ElementInvader Addons for Elementor Security & Risk Analysis

wordpress.org/plugins/elementinvader-addons-for-elementor

Ready to use Elementor Addon Elements like Menu, Forms, Maps, Newsletter with many styling options

4K active installs · v1.4.3 · PHP 5.6+ · WP 5.2+ · Updated Jan 27, 2026
Tags: elementor, elementor-addon, elementor-addons, elementor-widget
Score: 92 · A · Safe
CVEs total: 15
Unpatched: 0
Last CVE: Mar 23, 2026
Safety Verdict

Is ElementInvader Addons for Elementor Safe to Use in 2026?

Generally Safe

Score 92/100

ElementInvader Addons for Elementor has a strong security track record. Known vulnerabilities have been patched promptly.

15 known CVEs · Last CVE: Mar 23, 2026 · Updated 2mo ago
Risk Assessment

The "elementinvader-addons-for-elementor" plugin v1.4.3 exhibits a mixed security posture. While the static analysis indicates a relatively small attack surface with no unprotected entry points (AJAX, REST API, shortcodes, cron) and a good rate of output escaping (87%), there are concerning indicators within the code signals and vulnerability history. The presence of SQL queries without prepared statements, external HTTP requests, and only two nonce checks suggests areas where vulnerabilities could be introduced if input is not handled rigorously. The taint analysis revealed two flows with unsanitized paths; even without critical or high severity, this is a significant concern that points to potential injection vulnerabilities.

The plugin's vulnerability history is a major red flag, with a total of 14 known CVEs. The fact that none are currently unpatched is positive, but the historical prevalence of medium and high severity vulnerabilities, including missing authorization, PHP remote file inclusion, authorization bypass, information exposure, and cross-site scripting, indicates a pattern of past security weaknesses. The types of past vulnerabilities strongly suggest that input validation and authorization checks have been insufficient in previous versions. The last recorded vulnerability in February 2026, while in the future, suggests a potential for ongoing research and disclosure related to this plugin.

In conclusion, while v1.4.3 appears to have addressed some immediate risks by implementing authentication checks on entry points and a high percentage of output escaping, the underlying code quality and historical vulnerability patterns warrant caution. The identified taint flows with unsanitized paths and the past security issues necessitate a thorough review and potentially further hardening of the code. Users should be aware of the plugin's history and ensure they are always using the latest available version, while developers should prioritize robust input sanitization and authorization.

Key Concerns

  • SQL queries without prepared statements
  • Taint flows with unsanitized paths
  • External HTTP requests
  • Bundled libraries (DataTables)
  • High historical CVE count
  • Historical high/medium severity vulnerabilities
Vulnerabilities
15

ElementInvader Addons for Elementor Security Vulnerabilities

CVEs by Year

6 CVEs in 2024
7 CVEs in 2025
2 CVEs in 2026

Severity Breakdown

High: 1
Medium: 14

15 total CVEs

CVE-2026-25007 · medium · 6.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
ElementInvader Addons for Elementor <= 1.4.2 - Authenticated (Subscriber+) SQL Injection
Mar 23, 2026 · Patched in 1.4.3 (4d)

CVE-2026-25028 · medium · 4.3 · Missing Authorization
ElementInvader Addons for Elementor <= 1.4.1 - Missing Authorization
Feb 5, 2026 · Patched in 1.4.2 (5d)

CVE-2025-10873 · medium · 5.8 · Missing Authorization
Elementinvader Addons for Elementor <= 1.4.0 - Unauthenticated Arbitrary Email Sending
Oct 15, 2025 · Patched in 1.4.1 (29d)

CVE-2025-58205 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
ElementInvader Addons for Elementor <= 1.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting
Aug 27, 2025 · Patched in 1.3.7 (8d)

CVE-2025-48288 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
ElementInvader Addons for Elementor <= 1.3.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
May 19, 2025 · Patched in 1.3.6 (10d)

CVE-2025-24729 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
ElementInvader Addons for Elementor <= 1.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Jan 24, 2025 · Patched in 1.3.4 (5d)

CVE-2025-24618 · medium · 4.3 · Missing Authorization
ElementInvader Addons for Elementor <= 1.3.1 - Missing Authorization
Jan 24, 2025 · Patched in 1.3.2 (5d)

CVE-2025-24578 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
ElementInvader Addons for Elementor <= 1.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Jan 24, 2025 · Patched in 1.3.1 (5d)

CVE-2025-22786 · high · 8.8 · Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
ElementInvader Addons for Elementor <= 1.2.6 - Authenticated (Contributor+) Local File Inclusion
Jan 13, 2025 · Patched in 1.2.7 (10d)

CVE-2024-12059 · medium · 4.3 · Authorization Bypass Through User-Controlled Key
ElementInvader Addons for Elementor <= 1.3.1 - Missing Authorization to Arbitrary Options Read
Dec 11, 2024 · Patched in 1.3.2 (1d)

