Elementor Website Builder – more than just a page builder

elementor · by elemntor · wordpress.org ↗ · SVN ↗

Active installs: 10M+
Current version: 4.0.6
Added: 2016-05-30
Last updated: 2026-05-04 (18d ago)
First seen by beacon: 1mo ago
Total downloads: 826,672,167

Alerts (0)

No open alerts.

Show 2 resolved alerts

Medium code_scan_match Resolved · fp:overgeneric_ioc 2026-05-02 22:46:46 (19d ago)

Slug elementor

Finding count 11

Findings

Pattern	Kind	File	Line	Snippet	Confidence
`base64_decode`	`builtin`	`core/dynamic-tags/manager.php`	467	`$tag_name = base64_decode( $tag_key_parts[0] );`	`medium`
`base64_decode`	`builtin`	`core/dynamic-tags/manager.php`	469	$tag_settings = json_decode( urldecode( base64_decode( $tag_key_parts[1] ) ), true );	`medium`
`base64_decode`	`builtin`	`core/common/modules/connect/apps/library.php`	119	`$payload_json = base64_decode( strtr( $payload_encoded, '-_', '+/' ), true );`	`medium`
`base64_decode`	`builtin`	`core/files/uploads-manager.php`	604	`$file_content = base64_decode( $file['fileData'] ); // phpcs:ignore`	`medium`
`base64_decode`	`builtin`	`includes/template-library/manager.php`	924	$raw_binary = base64_decode( substr( $data['screenshot'], strlen( 'data:image/png;base64,' ) ) );	`medium`
`base64_decode`	`builtin`	`includes/utils.php`	967	`return base64_decode( $encoded_string, true ) ?? $fallback;`	`medium`
`base64_decode`	`builtin`	`modules/element-cache/module.php`	60	`$widget_data = json_decode( base64_decode( $atts['data'] ), true );`	`medium`
`base64_decode`	`builtin`	`modules/cloud-kit-library/module.php`	80	$raw_screen_shot = base64_decode( substr( $settings['screenShotBlob'], strlen( 'data:image/png;base64,' ) ) );	`medium`
`base64_decode`	`builtin`	`modules/ai/connect/ai.php`	622	`$img_content = base64_decode( $img_content );`	`medium`
`eval_call`	`builtin`	`vendor_prefixed/twig/twig/twig/src/Environment.php`	350	`eval('?>' . $content);`	`medium`
`Upgrade`	`ioc:changelog_phrase`	`readme.txt`	243	> “I upgraded to the Pro version and just love this plugin!” – ★★★★★ [Andybarn56](https://wordpress.org/support/topic/love-elementor-17/)	`low`

Triage note 2026 05 03 elementor: base64_decode in legitimate uses (data URL parsing, dynamic-tag manager, screenshot upload) + eval in vendored Twig template engine.

View raw JSON

{
    "slug": "elementor",
    "finding_count": 11,
    "findings": [
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "core/dynamic-tags/manager.php",
            "line": 467,
            "snippet": "$tag_name = base64_decode( $tag_key_parts[0] );",
            "confidence": "medium"
        },
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "core/dynamic-tags/manager.php",
            "line": 469,
            "snippet": "$tag_settings = json_decode( urldecode( base64_decode( $tag_key_parts[1] ) ), true );",
            "confidence": "medium"
        },
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "core/common/modules/connect/apps/library.php",
            "line": 119,
            "snippet": "$payload_json = base64_decode( strtr( $payload_encoded, '-_', '+/' ), true );",
            "confidence": "medium"
        },
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "core/files/uploads-manager.php",
            "line": 604,
            "snippet": "$file_content = base64_decode( $file['fileData'] ); // phpcs:ignore",
            "confidence": "medium"
        },
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "includes/template-library/manager.php",
            "line": 924,
            "snippet": "$raw_binary = base64_decode( substr( $data['screenshot'], strlen( 'data:image/png;base64,' ) ) );",
            "confidence": "medium"
        },
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "includes/utils.php",
            "line": 967,
            "snippet": "return base64_decode( $encoded_string, true ) ?? $fallback;",
            "confidence": "medium"
        },
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "modules/element-cache/module.php",
            "line": 60,
            "snippet": "$widget_data = json_decode( base64_decode( $atts['data'] ), true );",
            "confidence": "medium"
        },
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "modules/cloud-kit-library/module.php",
            "line": 80,
            "snippet": "$raw_screen_shot = base64_decode( substr( $settings['screenShotBlob'], strlen( 'data:image/png;base64,' ) ) );",
            "confidence": "medium"
        },
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "modules/ai/connect/ai.php",
            "line": 622,
            "snippet": "$img_content = base64_decode( $img_content );",
            "confidence": "medium"
        },
        {
            "pattern": "eval_call",
            "kind": "builtin",
            "file": "vendor_prefixed/twig/twig/twig/src/Environment.php",
            "line": 350,
            "snippet": "eval('?>' . $content);",
            "confidence": "medium"
        },
        {
            "pattern": "Upgrade",
            "kind": "ioc:changelog_phrase",
            "file": "readme.txt",
            "line": 243,
            "snippet": "> \u201cI upgraded to the Pro version and just love this plugin!\u201d \u2013 \u2605\u2605\u2605\u2605\u2605 *[Andybarn56](https://wordpress.org/support/topic/love-elementor-17/)*",
            "confidence": "low"
        }
    ],
    "triage_note_2026_05_03": "elementor: base64_decode in legitimate uses (data URL parsing, dynamic-tag manager, screenshot upload) + eval in vendored Twig template engine."
}

