CVE-2025-13535 identifies a medium-severity vulnerability in the King Addons for Elementor plugin for WordPress. This vulnerability allows for multiple Contributor+ DOM-Based Stored Cross-Site Scripting vulnerabilities in all versions up to, and including, 51.1.38. The root cause is insufficient input sanitization and output escaping across multiple widgets and features. The plugin uses esc_attr() and esc_url() within JavaScript inline event handlers (onclick attributes), which allows HTML entities to be decoded by the DOM, enabling attackers to break out of the JavaScript context.
Additionally, several JavaScript files use unsafe DOM manipulation methods (template literals, .html(), and window.location.href with unvalidated URLs) with user-controlled data. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts via Elementor widget settings that execute when a user accesses the injected page or when an administrator previews the page in Elementor's editor. The vulnerability was partially patched in version 5.1.51.
With a CVSS score of 6.4, this vulnerability is categorized as medium severity. Organizations using this plugin should prioritize addressing it in their patch cycle to mitigate the associated risks.
Risk to organizations includes potential unauthorized script execution, leading to data exposure and integrity issues.
Vulnerability Details
The King Addons for Elementor plugin for WordPress is vulnerable to multiple Contributor+ DOM-Based Stored Cross-Site Scripting vulnerabilities. The vulnerabilities are due to insufficient input sanitization and output escaping across multiple widgets and features. The plugin uses esc_attr() and esc_url() within JavaScript inline event handlers, which allows HTML entities to be decoded by the DOM, enabling attackers to break out of the JavaScript context. Several JavaScript files also utilize unsafe DOM manipulation methods with user-controlled data, making it possible for authenticated attackers to inject arbitrary web scripts.
The CVSS score for this vulnerability is 6.4, indicating a medium severity level. The affected versions are all versions prior to 5.1.51, which included a partial patch. The vulnerability is categorized under CWE-79.
Technical Analysis
The root cause of this vulnerability stems from the insufficient input sanitization practices within the King Addons for Elementor plugin. The attack vector is network-based, with low attack complexity, as it requires only low privileges to exploit. User interaction is not required, and the vulnerability can lead to a change in scope, impacting confidentiality and integrity.
The plugin's use of JavaScript inline event handlers and unsafe DOM manipulation methods allows for the execution of scripts injected by authenticated users with Contributor-level access. This can lead to unauthorized data exposure and potential manipulation of user sessions.
Risk & Impact Analysis
The real-world deployment risk associated with this vulnerability is significant. Attackers with Contributor-level access can exploit this vulnerability to execute arbitrary scripts, potentially impacting user sessions and exposing sensitive data. Organizations should evaluate their use of the King Addons for Elementor plugin and prioritize remediation efforts to mitigate this vulnerability.
Exploitation Status
Signal | Status |
|---|---|
Known Exploit | No |
Public PoC | No |
Actively Exploited | No |
Ransomware Use | No |
Affected Versions
All versions of the King Addons for Elementor plugin prior to 5.1.51 are affected by this vulnerability. Organizations should ensure that they upgrade to at least this version to mitigate risks.
Mitigation & Remediation
Organizations should prioritize patching this vulnerability immediately. It is essential to update the King Addons for Elementor plugin to version 5.1.51 or later to address the identified vulnerabilities. In addition, organizations should conduct a thorough review of their input sanitization practices and ensure that user-controlled data is properly validated and sanitized.
For additional guidance, organizations may consider engaging in penetration testing to identify any similar weaknesses across their WordPress installations.
Detection Guidance
Organizations should monitor logs for indicators of exploitation, such as unexpected script execution or unusual changes in widget settings. Behavioral anomalies from authenticated users should also be investigated promptly. Implementing network signatures to detect known patterns of exploitation may assist in early detection.
AppSecure Threat Intelligence Insight
The long-term significance of this vulnerability highlights the ongoing risks associated with insufficient input validation in web applications. This incident underscores the need for rigorous security assessments, particularly for plugins with extensive user input capabilities. Organizations should remain vigilant and consider adopting a comprehensive penetration testing methodology to strengthen their defenses.
This vulnerability exemplifies the importance of securing third-party plugins as they can introduce significant risks if not properly managed. Security teams should focus on enhancing their vulnerability management program to promptly address such issues.
Finally, organizations should leverage the lessons learned from this incident to refine their security posture and enhance their application security strategies.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
.webp)