Severity by source
CVSS vector (NVD): CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Primary rating from NVD; the only rating source for this CVE.
Description (source: CVE.org)
The King Addons for Elementor plugin for WordPress is vulnerable to multiple Contributor+ DOM-Based Stored Cross-Site Scripting vulnerabilities in all versions up to, and including, 51.1.38. This is due to insufficient input sanitization and output escaping across multiple widgets and features. The plugin uses esc_attr() and esc_url() within JavaScript inline event handlers (onclick attributes), which allows HTML entities to be decoded by the DOM, enabling attackers to break out of the JavaScript context. Additionally, several JavaScript files use unsafe DOM manipulation methods (template literals, .html(), and window.location.href with unvalidated URLs) with user-controlled data. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts via Elementor widget settings that execute when a user accesses the injected page or when an administrator previews the page in Elementor's editor. The vulnerability was partially patched in version 5.1.51.
Analysis (AI-generated)
King Addons for Elementor versions up to and including 51.1.38 contain multiple DOM-based stored cross-site scripting vulnerabilities exploitable by authenticated users with Contributor-level access or higher. The plugin escapes user input incorrectly inside inline JavaScript event handlers and passes widget settings to unsafe DOM manipulation methods, so an attacker with Contributor access can store JavaScript that executes when a visitor loads the page or when an administrator previews it in the Elementor editor. A partial patch was released in version 5.1.51; the discrepancy between the stated affected-version ceiling (51.1.38) and the patch version (5.1.51) suggests that not all vulnerable code paths were remediated.
Technical Context (AI-generated)
The vulnerability is an instance of CWE-79 (Cross-site Scripting) in a WordPress plugin whose Elementor widget rendering lacks defense-in-depth output encoding. Two distinct technical failures are involved: (1) misuse of the WordPress escaping functions esc_attr() and esc_url() inside JavaScript onclick attributes; the HTML parser decodes the entities these functions produce before the attribute value is compiled as JavaScript, so characters such as quotes reappear in the handler source and can terminate the intended string or expression; and (2) unsafe DOM manipulation in JavaScript files that pass unvalidated, user-controlled widget settings into template literals, .html() calls, and window.location.href assignments. The Elementor widget framework stores this input in post metadata without sanitization, and the rendering layer does not apply context-aware escaping (an inline event handler needs JavaScript-string escaping, not HTML entity encoding). Affected JavaScript files include lightgallery.js, Countdown/script.js, and Image_Accordion/script.js, while the Video_Popup, Off_Canvas_Content, Popup, and Pricing_Calculator widgets and the Wrapper_Link feature emit the vulnerable inline event handlers in generated HTML.
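The two failure modes above can be reproduced without a browser. The following is an added example, not code from the King Addons plugin or from the advisory: it mimics what esc_attr() does to a value, simulates the HTML parser's entity decoding of an attribute value, and compares an onclick handler built with attribute escaping alone against one that JavaScript-string-encodes the value first. The handler name openPopup, the allow-list in encodeJsString, and the sample widget title are assumptions made for the demonstration. A second function shows the minimal check a script should apply before assigning user-controlled data to window.location.href.

```javascript
// Added example (not the plugin's code). Runs under Node; no DOM needed.

// Mimics WordPress esc_attr(): HTML entity encoding of the five special chars.
function escAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#039;");
}

// Simulates the HTML parser: entities in an attribute value are decoded back
// to characters BEFORE the browser compiles the onclick value as JavaScript.
function decodeAttr(s) {
  return String(s)
    .replace(/&quot;/g, '"')
    .replace(/&#0*39;/g, "'")
    .replace(/&#x27;/gi, "'")
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&amp;/g, "&");
}

// Context-aware encoding for a JavaScript string literal: every character
// outside a conservative allow-list (an assumption for this example) becomes
// a \xHH or \u{...} escape. The output contains no quote, backslash or
// ampersand, so HTML entity decoding cannot change it.
function encodeJsString(s) {
  let out = "";
  for (const ch of String(s)) {
    const cp = ch.codePointAt(0);
    if (/[A-Za-z0-9 ,._-]/.test(ch)) out += ch;
    else if (cp < 0x100) out += "\\x" + cp.toString(16).padStart(2, "0");
    else out += "\\u{" + cp.toString(16) + "}";
  }
  return out;
}

// Vulnerable pattern: the widget setting goes straight into the handler and
// only esc_attr() is applied to the whole attribute value.
function onclickValueNaive(userValue) {
  return escAttr('openPopup("' + userValue + '")');
}

// Hardened pattern: JS-string-encode for the inner context first, then
// attribute-encode for the outer context.
function onclickValueHardened(userValue) {
  return escAttr('openPopup("' + encodeJsString(userValue) + '")');
}

// Decodes the attribute the way the parser would and counts double quotes in
// the resulting JavaScript. The template itself contributes exactly two; any
// more means the user value was able to leave its string literal.
function jsAfterDomDecode(attrValue) {
  const js = decodeAttr(attrValue);
  const quotes = (js.match(/"/g) || []).length;
  return { js, quotes };
}

// For the window.location.href case: resolve the candidate against the page
// origin and accept only http(s). javascript:, data: and similar schemes
// return null so the caller leaves the location unchanged.
function safeRedirectTarget(candidate, currentOrigin) {
  let url;
  try {
    url = new URL(String(candidate), currentOrigin);
  } catch (e) {
    return null;
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  return url.href;
}

// Constructed sample widget title containing quotes.
const sampleTitle = 'my "gallery" title';
console.log("naive:   ", jsAfterDomDecode(onclickValueNaive(sampleTitle)));
console.log("hardened:", jsAfterDomDecode(onclickValueHardened(sampleTitle)));
console.log(safeRedirectTarget("/wp-admin/", "https://example.com"));
console.log(safeRedirectTarget("javascript:void(0)", "https://example.com"));
```

Running the block shows the naive handler decoding to `openPopup("my "gallery" title")`, where the user's quotes are indistinguishable from the template's, while the hardened handler decodes to `openPopup("my \x22gallery\x22 title")` and the string literal stays intact. The cleaner fix is to emit no inline handler at all: put the value in a data-* attribute (where esc_attr() is the correct encoder) and attach the listener from an enqueued script, which also removes the need for .html() on user data.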
Remediation (AI-generated)
Update King Addons for Elementor to version 5.1.51 or later, the release that contains the partial patch. Because the description states that the patch is only partial, check the WordPress.org plugin repository and the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/95d3e76c-612d-436c-9d32-6228d7dcbf35?source=cve) for confirmation of complete remediation or later patch releases. As an immediate mitigation, grant Contributor-level access only to trusted users, and audit existing Elementor pages and widget settings for injected content through the WordPress admin interface. Consider Web Application Firewall rules that detect and block script-injection patterns in POST requests to Elementor widget endpoints (wp-json/elementor/v1/posts/*). Monitor administrator audit logs for unauthorized widget configuration changes, particularly in the Video_Popup, Off_Canvas_Content, Popup, Pricing_Calculator, and Wrapper_Link widgets, which are explicitly listed as vulnerable code paths.
External references
EUVD-2025-209162
GHSA-96wm-hfgm-fcxx