CVE-2024-9889 · medium · 4.3 · Exposure of Sensitive Information to an Unauthorized Actor
ElementInvader Addons for Elementor <= 1.2.9 - Authenticated (Contributor+) Information Exposure
Oct 18, 2024 · Patched in 1.3.0 (1d)

CVE-2024-9888 · medium · 5.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
ElementInvader Addons for Elementor <= 1.2.8 - Authenticated (Contributor+) Stored Cross-Site Scripting
Oct 15, 2024 · Patched in 1.2.9 (1d)

CVE-2024-47630 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
ElementInvader Addons for Elementor <= 1.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting
Sep 30, 2024 · Patched in 1.2.8 (11d)

CVE-2024-38705 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
ElementInvader Addons for Elementor <= 1.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
Jul 11, 2024 · Patched in 1.2.5 (55d)

CVE-2024-2308 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
ElementInvader Addons for Elementor <= 1.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Mar 15, 2024 · Patched in 1.2.3 (1d)

Code Analysis
Analyzed Mar 16, 2026

ElementInvader Addons for Elementor Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 4 (1 prepared)
Unescaped Output: 65 (424 escaped)
Nonce Checks: 2
Capability Checks: 3
File Operations: 0
External Requests: 4
Bundled Libraries: 1

Bundled Libraries

DataTables

SQL Query Safety

20% prepared · 5 total queries

Output Escaping

87% escaped · 489 total outputs

Data Flows: 2 unsanitized

Data Flow Analysis

3 flows · 2 with unsanitized paths
valid_recaptcha_curl (modules\forms\ajax-handler.php:624)
Attack Surface

ElementInvader Addons for Elementor Attack Surface

Entry Points: 6
Unprotected: 0

AJAX Handlers 2

auth wp_ajax_elementinvader_addons_for_elementor_forms_send_form modules\forms\ajax-handler.php:601
nopriv wp_ajax_elementinvader_addons_for_elementor_forms_send_form modules\forms\ajax-handler.php:602

Shortcodes 4

[eli_option_value] shortcodes\shortcode-eli_option_value.php:16
[eli-newsletter] shortcodes\shortcode-newsletter.php:20
[eli-show_post] shortcodes\shortcode-post_content.php:11
[show_post_content] shortcodes\shortcode-post_content.php:73
WordPress Hooks 18
action init elementinvader-addons-for-elementor.php:38
action plugins_loaded elementinvader-addons-for-elementor.php:117
action elementor/elements/categories_registered elementinvader-addons-for-elementor.php:132
action wp_enqueue_scripts elementinvader-addons-for-elementor.php:167
action plugins_loaded elementinvader-addons-for-elementor.php:175
action admin_notices elementinvader-addons-for-elementor.php:215
action admin_init elementinvader-addons-for-elementor.php:224
action customize_register elementinvader-addons-for-elementor.php:250
action admin_menu modules\mail_base\mail_base.php:2
filter admin_action_eli_export_email_base modules\mail_base\mail_base.php:81
filter admin_action_eli_mails_bulk_remove modules\mail_base\mail_base.php:121
action admin_head pages\mail_base\index.php:19
action elementor/widgets/register plugin.php:37
action elementor/frontend/after_register_scripts plugin.php:39
action elementor/init plugin.php:142
filter nav_menu_link_attributes widgets\menu.php:1629
filter nav_menu_submenu_css_class widgets\menu.php:1630
filter nav_menu_item_id widgets\menu.php:1631
Maintenance & Trust

ElementInvader Addons for Elementor Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Jan 27, 2026
PHP min version: 5.6
Downloads: 107K

Community Trust

Rating: 100/100
Number of ratings: 1
Active installs: 4K
Developer Profile

ElementInvader Addons for Elementor Developer Profile

Element Invader

6 plugins · 8K total installs
Trust score: 87
Avg Security Score: 90/100
Avg Patch Time: 10 days
Detection Fingerprints

How We Detect ElementInvader Addons for Elementor

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/elementinvader-addons-for-elementor/assets/css/main.css
/wp-content/plugins/elementinvader-addons-for-elementor/assets/css/widgets.css
/wp-content/plugins/elementinvader-addons-for-elementor/assets/css/eli-hover.css
/wp-content/plugins/elementinvader-addons-for-elementor/assets/libs/wdkscrollmobileswipe/wdk-scroll-mobile-swipe.css
/wp-content/plugins/elementinvader-addons-for-elementor/assets/libs/wdkscrollmobileswipe/wdk-scroll-mobile-swipe.js
Script Paths
/wp-content/plugins/elementinvader-addons-for-elementor/assets/libs/wdkscrollmobileswipe/wdk-scroll-mobile-swipe.js
Version Parameters
/wp-content/plugins/elementinvader-addons-for-elementor/assets/css/widgets.css?ver=1.1

HTML / DOM Fingerprints

CSS Classes
elementinvader
FAQ

Frequently Asked Questions about ElementInvader Addons for Elementor