EUVD-2025-208931 | CVE-2025-13997
Severity: MEDIUM, CVSS 3.1 base score 5.3
Published: 2026-03-23
Sources: Wordfence, GHSA-gpcr-p7x3-w57f

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Lifecycle Timeline

Mar 23, 2026 - 06:41  CVE Published (nvd)
Mar 23, 2026 - 06:45  EUVD ID Assigned (euvd): EUVD-2025-208931
Mar 23, 2026 - 06:45  Analysis Generated (vuln.today)

Description

The King Addons for Elementor - 4,000+ ready Elementor sections, 650+ templates, 70+ FREE widgets for Elementor plugin for WordPress is vulnerable to unauthenticated API key disclosure in all versions up to, and including, 51.1.49 due to the plugin adding the API keys to the HTML source code via the render_full_form function. This makes it possible for unauthenticated attackers to extract a site's Mailchimp, Facebook and Google API keys and secrets. This vulnerability requires the Premium license to be installed.

Analysis

King Addons for Elementor contains an information disclosure vulnerability: the render_full_form function writes the plugin's configured API keys and secrets into the HTML it outputs. Unauthenticated attackers can read Mailchimp, Facebook and Google credentials from any affected WordPress site running the plugin up to version 51.1.49 with the Premium license installed. The CVSS score is 5.3 (network vector, no privileges, no user interaction, confidentiality impact only). Because the keys are part of the ordinary page response, harvesting them takes nothing more than fetching a page that contains the widget, which makes the issue easy to discover and exploit at scale across every affected site a scanner can enumerate.

Technical Context

The vulnerability exists in the King Addons for Elementor plugin (CPE: cpe:2.3:a:kingaddons:king_addons_for_elementor_–_80+_elementor_widgets,_4_000+_elementor_templates,_woocommerce,_mega_menu,_popup_builder) and is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The root cause is that render_full_form embeds server-side credentials (the plugin's stored Mailchimp, Facebook and Google keys and secrets) directly into the page markup, so they are delivered to every visitor who loads a page containing the widget. The referenced source is the Login_Register_Form widget (plugins.trac.wordpress.org/browser/king-addons/tags/51.1.38/includes/widgets/Login_Register_Form/Login_Register_Form.php#L3065); note that the reference points at the 51.1.38 tag while the affected range extends through 51.1.49. Output escaping is not the issue and would not fix it: an escaped secret is still a readable secret. This is a classic client-side information disclosure flaw, in which credentials that exist only to let the server call third-party APIs are shipped to the client tier; the correct design keeps such keys on the server and has the browser talk to a site-side endpoint that holds them.

Affected Products

All versions of King Addons for Elementor up to and including 51.1.49 are affected when the Premium license is installed; per the description, sites without the Premium license are not affected. The plugin is identified by CPE cpe:2.3:a:kingaddons:king_addons_for_elementor_–_80+_elementor_widgets,_4_000+_elementor_templates,_woocommerce,_mega_menu,_popup_builder. The exposure is in the Login_Register_Form widget, so sites that place that widget on a public page are the ones whose keys are reachable, as documented in the Wordfence vulnerability intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/7955b162-ed0f-4455-a429-ed292771c701.

Remediation

Treat the exposed credentials as compromised and rotate them first: generate new Mailchimp, Facebook and Google keys and secrets from the respective provider consoles and revoke the old ones. Updating the plugin stops further disclosure but does not invalidate keys that have already been harvested. Then update King Addons for Elementor to a release later than 51.1.49 once the vendor has published one; check the WordPress plugin repository and the Wordfence report for the fixed version. Until the update is applied: (1) disable or remove the Login_Register_Form widget from public pages, or clear the Mailchimp, Facebook and Google credentials from the plugin settings so there is nothing for render_full_form to emit; (2) where the provider supports it, restrict the replacement keys (for example, Google API key restrictions by HTTP referrer or by API, and the narrowest scopes available) so that any future leak is less useful; (3) verify the exposure by fetching a page that contains the widget as an anonymous visitor and searching the returned HTML for the configured key values, both before and after the update. Web application firewall rules, IP restrictions on the admin panel and HTML obfuscation do not help: the keys are part of the ordinary page response served to every visitor, and no administrative access is involved. Consult the Wordfence threat intelligence report and the WordPress plugin repository for official patch availability and vendor guidance at https://www.wordfence.com/threat-intel/vulnerabilities/id/7955b162-ed0f-4455-a429-ed292771c701 and https://plugins.trac.wordpress.org/browser/king-addons/tags/51.1.38/includes/widgets/Login_Register_Form/Login_Register_Form.php.
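The following check is an added example, not code from vuln.today, Wordfence or the King Addons project. It does what the verification step above describes and illustrates the leak pattern from the Technical Context section: fetch a page as an anonymous visitor (the attacker's view, matching PR:N) and scan the returned HTML for credential-shaped values and for attributes, JSON keys or variables whose name says key, secret or token. The signature patterns are the well-known public formats for the providers the advisory names (Mailchimp keys are 32 hex characters followed by a -usNN data-center suffix, Google API keys start with AIza and are 39 characters, Facebook access tokens start with EAA); a Facebook app secret has no distinctive prefix and is caught only by the name-based rule. The attribute and variable names in the constructed sample, and the assumption that the widget emits secrets as data attributes or inline JSON, are hypothetical; the real markup at the referenced line may differ.

```python
import re
import sys
import urllib.request

# Credential formats the advisory names. Added example: these are the
# providers' well-known public key formats, not anything taken from the plugin.
SIGNATURES = {
    "mailchimp_api_key": re.compile(r"\b[0-9a-f]{32}-us\d{1,2}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}"),
    "facebook_access_token": re.compile(r"\bEAA[0-9A-Za-z]{20,}\b"),
}

# Name-based rule: an HTML attribute, JSON key or JS variable whose name contains
# "api key", "secret" or "access token" and carries a quoted value of 8+ chars.
# This is what catches a Facebook app secret, which is plain 32-char hex.
CONTEXT = re.compile(
    r"\b([A-Za-z0-9_\-]*(?:api[_\-]?key|secret|access[_\-]?token)[A-Za-z0-9_\-]*)"
    r"\s*[\"']?\s*[:=]\s*[\"']([^\"'<>\s]{8,})[\"']",
    re.IGNORECASE,
)


def find_exposed_secrets(html: str) -> list[tuple[str, str]]:
    """Return sorted (label, value) pairs for credential-looking strings in html.

    A value found by both rules is reported once, under the signature label.
    """
    found: dict[str, str] = {}
    for label, pattern in SIGNATURES.items():
        for match in pattern.finditer(html):
            found.setdefault(match.group(0), label)
    for match in CONTEXT.finditer(html):
        name, value = match.group(1), match.group(2)
        found.setdefault(value, "named:" + name)
    return sorted((label, value) for value, label in found.items())


def fetch_and_scan(url: str, timeout: float = 15.0) -> list[tuple[str, str]]:
    """Fetch url with no cookies or credentials (an anonymous visitor) and scan it."""
    request = urllib.request.Request(
        url, headers={"User-Agent": "secret-exposure-check/1.0"}
    )
    with urllib.request.urlopen(request, timeout=timeout) as response:
        html = response.read().decode("utf-8", errors="replace")
    return find_exposed_secrets(html)


def redact(value: str) -> str:
    """Show enough to recognise a hit without copying the secret into logs."""
    return value[:4] + "..." + value[-2:] + f" ({len(value)} chars)"


# Constructed sample of what a leaking widget's output could look like.
# Attribute and key names are hypothetical; the values are not real credentials.
SAMPLE_HTML = """
<form class="ka-login-register" method="post"
      data-mailchimp-api-key="0123456789abcdef0123456789abcdef-us21"
      data-google-client-id="1234567890-abc.apps.googleusercontent.com">
  <input type="email" name="email">
</form>
<script>
var kaLoginRegister = {"facebook_app_id":"123456789012345",
  "facebook_app_secret":"9f86d081884c7d659a2feaa0c55ad015",
  "google_api_key":"AIzaSyA0123456789abcdefghijklmnopqrstuv"};
</script>
"""

if __name__ == "__main__":
    # Usage: python3 check.py https://example.org/login/   (no URL: scan the sample)
    hits = (
        fetch_and_scan(sys.argv[1]) if len(sys.argv) > 1
        else find_exposed_secrets(SAMPLE_HTML)
    )
    for label, value in hits:
        print(f"{label}: {redact(value)}")
    sys.exit(1 if hits else 0)
```

Run it against the sample and it reports the Mailchimp key, the Google key and the Facebook app secret while ignoring the Google client ID and the Facebook app ID, which are public by design; a clean result after the update, together with a clean result for the rotated keys' old values, is the evidence that the fix landed. The non-zero exit status is there so the check can sit in a post-deploy pipeline.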

Priority Score

27 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +26
POC: 0


EUVD-2025-208931 vulnerability details – vuln.today
