CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-49303 – WordPress Frontend Admin by DynamiApps <= 3.28.7 - Arbitrary File Download Vulnerability
https://notcve.org/view.php?id=CVE-2025-49303
26 Jun 2025 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Shabti Kaplan Frontend Admin by DynamiApps allows Path Traversal. This issue affects Frontend Admin by DynamiApps: from n/a through 3.28.7. The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in all versions up to, and including, 3.28.7. This makes it possible for authenticated attackers, with Editor-level access and above, to del... • https://patchstack.com/database/wordpress/plugin/acf-frontend-form-element/vulnerability/wordpress-frontend-admin-by-dynamiapps-3-28-7-arbitrary-file-download-vulnerability?_s_id=cve • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-46257 – WordPress Element Pack Pro Plugin < 8.0.0 - Cross Site Request Forgery (CSRF) vulnerability
https://notcve.org/view.php?id=CVE-2025-46257
16 May 2025 — Cross-Site Request Forgery (CSRF) vulnerability in BdThemes Element Pack Pro allows Cross Site Request Forgery.This issue affects Element Pack Pro: from n/a before 8.0.0. The Element Pack Pro - Addon for Elementor Page Builder WordPress Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 7.21.0. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action gr... • https://patchstack.com/database/wordpress/plugin/bdthemes-element-pack/vulnerability/wordpress-element-pack-pro-plugin-7-18-12-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-46258 – WordPress Element Pack Pro Plugin < 8.0.0 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2025-46258
16 May 2025 — Missing Authorization vulnerability in BdThemes Element Pack Pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Element Pack Pro: from n/a before 8.0.0. The Element Pack Pro - Addon for Elementor Page Builder WordPress Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 7.21.0. This makes it possible for authenticated attackers, with Subscriber-level access and above... • https://patchstack.com/database/wordpress/plugin/bdthemes-element-pack/vulnerability/wordpress-element-pack-pro-plugin-7-18-12-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-47659 – WordPress WPBakery Visual Composer WHMCS Elements <= 1.0.4.1 - Cross Site Scripting (XSS) Vulnerability
https://notcve.org/view.php?id=CVE-2025-47659
07 May 2025 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in voidcoders WPBakery Visual Composer WHMCS Elements allows Stored XSS. This issue affects WPBakery Visual Composer WHMCS Elements: from n/a through 1.0.4.1. The WPBakery Visual Composer WHMCS Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.0.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated a... • https://patchstack.com/database/wordpress/plugin/void-visual-whmcs-element/vulnerability/wordpress-wpbakery-visual-composer-whmcs-elements-1-0-4-1-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-27599 – Element X Android vulnerable to loading malicious web pages via received intent
https://notcve.org/view.php?id=CVE-2025-27599
18 Apr 2025 — Element X Android is a Matrix Android Client provided by element.io. Prior to version 25.04.2, a crafted hyperlink on a webpage, or a locally installed malicious app, can force Element X up to version 25.04.1 to load a webpage with similar permissions to Element Call and automatically grant it temporary access to microphone and camera. This issue has been patched in version 25.04.2. Element X Android es un cliente Matrix para Android proporcionado por element.io. Antes de la versión 25.04.2, un hipervínculo... • https://github.com/element-hq/element-x-android/commit/dc058544d7e693c04298191c1aadd5b39c9be52e • CWE-20: Improper Input Validation CWE-926: Improper Export of Android Application Components •
CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-39546 – WordPress ElementsReady Addons for Elementor <= 6.6.2 - Cross Site Request Forgery (CSRF) Vulnerability
https://notcve.org/view.php?id=CVE-2025-39546
16 Apr 2025 — Cross-Site Request Forgery (CSRF) vulnerability in quomodosoft ElementsReady Addons for Elementor allows Cross Site Request Forgery. This issue affects ElementsReady Addons for Elementor: from n/a through 6.6.2. The ElementsReady Addons for Elementor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.6.2. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized act... • https://patchstack.com/database/wordpress/plugin/element-ready-lite/vulnerability/wordpress-elementsready-addons-for-elementor-6-6-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.7EPSS: 0%CPEs: 1EXPL: 0CVE-2025-32026 – Element Web could load a malicious instance of Element Call leaking media encryption keys
https://notcve.org/view.php?id=CVE-2025-32026
08 Apr 2025 — Element Web is a Matrix web client built using the Matrix React SDK. Element Web, starting from version 1.11.16 up to version 1.11.96, can be configured to load Element Call from an external URL. Under certain conditions, the external page is able to get access to the media encryption keys used for an Element Call call. Version 1.11.97 fixes the problem. • https://github.com/element-hq/element-web/security/advisories/GHSA-69q3-jg79-cg79 • CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-32191 – WordPress News Element Elementor Blog Magazine plugin <= 1.0.7 - Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2025-32191
04 Apr 2025 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webangon News Element Elementor Blog Magazine allows DOM-Based XSS. This issue affects News Element Elementor Blog Magazine: from n/a through 1.0.7. The News Element Elementor Blog Magazine plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.0.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, wi... • https://patchstack.com/database/wordpress/plugin/news-element/vulnerability/wordpress-news-element-elementor-blog-magazine-plugin-1-0-7-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-32194 – WordPress LA-Studio Element Kit for Elementor plugin <= 1.4.9 - Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2025-32194
04 Apr 2025 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LA-Studio LA-Studio Element Kit for Elementor allows Stored XSS. This issue affects LA-Studio Element Kit for Elementor: from n/a through 1.4.9. The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.5.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with co... • https://patchstack.com/database/wordpress/plugin/lastudio-element-kit/vulnerability/wordpress-la-studio-element-kit-for-elementor-plugin-1-4-9-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2025-31126 – Element X iOS allows the entity in control of the well-known file to break the confidentiality of embedded Element Call
https://notcve.org/view.php?id=CVE-2025-31126
03 Apr 2025 — Element X iOS is a Matrix iOS Client provided by Element. In Element X iOS version between 1.6.13 and 25.03.7, the entity in control of the element.json well-known file is able, under certain conditions, to get access to the media encryption keys used for an Element Call call. This vulnerability is fixed in 25.03.8. Element X iOS es un cliente Matrix iOS proporcionado por Element. En las versiones de Element X iOS entre la 1.6.13 y la 25.03.7, la entidad que controla el archivo conocido element.json puede, ... • https://github.com/element-hq/element-meta/issues/2441 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •