Cross-Site Scripting Vulnerability in Elementor Website Builder
CVE-2026-32352

6.5MEDIUM

Key Information:

Vendor

WordPress
Status
Elementor Website Builder
Vendor
CVE Published:
13 March 2026

What is CVE-2026-32352?

A vulnerability in the Elementor Website Builder allows for improper neutralization of input during web page generation, resulting in a DOM-Based Cross-Site Scripting (XSS) issue. This flaw affects versions up to 3.35.5 of the Elementor plugin, posing a risk to users by potentially allowing attackers to inject malicious scripts into web pages. Such attacks can lead to unauthorized actions, data theft, and compromised user information if not addressed promptly.

Affected Version(s)

Elementor Website Builder 0 <= 3.35.5

References

https://patchstack.com/database/Wordpress/Plugin/elemento...
vdb-entry

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

ickogz | Patchstack Bug Bounty Program
.