CVE-2025-13997

King Addons for Elementor <= 51.1.49 - Unauthenticated API Keys Disclosure

Severity: medium
CWE: Exposure of Sensitive Information to an Unauthorized Actor
CVSS Score: 5.3
Patched in: 51.1.51
Time to patch: 1d

Description

The King Addons for Elementor – 4,000+ ready Elementor sections, 650+ templates, 70+ FREE widgets for Elementor plugin for WordPress is vulnerable to unauthenticated API key disclosure in all versions up to, and including, 51.1.49 because the render_full_form function writes the configured API keys into the page's HTML source. This makes it possible for unauthenticated attackers to extract the site's Mailchimp, Facebook and Google API keys and secrets. This vulnerability requires the Premium license to be installed.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Technical Details

Affected versions: <= 51.1.49
Published: March 22, 2026
Last updated: March 23, 2026
Affected plugin: king-addons

What Changed in the Fix

Changes introduced in v51.1.51


Source Code: WordPress.org SVN

Research Plan (status: Unverified)


Exploitation Research Plan: CVE-2025-13997 - King Addons for Elementor Unauthenticated API Key Disclosure

1. Vulnerability Summary

The King Addons for Elementor plugin (up to version 51.1.49) contains an information disclosure vulnerability where sensitive API keys and secrets (Mailchimp, Facebook, Google) are leaked to the public HTML source code. This occurs because the plugin's render_full_form function (likely associated with form-based widgets like Mailchimp or Social Login) outputs these configuration values directly into the frontend markup without checking the visitor's authentication or authorization level. This vulnerability specifically affects sites where the Premium license features are active.

2. Attack Vector Analysis

  • Endpoint: Any public-facing WordPress page or post where a vulnerable King Addons widget (e.g., Mailchimp, Login, or Social Login) is rendered.
  • Vulnerable Function: render_full_form (inferred to be within a Pro/Premium widget class or form helper).
  • Authentication: None (Unauthenticated).
  • Preconditions:
    1. The Premium version of the plugin must be active.
    2. API keys (Mailchimp, Facebook, or Google) must be configured in the plugin settings.
    3. A widget utilizing the render_full_form function must be placed on a public page.

3. Code Flow

  1. Initialization: The plugin loads widgets and extensions via King_Addons\Core::instance().
  2. Request: An unauthenticated visitor requests a page containing an Elementor widget from King Addons.
  3. Rendering: Elementor calls the render() method of the widget.
  4. Vulnerable Call: The widget's render() method invokes render_full_form().
  5. Information Retrieval: Inside render_full_form(), the code retrieves the plugin's global options:
    • $options = get_option('king_addons_options', []);
  6. Disclosure: The function constructs HTML (e.g., hidden inputs or JS config objects) containing keys like mailchimp_api_key, facebook_app_secret, or google_client_secret and echoes them directly to the page buffer.
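
To make the sink described in this code flow concrete, here is an added illustration in PHP; it is not code from King Addons, and every ka_example_* function is hypothetical. The option name king_addons_options and the key names mailchimp_api_key, facebook_app_secret and google_client_secret follow what this research plan infers, and the sample values are the constructed mock secrets from section 6. It contrasts a render helper that writes the whole option array into the markup with one that publishes only an allowlist of non-secret values plus a nonce, keeps the API key inside a server-side submit handler, and adds a self-check that reports any non-allowlisted option value that appears verbatim in rendered output.

```php
<?php
// Added illustration, not King Addons code. Option and key names follow the
// research plan's inference; every ka_example_* function is hypothetical.

// Stand-ins so the file also runs under plain `php` outside WordPress.
// Inside WordPress the real functions exist and this block is skipped.
if (!function_exists('get_option')) {
    function get_option($name, $default = false) {
        // Constructed sample option row standing in for wp_options (flat array assumed).
        $store = ['king_addons_options' => [
            'mailchimp_api_key'    => 'MOCK_MAILCHIMP_KEY_12345',
            'mailchimp_list_id'    => 'list-abc123',
            'facebook_app_secret'  => 'MOCK_FB_SECRET_67890',
            'google_client_secret' => 'MOCK_GOOGLE_SECRET_ABCDE',
        ]];
        return $store[$name] ?? $default;
    }
    function esc_attr($s) { return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8'); }
    function wp_json_encode($v) { return json_encode($v); }
    function wp_create_nonce($action) { return substr(hash('sha256', 'mock-salt|' . $action), 0, 10); }
    function wp_verify_nonce($nonce, $action) { return hash_equals(wp_create_nonce($action), (string) $nonce); }
}

// Vulnerable shape: the whole option array, secrets included, is written into
// the page as a hidden input and a JS config object. Anyone who can load the
// page can read it.
function ka_example_render_full_form_vulnerable(): string {
    $options = get_option('king_addons_options', []);
    return '<div class="king-addons-form-wrapper">'
        . '<input type="hidden" name="mailchimp_api" value="' . esc_attr($options['mailchimp_api_key'] ?? '') . '">'
        . '<script>var ka_form_config = ' . wp_json_encode($options) . ';</script>'
        . '</div>';
}

// Hardened shape: an allowlist of keys that are safe to publish. Anything not
// listed stays on the server and is read only by the submit handler below.
const KA_EXAMPLE_PUBLIC_KEYS = ['mailchimp_list_id'];

function ka_example_public_config(array $options): array {
    return array_intersect_key($options, array_flip(KA_EXAMPLE_PUBLIC_KEYS));
}

function ka_example_render_full_form_fixed(): string {
    $options = get_option('king_addons_options', []);
    $config  = ka_example_public_config($options);
    $config['nonce'] = wp_create_nonce('ka_example_subscribe'); // ties the POST to this page load
    return '<div class="king-addons-form-wrapper">'
        . '<input type="hidden" name="_ka_nonce" value="' . esc_attr($config['nonce']) . '">'
        . '<script>var ka_form_config = ' . wp_json_encode($config) . ';</script>'
        . '</div>';
}

// Server-side handler: the only place the API key is read. It never appears in
// an HTTP response. The outbound Mailchimp request itself is left out here;
// $api_key would be passed to it.
function ka_example_handle_subscribe(array $post): array {
    if (!wp_verify_nonce($post['_ka_nonce'] ?? '', 'ka_example_subscribe')) {
        return ['ok' => false, 'error' => 'bad nonce'];
    }
    $options = get_option('king_addons_options', []);
    $api_key = $options['mailchimp_api_key'] ?? '';
    if ($api_key === '' || !filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL)) {
        return ['ok' => false, 'error' => 'not configured or invalid email'];
    }
    // ... call the Mailchimp API with $api_key and $options['mailchimp_list_id'] here ...
    return ['ok' => true, 'list' => $options['mailchimp_list_id'] ?? ''];
}

// Self-check for any render function: names of every non-allowlisted option
// whose value (raw or attribute-escaped) appears in the output.
function ka_example_leaked_keys(string $html): array {
    $leaked = [];
    foreach (get_option('king_addons_options', []) as $key => $value) {
        if (in_array($key, KA_EXAMPLE_PUBLIC_KEYS, true) || $value === '') {
            continue;
        }
        foreach ([(string) $value, esc_attr($value)] as $needle) {
            if (strpos($html, $needle) !== false) {
                $leaked[] = $key;
                break;
            }
        }
    }
    return $leaked;
}

if (PHP_SAPI === 'cli') {
    printf("vulnerable render leaks: %s\n", implode(', ', ka_example_leaked_keys(ka_example_render_full_form_vulnerable())) ?: '(none)');
    printf("fixed render leaks: %s\n", implode(', ', ka_example_leaked_keys(ka_example_render_full_form_fixed())) ?: '(none)');
}
```

Run with `php` from the command line: the vulnerable render reports mailchimp_api_key, facebook_app_secret and google_client_secret, the fixed one reports none. The allowlist is the important design choice: a denylist of "known secret" keys silently fails the next time a new credential is added to the option array, whereas an allowlist has to be extended deliberately for each value that is meant to be public.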

4. Nonce Acquisition Strategy

This vulnerability does not require a WordPress nonce because it is a passive information disclosure via a GET request to a public page. The disclosure happens during the standard rendering of the page content.

5. Exploitation Strategy

Step 1: Preparation (Simulate Premium and Configure Keys)

The vulnerability requires "Premium" features. We will mock the premium state and populate the king_addons_options with dummy secrets.

Step 2: Identify and Place Vulnerable Widget

The vulnerability description identifies render_full_form as the sink. We will search for this function in the plugin directory to identify the specific widget. Based on the leaked keys (Mailchimp/Facebook), the "Mailchimp" or "Social Login" widgets are the primary suspects.

Step 3: Trigger Disclosure

  1. Create a public page.
  2. Add the identified widget to the page.
  3. Perform an unauthenticated GET request to the page.
  4. Parse the HTML to find the secrets.

6. Test Data Setup

  1. Inject Dummy API Keys:
    wp option update king_addons_options '{"mailchimp_api_key":"MOCK_MAILCHIMP_KEY_12345","facebook_app_secret":"MOCK_FB_SECRET_67890","google_client_secret":"MOCK_GOOGLE_SECRET_ABCDE"}' --format=json
    
  2. Find the Widget:
    Search for the vulnerable function:
    grep -r "render_full_form" /var/www/html/wp-content/plugins/king-addons/
    
  3. Create a Target Page:
    Assuming the widget uses a shortcode or can be identified by its PHP class (e.g., Mailchimp), create a page. Since we are in a PoC environment, we will use a shortcode if available, or manually trigger the widget's render.
    • Note: If the specific widget shortcode is unknown, we will look for add_shortcode in the plugin source or use a generic Elementor library template.

7. Expected Results

A successful exploit will return the HTML content of the page where the dummy keys are visible in the source.

Example Expected HTML Snippet:

<div class="king-addons-form-wrapper">
    <input type="hidden" name="mailchimp_api" value="MOCK_MAILCHIMP_KEY_12345">
    <!-- OR -->
    <script>
        var ka_form_config = {"mailchimp_key":"MOCK_MAILCHIMP_KEY_12345", ...};
    </script>
</div>

8. Verification Steps

  1. HTTP Request (Unauthenticated):
    # Use the http_request tool to fetch the public page
    # Look for the "MOCK_MAILCHIMP_KEY_12345" string in the response body.
    
  2. Manual Source Check:
    Navigate to the page using browser_navigate and use browser_eval("document.body.innerHTML") to search for the secrets.

9. Alternative Approaches

If a specific widget cannot be easily placed on a page via CLI:

  1. Direct Function Call: If is_admin() is not checked inside render_full_form, we can use wp eval to call the function and confirm it outputs the keys, though the CVSS requires unauthenticated web access.
  2. Shortcode Bruteforce: King Addons typically uses widget slugs as shortcodes. Try [king_mailchimp], [king_addons_mailchimp], or check the ModulesMap.php for php-class names to infer the widget's identity.
  3. Template Injection: If the plugin allows importing templates (common in Addon packs), import a template that uses the vulnerable widget.

Research Findings (status: static analysis, not yet PoC-verified)

Summary

The King Addons for Elementor plugin (Premium version) is vulnerable to unauthenticated information disclosure because it renders sensitive API keys and secrets for services like Mailchimp, Facebook, and Google directly into the HTML source code of public pages. This occurs within the 'render_full_form' function used by certain widgets, which fails to restrict the output of configuration settings to authorized users.

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/king-addons/51.1.49/includes/admin/layouts/dashboard-v3/dashboard-v3.css /home/deploy/wp-safety.org/data/plugin-versions/king-addons/51.1.51/includes/admin/layouts/dashboard-v3/dashboard-v3.css
--- /home/deploy/wp-safety.org/data/plugin-versions/king-addons/51.1.49/includes/admin/layouts/dashboard-v3/dashboard-v3.css	2026-01-06 16:52:16.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/king-addons/51.1.51/includes/admin/layouts/dashboard-v3/dashboard-v3.css	2026-01-12 18:31:28.000000000 +0000
@@ -674,6 +674,21 @@
     flex-grow: 1;
 }
 
+.ka-v3-card-requirement {
+    margin: 12px 0 0;
+    font-size: 13px;
+    line-height: 1.4;
+    color: #8e8e93;
+    background: linear-gradient(135deg, #2c2c2e 0%, #3a3a3c 100%);
+    padding: 3px 5px;
+    border-radius: 6px;
+}
+
+.ka-v3-card.ka-v3-card-unavailable .ka-v3-toggle {
+    pointer-events: none;
+    opacity: 0.6;
+}
+
 .ka-v3-card-footer {
     margin-top: 20px;
     padding-top: 16px;
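Review bot: this hunk is presentation-only (new `.ka-v3-card-requirement` and `.ka-v3-card-unavailable .ka-v3-toggle` rules in the admin dashboard stylesheet) and touches neither `render_full_form` nor any PHP output path, so it cannot be the change that stops API keys reaching page markup; the fix the advisory refers to must be in the truncated remainder of the 51.1.49 to 51.1.51 diff. Separately, `pointer-events: none;` with `opacity: 0.6;` only disables the toggle in the browser; whatever server-side handler the toggle submits to still has to reject the change itself, since a request can be sent without the UI.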
@@ -719,7 +734,7 @@
 }
 
 .ka-v3-toggle input {
-    opacity: 0;
+    opacity: 0 !important;
     width: 0;
     height: 0;
 }
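Review bot: `opacity: 0 !important;` on `.ka-v3-toggle input` suggests a competing rule now wins the cascade; fixing that rule's specificity or ordering is preferable to `!important`, which makes every later override harder. As with the previous hunk, this is admin CSS and unrelated to the key-disclosure fix.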
... (truncated)

Exploit Outline

An attacker can exploit this vulnerability by identifying a public-facing page on a WordPress site that uses a Premium King Addons widget, such as the Mailchimp signup form or Social Login widget. By making an unauthenticated GET request to the page, the attacker can inspect the HTML source code for sensitive information. The plugin's 'render_full_form' function retrieves the site's global 'king_addons_options' and incorrectly embeds secrets (like Mailchimp API keys, Facebook App Secrets, or Google Client Secrets) directly into the page markup as hidden inputs or JavaScript configuration objects.
