CVE-2025-3075
Elementor <= 3.29.0 - Authenticated (Contributor+) Stored Cross-Site ScriptingThe Elementor Website Builder – More Than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'elementor-element' shortcode in all versions up to, and including, 3.29.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only impacts sites with 'Element Caching' enabled.
We have discovered 960,672 live websites that are affected by CVE-2025-3075.
Affected Software
| Product |  Elementor |
| Category | Landing Page Builders |
| Vulnerable Domains | 960,672 live websites (37% of Elementor install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 286 versions ( 89% of all versions) |
Common Weakness Enumeration
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')Details
- Published - Jul 29, 2025
- Updated - Jul 29, 2025
Credits
- Tonn (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2025-3075 United States | 222,901 websites |
 Germany | 98,987 websites |
 France | 54,909 websites |
 Italy | 45,420 websites |
 Brazil | 41,577 websites |
 GB | 36,196 websites |
 Spain | 31,998 websites |
 Poland | 29,822 websites |
 Russia | 27,971 websites |
 Netherlands | 25,455 websites |
Website Distribution by TLD
Number of websites using CVE-2025-3075| .com | 376,518 websites |
| .de | 53,688 websites |
| .com.br | 38,899 websites |
| .org | 35,563 websites |
| .it | 32,817 websites |
| .fr | 22,950 websites |
| .nl | 22,892 websites |
| .pl | 22,729 websites |
| .ru | 21,997 websites |
| .net | 20,787 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2025-3075
Top websites that are affected by CVE-2025-3075. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| **************.de | Germany | *** | |
| ************.com | United States | *,*** | |
| ****.net | United States | *,*** | |
| ***********.com | United States | *,*** | |
| ***.***.ca |  Canada | *,*** | |
| ********.com | United States | *,*** | |
| ******.com | United States | *,*** | |
| **********.com | United States | *,*** | |
| *****.com | United States | *,*** | |
| ******.com | United States | *,*** |
FAQ
CVE-2025-3075 is Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Elementor
A total of 960,672 websites have been identified as vulnerable to CVE-2025-3075, based on global website indexing conducted by WebTechSurvey.
The Elementor is affected by the CVE-2025-3075 vulnerability.
Elementor versions up to and including 3.29 are vulnerable to CVE-2025-3075.