CVE-2025-13535

EUVD-2025-209162 | MEDIUM
2026-04-01 | Wordfence | GHSA-96wm-hfgm-fcxx
CVSS 3.1 base score: 6.4

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 15:00 (vuln.today)
EUVD ID Assigned: Apr 01, 2026 15:00 (euvd), EUVD-2025-209162
CVE Published: Apr 01, 2026 14:37 (nvd), MEDIUM 6.4

Description

The King Addons for Elementor plugin for WordPress is vulnerable to multiple Contributor+ DOM-Based Stored Cross-Site Scripting vulnerabilities in all versions up to, and including, 51.1.38. This is due to insufficient input sanitization and output escaping across multiple widgets and features. The plugin uses esc_attr() and esc_url() within JavaScript inline event handlers (onclick attributes), which allows HTML entities to be decoded by the DOM, enabling attackers to break out of the JavaScript context. Additionally, several JavaScript files use unsafe DOM manipulation methods (template literals, .html(), and window.location.href with unvalidated URLs) with user-controlled data. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts via Elementor widget settings that execute when a user accesses the injected page or when an administrator previews the page in Elementor's editor. The vulnerability was partially patched in version 5.1.51.

Analysis

King Addons for Elementor plugin versions up to 51.1.38 contain multiple DOM-Based Stored Cross-Site Scripting vulnerabilities exploitable by authenticated Contributor+ users. The plugin escapes user input with the wrong encoder inside JavaScript inline event handlers and uses unsafe DOM manipulation methods on widget settings, allowing attackers with Contributor-level access to inject arbitrary JavaScript that executes when pages are accessed or previewed in the Elementor editor. A partial patch was released in version 5.1.51; since that fixed version number is lower than the highest affected version (51.1.38), the record is inconsistent and the remediation may not cover all vulnerable code paths.

Technical Context

The vulnerability is an instance of CWE-79 (Cross-site Scripting) in a WordPress plugin whose Elementor widget settings lack defense-in-depth output encoding. The root cause involves two distinct technical failures: (1) misuse of the WordPress escaping functions esc_attr() and esc_url() within JavaScript onclick attributes, where the HTML parser decodes the entities before the value reaches the JavaScript engine, so quote characters are re-interpreted as JavaScript context-breakers; and (2) unsafe DOM manipulation in JavaScript files using template literals, .html() method calls, and window.location.href assignments that directly consume unvalidated user-controlled data from widget configuration. The Elementor widget framework stores user input in post metadata without proper sanitization, and the rendering layer fails to apply context-aware escaping (an event handler requires JavaScript-context escaping, not HTML entity encoding). Affected JavaScript files, including lightgallery.js, Countdown/script.js, and Image_Accordion/script.js, demonstrate the unsafe DOM patterns, while multiple widgets (Video_Popup, Off_Canvas_Content, Popup, Pricing_Calculator, and the Wrapper_Link feature) embed vulnerable inline event handlers in generated HTML.
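As an added illustration (not code from King Addons or the advisory), this Node.js snippet models the two failures named above: esc_attr()-style entity escaping is undone by the browser's attribute parser before an inline handler reaches the JavaScript engine, and a window.location.href sink needs URL validation rather than escaping. All function names and sample values are constructed for the example.

```javascript
// Added example, not code from King Addons or the advisory. Models why esc_attr()-style
// HTML-entity escaping does not protect an inline onclick handler, and shows two hardened
// patterns. All function names and sample values here are constructed for illustration.

// Mimics WordPress esc_attr(): entity-encodes the five HTML-significant characters.
function escAttr(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#039;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Mimics the browser's HTML parser: an attribute value is entity-DECODED before the
// JavaScript engine receives it as the handler's source text.
function decodeAttrValue(s) {
  const map = { amp: "&", lt: "<", gt: ">", quot: '"' };
  return s.replace(/&(amp|lt|gt|quot|#0*39);/g, (_, e) => map[e] ?? "'");
}

// The pattern the advisory describes: user data placed inside a JS string literal in an
// onclick attribute, protected only by esc_attr(). Returns what the JS engine actually sees.
function jsSourceSeenByEngine(userValue) {
  const onclick = `openPopup('${escAttr(userValue)}')`; // what the PHP template emits
  return decodeAttrValue(onclick);                       // the entities are gone again
}

// Hardened pattern 1: keep user data out of JS context entirely. Emit it as a data-*
// attribute (HTML attribute context, where esc_attr() IS the correct encoder) and have a
// script registered with addEventListener read it via el.dataset.target. The value is
// only ever data, never parsed as code.
function renderHardenedMarkup(userValue) {
  return `<button class="popup-trigger" data-target="${escAttr(userValue)}">Open</button>`;
}

// Hardened pattern 2: validate a user-supplied URL before it reaches window.location.href.
// Accept only http(s) URLs whose origin is on an allowlist (by default the page's own origin).
function isAllowedRedirect(raw, pageOrigin, allowedOrigins = [pageOrigin]) {
  let u;
  try {
    u = new URL(raw, pageOrigin); // resolves relative URLs against the page
  } catch {
    return false;                 // unparseable input is rejected, not passed through
  }
  const httpLike = u.protocol === "https:" || u.protocol === "http:";
  return httpLike && allowedOrigins.includes(u.origin);
}
```

The first function shows the core lesson: a single quote in the constructed value survives escaping and decoding unchanged, so the string literal in the handler is no longer intact; the two hardened functions never let the value be interpreted as script in the first place.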

Affected Products

King Addons for Elementor plugin (CPE: cpe:2.3:a:kingaddons:king_addons_for_elementor_-_80+_elementor_widgets,_4_000+_elementor_templates,_woocommerce,_mega_menu,_popup_builder:*:*:*:*:*:*:*:*) is vulnerable in all versions up to and including 51.1.38. The plugin provides 80+ Elementor widgets, 4,000+ templates, WooCommerce integration, a mega menu, and a popup builder across all affected versions. A partial patch was released in version 5.1.51 per the description, though the version number discrepancy (51.1.38 → 5.1.51) suggests either a labeling anomaly or incomplete coverage of all vulnerable code paths. WordPress site owners running King Addons on any version ≤51.1.38 are affected.

Remediation

Update King Addons for Elementor to version 5.1.51 or later to apply the partial patch released in that version. Because the description states the patch was only partial, check the WordPress.org plugin repository and the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/95d3e76c-612d-436c-9d32-6228d7dcbf35?source=cve) for confirmation of complete remediation or later patch releases. As an immediate mitigation, grant Contributor-level accounts only to trusted users, and audit existing Elementor pages and widget settings for injected content through the WordPress admin interface. Consider Web Application Firewall rules that detect and block script injection patterns in POST requests to Elementor widget endpoints (wp-json/elementor/v1/posts/*). Monitor administrator audit logs for unauthorized widget configuration changes, particularly in the Video_Popup, Off_Canvas_Content, Popup, Pricing_Calculator, and Wrapper_Link widgets, which the referenced code paths explicitly list as vulnerable.

Priority Score

32 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.1
CVSS: +32
POC: 0
