[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fjJCU-SVZU_hmNSKV4D2NpgmHst8CA8rq54Uz798287o":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":9,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":40},"CVE-2025-13997","king-addons-for-elementor-unauthenticated-api-keys-disclosure","King Addons for Elementor \u003C= 51.1.49 - Unauthenticated API Keys Disclosure","The King Addons for Elementor – 4,000+ ready Elementor sections, 650+ templates, 70+ FREE widgets for Elementor plugin for WordPress is vulnerable to unauthenticated API key disclosure in all versions up to, and including, 51.1.49 due to the plugin adding the API keys to the HTML source code via the render_full_form function. 
This makes it possible for unauthenticated attackers to extract the site's Mailchimp, Facebook and Google API keys and secrets.\r\nThis vulnerability requires the Premium license to be installed.","king-addons",null,"\u003C=51.1.49","51.1.51","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Exposure of Sensitive Information to an Unauthorized Actor","2026-03-22 18:29:11","2026-03-23 06:41:09",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F7955b162-ed0f-4455-a429-ed292771c701?source=api-prod",1,[22,23,24,25,26,27,28,29],"includes\u002FAdmin.php","includes\u002FCore.php","includes\u002FModulesMap.php","includes\u002Fadmin\u002Flayouts\u002Fdashboard-v3\u002Fdashboard-v3.css","includes\u002Fadmin\u002Flayouts\u002Fdashboard-v3\u002Fdashboard-v3.php","includes\u002Fadmin\u002Flayouts\u002Fdashboard-v3\u002Fextensions-list.php","includes\u002Fadmin\u002Flayouts\u002Fwoo-builder-page.php","includes\u002Fadmin\u002Fshared\u002Fdark-theme.php","researched",false,3,"# Exploitation Research Plan: CVE-2025-13997 - King Addons for Elementor Unauthenticated API Key Disclosure\n\n## 1. Vulnerability Summary\nThe **King Addons for Elementor** plugin (up to version 51.1.49) contains an information disclosure vulnerability where sensitive API keys and secrets (Mailchimp, Facebook, Google) are leaked to the public HTML source code. This occurs because the plugin's `render_full_form` function (likely associated with form-based widgets like Mailchimp or Social Login) outputs these configuration values directly into the frontend markup without checking the visitor's authentication or authorization level. This vulnerability specifically affects sites where the **Premium license** features are active.\n\n## 2. 
Attack Vector Analysis\n*   **Endpoint:** Any public-facing WordPress page or post where a vulnerable King Addons widget (e.g., Mailchimp, Login, or Social Login) is rendered.\n*   **Vulnerable Function:** `render_full_form` (inferred to be within a Pro\u002FPremium widget class or form helper).\n*   **Authentication:** None (Unauthenticated).\n*   **Preconditions:** \n    1.  The Premium version of the plugin must be active.\n    2.  API keys (Mailchimp, Facebook, or Google) must be configured in the plugin settings.\n    3.  A widget utilizing the `render_full_form` function must be placed on a public page.\n\n## 3. Code Flow\n1.  **Initialization:** The plugin loads widgets and extensions via `King_Addons\\Core::instance()`.\n2.  **Request:** An unauthenticated visitor requests a page containing an Elementor widget from King Addons.\n3.  **Rendering:** Elementor calls the `render()` method of the widget.\n4.  **Vulnerable Call:** The widget's `render()` method invokes `render_full_form()`.\n5.  **Information Retrieval:** Inside `render_full_form()`, the code retrieves the plugin's global options:\n    *   `$options = get_option('king_addons_options', []);`\n6.  **Disclosure:** The function constructs HTML (e.g., hidden inputs or JS config objects) containing keys like `mailchimp_api_key`, `facebook_app_secret`, or `google_client_secret` and echoes them directly to the page buffer.\n\n## 4. Nonce Acquisition Strategy\nThis vulnerability does **not** require a WordPress nonce because it is a passive information disclosure via a `GET` request to a public page. The disclosure happens during the standard rendering of the page content.\n\n## 5. Exploitation Strategy\n\n### Step 1: Preparation (Simulate Premium and Configure Keys)\nThe vulnerability requires \"Premium\" features. 
