Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Description (CVE.org)
The King Addons for Elementor - 4,000+ ready Elementor sections, 650+ templates, 70+ FREE widgets for Elementor plugin for WordPress is vulnerable to unauthenticated API key disclosure in all versions up to, and including, 51.1.49 due to the plugin adding the API keys to the HTML source code via the render_full_form function. This makes it possible for unauthenticated attackers to extract a site's Mailchimp, Facebook and Google API keys and secrets. This vulnerability requires the Premium license to be installed.
Analysis (AI)
King Addons for Elementor contains an information disclosure vulnerability that exposes sensitive API keys and secrets in HTML source code through the render_full_form function. Unauthenticated attackers can extract Mailchimp, Facebook, and Google API credentials from affected WordPress sites running the plugin up to version 51.1.49 that have the Premium license installed. This vulnerability has a CVSS score of 5.3 with a network attack vector requiring no authentication, making it easily discoverable and exploitable at scale.
Technical Context (AI)
The vulnerability exists in the King Addons for Elementor plugin (CPE: cpe:2.3:a:kingaddons:king_addons_for_elementor_–_80+_elementor_widgets,_4_000+_elementor_templates,_woocommerce,_mega_menu,_popup_builder) and is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The root cause is improper handling of sensitive credentials in the render_full_form function, which directly embeds API keys into the HTML DOM accessible to any unauthenticated visitor. The vulnerability specifically affects the Login_Register_Form widget implementation (as evidenced by the referenced source code at plugins.trac.wordpress.org/browser/king-addons/tags/51.1.38/includes/widgets/Login_Register_Form/Login_Register_Form.php#L3065), where third-party authentication tokens are rendered without sanitization or obfuscation. This is a classic client-side information disclosure flaw where secrets meant for server-side usage are leaked to the client tier.
Remediation (AI)
Update King Addons for Elementor to a patched version beyond 51.1.49 immediately; this is the primary remediation. If the update cannot be applied right away, implement the following mitigations: (1) disable or remove the Login_Register_Form widget if it is not actively used, (2) rotate all exposed API keys for Mailchimp, Facebook, and Google services from their respective admin consoles, treating the current keys as compromised since any unauthenticated visitor could have read them from the page source, (3) add Web Application Firewall (WAF) rules to prevent automated scraping of HTML source code containing sensitive patterns, and (4) restrict administrative access to the King Addons settings panel to trusted IP addresses only. For sites unable to patch immediately, consider temporarily disabling the Premium features or using a security plugin to obfuscate HTML output. Consult the Wordfence threat intelligence report and the WordPress plugin repository for official patch availability and vendor guidance at https://www.wordfence.com/threat-intel/vulnerabilities/id/7955b162-ed0f-4455-a429-ed292771c701 and https://plugins.trac.wordpress.org/browser/king-addons/tags/51.1.38/includes/widgets/Login_Register_Form/Login_Register_Form.php.
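The technical context above describes secrets being written into the rendered HTML of the login/register widget, and the remediation asks site owners to find and rotate any keys that were exposed. The following is an added example, not code from the vulnerability record or from the King Addons plugin: a small self-check a site owner can run against their own site's rendered HTML to confirm whether credentials of the three named services are present in the page source before and after updating. The HTML sample, the element names (`data-mailchimp-key`, `kingAddonsSocial`) and every credential value in it are constructed placeholders, not the plugin's real markup or real keys; the regular expressions rely on the public formats of Mailchimp API keys (32 hex chars plus a `-usNN` datacenter suffix), Google API keys (`AIza` prefix) and newer Google OAuth client secrets (`GOCSPX-` prefix), while Facebook app secrets have no distinctive prefix, so they are only reported when a `secret`-named field carries a 32-hex value. Findings are redacted so the tool never re-prints a full secret.

```python
import re
import urllib.request
from typing import List, Tuple

# Constructed sample of a rendered WordPress page. Every value below is a made-up
# placeholder in the right *format* for its service; none is a real credential.
_FAKE_GOOGLE_KEY = "AIzaSyA" + "0" * 32          # AIza + 35 chars
_FAKE_GOOGLE_CLIENT_SECRET = "GOCSPX-" + "x" * 28
SAMPLE_HTML = f"""<!DOCTYPE html>
<link rel="stylesheet" href="/wp-content/themes/x/style.css?ver=deadbeefdeadbeefdeadbeefdeadbeef">
<div class="login-register-form" data-mailchimp-key="0123456789abcdef0123456789abcdef-us21"></div>
<script>
var kingAddonsSocial = {{"facebook": {{"app_id": "000000000000000",
                                      "app_secret": "fedcba9876543210fedcba9876543210"}},
                        "google": {{"api_key": "{_FAKE_GOOGLE_KEY}",
                                    "client_secret": "{_FAKE_GOOGLE_CLIENT_SECRET}"}}}};
</script>
"""

# Service -> pattern. A capture group, when present, selects the secret itself.
PATTERNS = {
    "mailchimp_api_key": re.compile(r"(?<![0-9a-f])[0-9a-f]{32}-us\d{1,2}(?!\d)"),
    "google_api_key": re.compile(r"(?<![0-9A-Za-z_-])AIza[0-9A-Za-z_-]{35}(?![0-9A-Za-z_-])"),
    "google_client_secret": re.compile(r"(?<![0-9A-Za-z_-])GOCSPX-[0-9A-Za-z_-]{24,40}(?![0-9A-Za-z_-])"),
    # No prefix to key on, so require an adjacent "*secret" field name; a bare 32-hex
    # string (e.g. the ?ver= cache-buster above) must not be reported.
    "facebook_app_secret": re.compile(
        r"(?i)(?:app_?secret|client_?secret)[\"']?\s*[:=]\s*[\"']([0-9a-f]{32})[\"']"
    ),
}


def redact(value: str) -> str:
    """Keep only the first and last four characters so reports never leak the secret."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "..." + value[-4:]


def find_exposed_secrets(html: str) -> List[Tuple[str, str]]:
    """Return (service, redacted_value) for every credential-shaped string in the HTML."""
    findings: List[Tuple[str, str]] = []
    for service, pattern in PATTERNS.items():
        for match in pattern.finditer(html):
            secret = match.group(1) if match.groups() else match.group(0)
            findings.append((service, redact(secret)))
    return findings


def fetch_and_scan(url: str, timeout: float = 10.0) -> List[Tuple[str, str]]:
    """Download a page you administer and scan it (not used in the offline demo)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        html = resp.read().decode("utf-8", "replace")
    return find_exposed_secrets(html)


if __name__ == "__main__":
    for service, hint in find_exposed_secrets(SAMPLE_HTML):
        print(f"EXPOSED {service}: {hint}")
```

Run it against the rendered front-end pages that embed the login/register form (not the admin area) before and after updating: a clean result after the update, combined with rotated keys, is the evidence that the exposure is closed. The check is format-based, so it cannot prove a string is a live credential; it flags what a visitor could read, which is exactly the condition the advisory describes.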
Also tracked as
EUVD-2025-208931
GHSA-gpcr-p7x3-w57f