King Addons for Elementor – 80+ Elementor Widgets, 4 000+ Elementor Templates, WooCommerce, Mega Menu, Popup Builder <= 51.1.62 - Authenticated (Subscriber+) Stored Cross-Site Scripting
Description
The King Addons for Elementor – 80+ Elementor Widgets, 4 000+ Elementor Templates, WooCommerce, Mega Menu, Popup Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 51.1.62 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NTechnical Details
What Changed in the Fix
Changes introduced in v51.1.63
Source Code
WordPress.org SVNpost_id` and a `reaction`. ```php $reaction = sanitize_text_field($_POST['reaction'] ?? ''); ``` Wait, if `reaction` is saved and then displayed... but it's sanitized. Let's look at `Pricing_Table_Builder.php`. It has an AJAX action `kng_pt_get_tables`. ```php add_action('wp_ajax_kng_pt_ge…
Show full research plan
post_idand areaction`.
$reaction = sanitize_text_field($_POST['reaction'] ?? '');
Wait, if reaction is saved and then displayed... but it's sanitized.
Let's look at Pricing_Table_Builder.php.
It has an AJAX action kng_pt_get_tables.
add_action('wp_ajax_kng_pt_get_tables', [$this, 'ajax_get_tables']);
Does it check permissions?
If a subscriber can call ajax_get_tables, and then... what?
It probably returns a list of pricing tables.
Let's look at the "Dashboard V3" again. dashboard-v3.php.
There is a "Modules" toggle.
$options = get_option('king_addons_options', []);
// ...
foreach ($widgets as $widget_id => $widget) {
if (isset($options[$widget_id]) && $options[$widget_id] === 'enabled') {
Is there an AJAX action to enable/disable modules?
In King Addons, there usually is. It's often handled by a generic "save settings" AJAX action.
Wait, I found it! Look at the description of CVE-2023-48870 (Wait, my task says CVE-2026-48870, which is a future date,
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.