High compromised_committer_burst Resolved · benign_release_burst 2026-04-27 03:34:29 (25d ago)

Slug	elementor
Author slug	kingyes
Burst start	2026-04-13 15:21:03
Burst end	2026-04-13 15:48:38
Burst commits	6
Burst window minutes	90
Tenure days	343
Distinct messages	6
Avg message length	16
Top message	`Upload v4.0.0-beta5`
Top message count	1
Prt revert	—
Explanation	Established author committed 6 revisions inside a 90-minute window with low-entropy commit messages. Pattern matches the June 2024 wp.org credential-stuffing wave shape; bumped to critical when followed by a wp.org Plugin Review Team revert within 7 days.

View raw JSON

{
    "slug": "elementor",
    "author_slug": "kingyes",
    "burst_start": "2026-04-13 15:21:03",
    "burst_end": "2026-04-13 15:48:38",
    "burst_commits": 6,
    "burst_window_minutes": 90,
    "tenure_days": 343,
    "distinct_messages": 6,
    "avg_message_length": 16.2,
    "top_message": "Upload v4.0.0-beta5",
    "top_message_count": 1,
    "prt_revert": null,
    "explanation": "Established author committed 6 revisions inside a 90-minute window with low-entropy commit messages. Pattern matches the June 2024 wp.org credential-stuffing wave shape; bumped to critical when followed by a wp.org Plugin Review Team revert within 7 days."
}

SVN committers (3)

Accounts with actual commit access to elementor on plugins.svn.wordpress.org, reconstructed from svn log. This is the list that matters for ownership changes — not the readme contributors.

Committer	Member since	Commits	First commit	Latest commit
bluefuton	2019-01-09	9	2026-04-09 · r3502102	2026-04-21 · r3511356
Yakir Sitbon	2011-02-17	2	2024-01-24 · r3026235	2026-05-04 · r3522246
Christopher Finke	2007-06-19	1	2026-04-09 · r3502846	2026-04-09 · r3502846

Readme contributors (1)

Names the plugin's readme declares as contributors. A soft signal — anyone can be listed. The SVN access column is the ground-truth cross-reference: does this contributor actually commit code?

Contributor	Member since	SVN access	Status
Elementor	2018-05-10	—	Active

Versions (100 most recent)

