This is the official vulnerability disclosure program for Elementor Website Builder. If you're a security researcher and believe that you have found a security vulnerability within our software, please send us details through the "report" form on this page. Please include as detailed information as possible, so we could verify the issue and get back to you as soon as possible with either additional questions or with a potential fix. All valid security vulnerabilities will receive a CVE and may also earn you rewards from Patchstack Alliance bug bounty program.
Cross Site Scripting (XSS)
Remote/Local File Inclusion
Cross-Site Request Forgery (CSRF)
Broken Access Control
Arbitrary File Read/Download/Upload/Deletion
Sensitive Data Exposure
Arbitrary/Remote Code Execution
Server Side Request Forgery (SSRF)
Denial of Service
PHP Object Injection
Deserialization of untrusted data
Insecure Direct Object References (IDOR)
Cross-Site Request Forgery (CSRF) on read-only actions
Pre-requisite of another vulnerability
Pre-requisite of specific or unusual conditions
Vulnerabilities that requires exotic server configurations or outdated server software
Missing encryption/hashing on potential sensitive information
Spoofing of data (User Agent, IP address, etc.) with no serious security impact
Members of the Patchstack Alliance bug bounty program are ellegible for monthly cash rewards.
Additional bounties can be paid out to Patchstack Alliance members for findings that are beneficial to the community, particularly interesting or hard to find. Please read our full guidelines and terms before reporting.
We would like to thank everyone who submits valid reports that help us improve the security of Elementor Website Builder. However, only those that meet the following eligibility requirements may receive a monetary reward for vulnerabilities found in the Elementor Website Builder source code.
You must be the first reporter of a vulnerability
It must be a real and measurable vulnerability (CVSS 3.1 base score not lower than 2.6 points)
There must be impact on at least one of three CIA parameters (Confidentiality, Integrity, or Availability) via network attack vector
It doesn't require chaining with other vulnerabilities
Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through patchstack.com
Once reported, the vulnerability information should not be shared with other parties until disclosure
Reports are examined by our security analysts - our analysis is always based on worst case exploitation & the business criticality of the vulnerability, as is the reward we pay