ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor Security & Risk Analysis

wordpress.org/plugins/elementskit-lite

Join millions who empower their websites with ElementsKit Elementor Addons. Get templates, & 100+ widgets like header-footer, mega menu, custom widget

2.0M active installs · v3.8.2 · PHP 7.4+ · WP 6.0+ · Updated Mar 15, 2026
Tags: elementor-addon, elementor-addons, elementor-widgets, header-footer-builder, mega-menu-builder
Score: 89 (A · Safe)
CVEs total: 21
Unpatched: 0
Last CVE: Feb 24, 2026
Safety Verdict

Is ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor Safe to Use in 2026?

Generally Safe

Score 89/100

ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor has a strong security track record. Known vulnerabilities have been patched promptly.

21 known CVEs · Last CVE: Feb 24, 2026 · Updated 19d ago
Risk Assessment

The ElementsKit Lite plugin v3.8.2 presents a mixed security posture. On the positive side, the plugin demonstrates good practices in SQL query handling, exclusively using prepared statements, and a high percentage of output escaping (93%). It also implements a reasonable number of capability checks and nonce checks, indicating an awareness of common WordPress security mechanisms. However, the presence of unprotected entry points, specifically one AJAX handler and one REST API route, is a significant concern. These unprotected endpoints could be exploited by unauthenticated users to trigger unintended actions or access restricted functionality, potentially leading to various security issues depending on their implementation.

The plugin's vulnerability history is concerning, with a total of 21 known CVEs. While there are currently no unpatched vulnerabilities, the past prevalence of high and medium severity issues, including Cross-site Scripting (XSS), Improper Access Control, and PHP Remote File Inclusion, suggests a recurring pattern of weaknesses. The types of past vulnerabilities point to potential issues with input validation, authorization checks, and the secure handling of file operations. The recentness of the last vulnerability (February 2026) is notable and suggests a need for continued vigilance and prompt patching of any future discoveries.

In conclusion, while ElementsKit Lite has some strengths in code hygiene, the significant attack surface with unprotected endpoints and its extensive history of past vulnerabilities are substantial risks. The unprotected entry points represent immediate potential entry vectors, and the past vulnerability trends indicate a need for thorough auditing and rigorous security development practices to prevent future exploits. Users should remain cautious and ensure they are always on the latest patched version of the plugin.

Key Concerns

  • Unprotected AJAX handler found
  • Unprotected REST API route found
  • 21 total known CVEs
  • 2 high severity CVEs
  • 19 medium severity CVEs
  • Flows with unsanitized paths: 2
  • File operations present
  • External HTTP requests present
Vulnerabilities: 21

ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor Security Vulnerabilities

CVEs by Year

  • 2021: 1 CVE
  • 2023: 1 CVE
  • 2024: 13 CVEs
  • 2025: 5 CVEs
  • 2026: 1 CVE

Severity Breakdown

  • High: 2
  • Medium: 19

21 total CVEs

CVE-2026-23693 · medium · 5.3 · Missing Authorization

ElementsKit Elementor addons Lite < 3.7.9 - Missing Authorization

Feb 24, 2026 Patched in 3.7.9 (1d)
CVE-2025-3614 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ElementsKit Elementor Addons and Templates <= 3.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Widget

Jul 24, 2025 Patched in 3.5.3 (1d)
CVE-2025-4479 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ElementsKit Lite <= 3.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Image Comparison Widget

Jun 18, 2025 Patched in 3.5.3 (1d)
CVE-2024-11180 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ElementsKit Elementor addons <= 3.4.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

Mar 28, 2025 Patched in 3.4.8 (1d)
CVE-2025-0968 · medium · 5.3 · Improper Access Control

ElementsKit Elementor addons <= 3.4.0 - Unauthenticated Information Exposure via get_megamenu_content Function

Feb 18, 2025 Patched in 3.4.1 (1d)
CVE-2025-1005 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ElementsKit Elementor addons <= 3.4.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Image Accordion Widget

Feb 14, 2025 Patched in 3.4.1 (1d)
CVE-2024-10091 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ElementsKit Elementor addons <= 3.2.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Image Comparison Widget

Oct 25, 2024 Patched in 3.3.0 (1d)
CVE-2024-8546 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ElementsKit Elementor addons <= 3.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Video Widget

Sep 24, 2024 Patched in 3.2.8 (1d)
CVE-2024-6455 · medium · 5.3 · Exposure of Sensitive Information to an Unauthorized Actor

ElementsKit Elementor addons <= 3.2.0 - Unauthenticated Information Exposure via ekit_widgetarea_content Function

Jul 18, 2024 Patched in 3.2.1 (21d)
CVE-2024-37255 · medium · 5.3 · Missing Authorization