Version	Released	Download
4.0.6	2026-05-04 · 18d ago	—
4.0.5	2026-04-30 · 22d ago	—
4.0.4	2026-04-28 · 24d ago	—
4.0.3	2026-04-20 · 1mo ago	zip
4.0.2	2026-04-13 · 1mo ago	zip
4.0.0-dev5	2026-04-13 · 1mo ago	zip
4.0.0-beta5	2026-04-13 · 1mo ago	zip
4.0.1	2026-04-01 · 1mo ago	zip
4.0.0	2026-03-30 · 1mo ago	zip
3.35.9	2026-03-25 · 1mo ago	zip
4.0.0-dev4	2026-03-25 · 1mo ago	zip
4.0.0-beta4	2026-03-25 · 1mo ago	zip
4.0.0-dev3	2026-03-25 · 1mo ago	zip
4.0.0-beta3	2026-03-25 · 1mo ago	zip
3.35.8	2026-03-23 · 2mo ago	zip
4.0.0-dev2	2026-03-23 · 2mo ago	zip
4.0.0-beta2	2026-03-23 · 2mo ago	zip
4.0.0-dev1	2026-03-16 · 2mo ago	zip
4.0.0-beta1	2026-03-16 · 2mo ago	zip
3.35.7	2026-03-11 · 2mo ago	zip
3.35.6	2026-03-03 · 2mo ago	zip
3.35.5	2026-02-17 · 3mo ago	zip
3.35.4	2026-02-11 · 3mo ago	zip
3.35.3	2026-02-05 · 3mo ago	zip
3.35.2	2026-02-05 · 3mo ago	zip
3.35.1	2026-02-04 · 3mo ago	zip
3.35.0	2026-02-02 · 3mo ago	zip
3.34.4	2026-01-29 · 3mo ago	zip
3.35.0-dev4	2026-01-29 · 3mo ago	zip
3.35.0-beta4	2026-01-29 · 3mo ago	zip
3.35.0-dev3	2026-01-28 · 3mo ago	zip
3.35.0-beta3	2026-01-28 · 3mo ago	zip
3.34.3	2026-01-26 · 3mo ago	zip
3.35.0-dev2	2026-01-26 · 3mo ago	zip
3.35.0-beta2	2026-01-26 · 3mo ago	zip
3.35.0-dev1	2026-01-21 · 4mo ago	zip
3.35.0-beta1	2026-01-21 · 4mo ago	zip
3.34.2	2026-01-20 · 4mo ago	zip
3.34.1	2026-01-07 · 4mo ago	zip
3.34.0	2025-12-22 · 5mo ago	zip
3.33.6	2025-12-18 · 5mo ago	zip
3.34.0-beta3	2025-12-18 · 5mo ago	zip
3.33.5	2025-12-18 · 5mo ago	zip
3.34.0-dev2	2025-12-15 · 5mo ago	zip
3.34.0-beta2	2025-12-15 · 5mo ago	zip
3.33.4	2025-12-08 · 5mo ago	zip
3.34.0-dev1	2025-12-08 · 5mo ago	zip
3.34.0-beta1	2025-12-08 · 5mo ago	zip
3.33.3	2025-12-04 · 5mo ago	zip
3.33.2	2025-11-23 · 6mo ago	zip
3.33.1	2025-11-17 · 6mo ago	zip
5.6	2025-11-12 · 6mo ago	—
3.33.0	2025-11-10 · 6mo ago	zip
3.33.0-dev4	2025-10-29 · 6mo ago	zip
3.33.0-beta4	2025-10-29 · 6mo ago	zip
3.33.0-dev3	2025-10-27 · 6mo ago	zip
3.33.0-beta3	2025-10-27 · 6mo ago	zip
3.32.5	2025-10-21 · 7mo ago	zip
3.33.0-dev2	2025-10-21 · 7mo ago	zip
3.33.0-beta2	2025-10-21 · 7mo ago	zip
3.33.0-dev1	2025-10-21 · 7mo ago	zip
3.33.0-beta1	2025-10-21 · 7mo ago	zip
3.32.4	2025-10-05 · 7mo ago	zip
3.32.3	2025-09-29 · 7mo ago	zip
3.32.2	2025-09-18 · 8mo ago	zip
3.32.1	2025-09-16 · 8mo ago	zip
3.32.0	2025-09-15 · 8mo ago	zip
3.31.5	2025-09-09 · 8mo ago	zip
3.31.4	2025-09-08 · 8mo ago	zip
3.32.0-dev3	2025-09-08 · 8mo ago	zip
3.32.0-beta3	2025-09-08 · 8mo ago	zip
3.32.0-dev2	2025-09-03 · 8mo ago	zip
3.32.0-beta2	2025-09-03 · 8mo ago	zip
3.32.0-dev1	2025-09-03 · 8mo ago	zip
3.32.0-beta1	2025-09-03 · 8mo ago	zip
3.31.3	2025-08-27 · 8mo ago	zip
3.31.2	2025-08-11 · 9mo ago	zip
3.31.1	2025-08-06 · 9mo ago	zip
3.31.0	2025-08-05 · 9mo ago	zip
3.30.4	2025-07-30 · 9mo ago	zip
3.31.0-dev2	2025-07-30 · 9mo ago	zip
3.31.0-beta2	2025-07-30 · 9mo ago	zip
3.30.3	2025-07-22 · 10mo ago	zip
3.31.0-dev1	2025-07-22 · 10mo ago	zip
3.31.0-beta1	2025-07-22 · 10mo ago	zip
5.5	2025-07-15 · 10mo ago	—
3.30.2	2025-07-09 · 10mo ago	zip
3.30.1	2025-07-07 · 10mo ago	zip
3.30.0	2025-07-01 · 10mo ago	zip
3.30.0-dev3	2025-06-26 · 11mo ago	zip
3.30.0-beta3	2025-06-26 · 11mo ago	zip
3.30.0-dev2	2025-06-11 · 11mo ago	zip
3.30.0-beta2	2025-06-11 · 11mo ago	zip
3.30.0-dev1	2025-06-10 · 11mo ago	zip
3.30.0-beta1	2025-06-10 · 11mo ago	zip
3.29.2	2025-06-04 · 11mo ago	zip
3.29.1	2025-05-28 · 11mo ago	zip
3.29.0	2025-05-19 · 1y ago	zip
3.29.0-dev4	2025-05-15 · 1y ago	zip
3.29.0-beta4	2025-05-15 · 1y ago	zip