. By injecting arbitrary web scripts into pages, attackers enable the scripts to execute in users' browsers when accessing the compromised pages, potentially leading to data theft and other malicious activities.

Affected Version(s)

Elementor Website Builder – more than just a page builder 0 <= 3.35.5

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/elementor/trun...

https://plugins.trac.wordpress.org/changeset?old_path=/el...

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 8, 2026
Vulnerability Reserved
Dec 15, 2025

Credit

andrea bocchetti

CVE-2025-14732 Data

JSON