Elements kit Elementor addons <= 3.1.4 - Missing Authorization

Jun 27, 2024 Patched in 3.2.0 (6d)
CVE-2024-3650 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ElementsKit Elementor addons 3.0.7 - 3.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Image Accordion Widget

Apr 30, 2024 Patched in 3.1.3 (3d)
CVE-2024-3499 · high · 8.8 · Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

ElementsKit Elementor addons <= 3.1.0 - Authenticated (Contributor+) Local File Inclusion via Onepage Scroll Module

Apr 22, 2024 Patched in 3.1.1 (11d)
CVE-2024-2803 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ElementsKit Elementor addons <= 3.0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget

Apr 3, 2024 Patched in 3.1.0 (1d)
CVE-2024-2047 · high · 8.8 · Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

ElementsKit Elementor addons <= 3.0.6 - Authenticated (Contributor+) Local File Inclusion in render_raw

Mar 29, 2024 Patched in 3.0.7 (1d)
CVE-2024-1238 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ElementsKit Elementor addons <= 3.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

Mar 29, 2024 Patched in 3.0.7 (64d)
CVE-2024-1239 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ElementsKit Elementor addons <= 3.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

Mar 15, 2024 Patched in 3.0.5 (1d)
CVE-2024-2042 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ElementsKit Elementor addons <= 3.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Image Accordion Widget

Mar 15, 2024 Patched in 3.0.6 (1d)
CVE-2023-6525 · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ElementsKit Elementor addons <= 3.0.3 - Authenticated(Editor+) Stored Cross-Site Scripting

Mar 15, 2024 Patched in 3.0.4 (137d)
CVE-2023-6582 · medium · 5.3 · Improper Access Control

ElementsKit Lite <= 3.0.3 - Unauthenticated Sensitive Information Exposure

Jan 8, 2024 Patched in 3.0.4 (204d)
CVE-2023-39993 · medium · 5.4 · Missing Authorization

Elements kit Elementor addons <= 2.9.1 - Missing Authorization

Aug 23, 2023 Patched in 2.9.2 (153d)
CVE-2021-24258 · medium · 5.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Elements Kit Lite/Pro <= 2.1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

Apr 13, 2021 Patched in 2.2.0 (1015d)
Code Analysis
Analyzed Mar 16, 2026

ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 0 (0 prepared)
  • Unescaped Output: 93 (1334 escaped)
  • Nonce Checks: 4
  • Capability Checks: 11
  • File Operations: 1
  • External Requests: 5
  • Bundled Libraries: 2

Bundled Libraries

Select2, DataTables

Output Escaping

93% escaped · 1427 total outputs
Data Flows: 2 unsanitized

Data Flow Analysis

5 flows · 2 with unsanitized paths
get_layout_list (modules\layout-manager\layout-list-api.php:12)
Attack Surface: 2 unprotected

ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor Attack Surface

Entry Points: 4
Unprotected: 2

AJAX Handlers: 3

  • auth · wp_ajax_ekit_widgetarea_content · modules\controls\widget-area-utils.php:11
  • nopriv · wp_ajax_ekit_widgetarea_content · modules\controls\widget-area-utils.php:12
  • auth · wp_ajax_generate_navigation_markup · modules\onepage-scroll\extend-controls.php:29

REST API Routes: 1

  • GET · /wp-json/elementskit-lite/mailchimp/ · widgets\mail-chimp\classes\mail-chimp-rest.php:63

