CVE-2026-48870

King Addons for Elementor – 80+ Elementor Widgets, 4 000+ Elementor Templates, WooCommerce, Mega Menu, Popup Builder <= 51.1.62 - Authenticated (Subscriber+) Stored Cross-Site Scripting

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.4
CVSS Score
6.4
CVSS Score
medium
Severity
51.1.63
Patched in
7d
Time to patch

Description

The King Addons for Elementor – 80+ Elementor Widgets, 4 000+ Elementor Templates, WooCommerce, Mega Menu, Popup Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 51.1.62 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=51.1.62
PublishedJune 2, 2026
Last updatedJune 8, 2026
Affected pluginking-addons

What Changed in the Fix

Changes introduced in v51.1.63

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

post_id` and a `reaction`. ```php $reaction = sanitize_text_field($_POST['reaction'] ?? ''); ``` Wait, if `reaction` is saved and then displayed... but it's sanitized. Let's look at `Pricing_Table_Builder.php`. It has an AJAX action `kng_pt_get_tables`. ```php add_action('wp_ajax_kng_pt_ge…

Show full research plan

post_idand areaction`.

$reaction = sanitize_text_field($_POST['reaction'] ?? '');

Wait, if reaction is saved and then displayed... but it's sanitized.

Let's look at Pricing_Table_Builder.php.
It has an AJAX action kng_pt_get_tables.

        add_action('wp_ajax_kng_pt_get_tables', [$this, 'ajax_get_tables']);

Does it check permissions?
If a subscriber can call ajax_get_tables, and then... what?
It probably returns a list of pricing tables.

Let's look at the "Dashboard V3" again. dashboard-v3.php.
There is a "Modules" toggle.

$options = get_option('king_addons_options', []);
// ...
foreach ($widgets as $widget_id => $widget) {
    if (isset($options[$widget_id]) && $options[$widget_id] === 'enabled') {

Is there an AJAX action to enable/disable modules?
In King Addons, there usually is. It's often handled by a generic "save settings" AJAX action.

Wait, I found it! Look at the description of CVE-2023-48870 (Wait, my task says CVE-2026-48870, which is a future date,

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.