WordPress Hooks: 120

  • action · admin_enqueue_scripts · compatibility\conflicts\scripts.php:53
  • action · upgrader_process_complete · compatibility\data-migration\settings-db.php:16
  • action · update_option_elementor_disabled_elements · compatibility\element-manager\init.php:9
  • action · elementskit/widgets/status/update · compatibility\element-manager\init.php:10
  • action · upgrader_process_complete · compatibility\element-manager\init.php:11
  • filter · elementor/documents/get/post_id · compatibility\wpml\init.php:52
  • action · wp_print_scripts · core\build-inline-scripts.php:20
  • action · elementor/widgets/register · core\build-widgets.php:30
  • action · wp_enqueue_scripts · core\build-widgets.php:60
  • action · wp_enqueue_scripts · core\build-widgets.php:64
  • action · init · core\build-widgets.php:84
  • action · elementor/editor/before_enqueue_scripts · core\editor-promotion.php:12
  • action · rest_api_init · core\handler-api.php:19
  • action · plugins_loaded · elementskit-lite.php:282
  • action · admin_head · elementskit-lite.php:310
  • action · admin_head · elementskit-lite.php:316
  • action · elementor/elements/categories_registered · elementskit-lite.php:321
  • action · elementor/init · elementskit-lite.php:326
  • action · elementor/controls/register · modules\controls\init.php:22
  • action · elementor/controls/register · modules\controls\init.php:23
  • action · elementor/controls/register · modules\controls\init.php:24
  • action · elementor/frontend/after_enqueue_styles · modules\controls\init.php:27
  • action · elementor/frontend/after_enqueue_scripts · modules\controls\init.php:28
  • action · elementor/editor/after_enqueue_styles · modules\controls\widget-area-utils.php:9
  • action · wp_enqueue_scripts · modules\elementskit-icon-pack\icons.php:9
  • filter · elementor/icons_manager/additional_tabs · modules\elementskit-icon-pack\icons.php:11
  • action · admin_enqueue_scripts · modules\elementskit-icon-pack\init.php:16
  • action · elementor/frontend/before_enqueue_scripts · modules\elementskit-icon-pack\init.php:19
  • action · elementor/preview/enqueue_styles · modules\elementskit-icon-pack\init.php:22
  • filter · elementor/icons_manager/additional_tabs · modules\elementskit-icon-pack\init.php:23
  • filter · elementor/widget/render_content · modules\elementskit-icon-pack\init.php:24
  • action · wp · modules\header-footer\activator.php:19
  • action · admin_init · modules\header-footer\cpt-hooks.php:11
  • filter · manage_elementskit_template_posts_columns · modules\header-footer\cpt-hooks.php:12
  • action · manage_elementskit_template_posts_custom_column · modules\header-footer\cpt-hooks.php:13
  • filter · parse_query · modules\header-footer\cpt-hooks.php:14
  • action · admin_menu · modules\header-footer\cpt.php:11
  • filter · single_template · modules\header-footer\cpt.php:12
  • action · admin_enqueue_scripts · modules\header-footer\init.php:21
  • action · admin_enqueue_scripts · modules\header-footer\init.php:22
  • action · admin_footer · modules\header-footer\init.php:27
  • action · template_redirect · modules\header-footer\theme-hooks\astra.php:33
  • action · astra_header · modules\header-footer\theme-hooks\astra.php:34
  • action · template_redirect · modules\header-footer\theme-hooks\astra.php:38
  • action · astra_footer · modules\header-footer\theme-hooks\astra.php:39
  • filter · fl_header_enabled · modules\header-footer\theme-hooks\bbtheme.php:33
  • action · fl_before_header · modules\header-footer\theme-hooks\bbtheme.php:34
  • filter · fl_footer_enabled · modules\header-footer\theme-hooks\bbtheme.php:38
  • action · fl_after_content · modules\header-footer\theme-hooks\bbtheme.php:39
  • action · template_redirect · modules\header-footer\theme-hooks\generatepress.php:33
  • action · generate_header · modules\header-footer\theme-hooks\generatepress.php:34
  • action · template_redirect · modules\header-footer\theme-hooks\generatepress.php:38
  • action · generate_footer · modules\header-footer\theme-hooks\generatepress.php:39
  • action · template_redirect · modules\header-footer\theme-hooks\genesis.php:33
  • action · ocean_header · modules\header-footer\theme-hooks\genesis.php:34
  • action · genesis_header · modules\header-footer\theme-hooks\genesis.php:35
  • action · genesis_header · modules\header-footer\theme-hooks\genesis.php:36
  • action · template_redirect · modules\header-footer\theme-hooks\genesis.php:39
  • action · genesis_footer · modules\header-footer\theme-hooks\genesis.php:40
  • action · genesis_footer · modules\header-footer\theme-hooks\genesis.php:41
  • action · ocean_footer · modules\header-footer\theme-hooks\genesis.php:42
  • action · template_redirect · modules\header-footer\theme-hooks\neve.php:33
  • action · neve_do_header · modules\header-footer\theme-hooks\neve.php:34
  • action · template_redirect · modules\header-footer\theme-hooks\neve.php:38
  • action · neve_do_footer · modules\header-footer\theme-hooks\neve.php:39
  • action · template_redirect · modules\header-footer\theme-hooks\oceanwp.php:33
  • action · ocean_header · modules\header-footer\theme-hooks\oceanwp.php:34
  • action · template_redirect · modules\header-footer\theme-hooks\oceanwp.php:38
  • action · ocean_footer · modules\header-footer\theme-hooks\oceanwp.php:39
  • action · get_header · modules\header-footer\theme-hooks\theme-support.php:17
  • action · get_footer · modules\header-footer\theme-hooks\theme-support.php:20
  • action · get_header · modules\header-footer\theme-hooks\twenty-nineteen.php:17
  • action · get_footer · modules\header-footer\theme-hooks\twenty-nineteen.php:20
  • action · elementskit/template/after_header · modules\header-footer\theme-hooks\twenty-nineteen.php:25
  • action · elementskit/template/after_footer · modules\header-footer\theme-hooks\twenty-nineteen.php:51
  • action · elementor/editor/footer · modules\layout-manager\init.php:19
  • action · elementor/editor/before_enqueue_scripts · modules\layout-manager\init.php:22
  • action · elementor/editor/after_enqueue_styles · modules\layout-manager\init.php:25
  • action · elementor/preview/enqueue_styles · modules\layout-manager\init.php:28
  • action · elementor/ajax/register_actions · modules\layout-manager\layout-import-api.php:10
  • action · admin_enqueue_scripts · modules\megamenu\init.php:26
  • action · admin_enqueue_scripts · modules\megamenu\init.php:27
  • action · admin_footer · modules\megamenu\options.php:21
  • action · admin_footer · modules\megamenu\options.php:22
  • action · admin_head · modules\megamenu\options.php:23
  • action · elementor/element/wp-page/ekit_page_settings/before_section_end · modules\onepage-scroll\extend-controls-pro.php:12
  • action · elementor/element/section/ekit_onepagescroll_section/before_section_end · modules\onepage-scroll\extend-controls-pro.php:17
  • action · elementor/element/container/ekit_onepagescroll_section/before_section_end · modules\onepage-scroll\extend-controls-pro.php:22
  • action · elementor/documents/register_controls · modules\onepage-scroll\extend-controls.php:13
  • action · elementor/element/section/section_advanced/after_section_end · modules\onepage-scroll\extend-controls.php:18
  • action · elementor/element/container/section_layout/after_section_end · modules\onepage-scroll\extend-controls.php:23
  • action · wp_footer · modules\onepage-scroll\extend-controls.php:28
  • action · elementor/element/wp-page/ekit_page_settings/before_section_end · modules\onepage-scroll\extend-controls.php:35
  • action · elementor/element/section/ekit_onepagescroll_section/before_section_end · modules\onepage-scroll\extend-controls.php:36
  • action · elementor/frontend/after_enqueue_styles · modules\onepage-scroll\init.php:19
  • action · elementor/frontend/before_enqueue_scripts · modules\onepage-scroll\init.php:20
  • action · elementor/frontend/before_enqueue_scripts · modules\onepage-scroll\init.php:21
  • action · admin_menu · modules\widget-builder\cpt.php:11
  • action · admin_enqueue_scripts · modules\widget-builder\init.php:24
  • action · add_meta_boxes · modules\widget-builder\init.php:25
  • action · elementor/widgets/register · modules\widget-builder\init.php:27
  • action · elementor/editor/before_enqueue_scripts · modules\widget-builder\init.php:28
  • action · elementor/frontend/after_enqueue_styles · modules\widget-builder\init.php:29
  • action · admin_init · modules\widget-builder\init.php:31
  • action · init · modules\widget-builder\live-action.php:24
  • action · admin_enqueue_scripts · plugin.php:45
  • action · wp_head · plugin.php:62
  • action · elementor/widgets/register · plugin.php:65
  • action · elementor/editor/init · plugin.php:80
  • action · elementor/frontend/after_register_scripts · widgets\init\enqueue-scripts.php:10
  • action · elementor/frontend/after_enqueue_scripts · widgets\init\enqueue-scripts.php:11
  • action · elementor/frontend/after_register_styles · widgets\init\enqueue-scripts.php:13
  • action · wp_enqueue_scripts · widgets\init\enqueue-scripts.php:14
  • action · elementor/preview/enqueue_styles · widgets\init\enqueue-scripts.php:16
  • action · elementor/editor/after_enqueue_styles · widgets\init\enqueue-scripts.php:17
  • filter · upload_mimes · widgets\lottie\json-handler.php:23
  • filter · wp_handle_upload_prefilter · widgets\lottie\json-handler.php:24
  • filter · wp_check_filetype_and_ext · widgets\lottie\json-handler.php:25
  • action · rest_api_init · widgets\mail-chimp\classes\mail-chimp-rest.php:62
  • action · wp_head · widgets\post-list\post-list-handler.php:9

Maintenance & Trust

ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 7.0
  • Last updated: Mar 15, 2026
  • PHP min version: 7.4
  • Downloads: 46.2M

Community Trust

  • Rating: 98/100
  • Number of ratings: 1,990
  • Active installs: 2.0M
Developer Profile

ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor Developer Profile

Roxnor

15 plugins · 3.0M total installs

  • Trust score: 73
  • Avg Security Score: 91/100
  • Avg Patch Time: 118 days
Detection Fingerprints

How We Detect ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