We will mock the premium state and populate the `king_addons_options` with dummy secrets.\n\n### Step 2: Identify and Place Vulnerable Widget\nThe vulnerability description identifies `render_full_form` as the sink. We will search for this function in the plugin directory to identify the specific widget. Based on the leaked keys (Mailchimp\u002FFacebook), the \"Mailchimp\" or \"Social Login\" widgets are the primary suspects.\n\n### Step 3: Trigger Disclosure\n1.  Create a public page.\n2.  Add the identified widget to the page.\n3.  Perform an unauthenticated `GET` request to the page.\n4.  Parse the HTML to find the secrets.\n\n## 6. Test Data Setup\n1.  **Inject Dummy API Keys:**\n    ```bash\n    wp option update king_addons_options '{\"mailchimp_api_key\":\"MOCK_MAILCHIMP_KEY_12345\",\"facebook_app_secret\":\"MOCK_FB_SECRET_67890\",\"google_client_secret\":\"MOCK_GOOGLE_SECRET_ABCDE\"}' --format=json\n    ```\n2.  **Find the Widget:**\n    Search for the vulnerable function:\n    ```bash\n    grep -r \"render_full_form\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fking-addons\u002F\n    ```\n3.  **Create a Target Page:**\n    Assuming the widget uses a shortcode or can be identified by its PHP class (e.g., `Mailchimp`), create a page. Since we are in a PoC environment, we will use a shortcode if available, or manually trigger the widget's render.\n    *   *Note:* If the specific widget shortcode is unknown, we will look for `add_shortcode` in the plugin source or use a generic Elementor library template.\n\n## 7. 
Expected Results\nA successful exploit will return the HTML content of the page where the dummy keys are visible in the source.\n\n**Example Expected HTML Snippet:**\n```html\n\u003Cdiv class=\"king-addons-form-wrapper\">\n    \u003Cinput type=\"hidden\" name=\"mailchimp_api\" value=\"MOCK_MAILCHIMP_KEY_12345\">\n    \u003C!-- OR -->\n    \u003Cscript>\n        var ka_form_config = {\"mailchimp_key\":\"MOCK_MAILCHIMP_KEY_12345\", ...};\n    \u003C\u002Fscript>\n\u003C\u002Fdiv>\n```\n\n## 8. Verification Steps\n1.  **HTTP Request (Unauthenticated):**\n    ```bash\n    # Use the http_request tool to fetch the public page\n    # Look for the \"MOCK_MAILCHIMP_KEY_12345\" string in the response body.\n    ```\n2.  **Manual Source Check:**\n    Navigate to the page using `browser_navigate` and use `browser_eval(\"document.body.innerHTML\")` to search for the secrets.\n\n## 9. Alternative Approaches\nIf a specific widget cannot be easily placed on a page via CLI:\n1.  **Direct Function Call:** If `is_admin()` is not checked inside `render_full_form`, we can use `wp eval` to call the function and confirm it outputs the keys, though the CVSS requires unauthenticated *web* access.\n2.  **Shortcode Bruteforce:** King Addons typically uses widget slugs as shortcodes. Try `[king_mailchimp]`, `[king_addons_mailchimp]`, or check the `ModulesMap.php` for `php-class` names to infer the widget's identity.\n3.  **Template Injection:** If the plugin allows importing templates (common in Addon packs), import a template that uses the vulnerable widget.","The King Addons for Elementor plugin (Premium version) is vulnerable to unauthenticated information disclosure because it renders sensitive API keys and secrets for services like Mailchimp, Facebook, and Google directly into the HTML source code of public pages. 
This occurs within the 'render_full_form' function used by certain widgets, which fails to restrict the output of configuration settings to authorized users.","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fking-addons\u002F51.1.49\u002Fincludes\u002Fadmin\u002Flayouts\u002Fdashboard-v3\u002Fdashboard-v3.css \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fking-addons\u002F51.1.51\u002Fincludes\u002Fadmin\u002Flayouts\u002Fdashboard-v3\u002Fdashboard-v3.css\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fking-addons\u002F51.1.49\u002Fincludes\u002Fadmin\u002Flayouts\u002Fdashboard-v3\u002Fdashboard-v3.css\t2026-01-06 16:52:16.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fking-addons\u002F51.1.51\u002Fincludes\u002Fadmin\u002Flayouts\u002Fdashboard-v3\u002Fdashboard-v3.css\t2026-01-12 18:31:28.000000000 +0000\n@@ -674,6 +674,21 @@\n     flex-grow: 1;\n }\n \n+.ka-v3-card-requirement {\n+    margin: 12px 0 0;\n+    font-size: 13px;\n+    line-height: 1.4;\n+    color: #8e8e93;\n+    background: linear-gradient(135deg, #2c2c2e 0%, #3a3a3c 100%);\n+    padding: 3px 5px;\n+    border-radius: 6px;\n+}\n+\n+.ka-v3-card.ka-v3-card-unavailable .ka-v3-toggle {\n+    pointer-events: none;\n+    opacity: 0.6;\n+}\n+\n .ka-v3-card-footer {\n     margin-top: 20px;\n     padding-top: 16px;\n@@ -719,7 +734,7 @@\n }\n \n .ka-v3-toggle input {\n-    opacity: 0;\n+    opacity: 0 !important;\n     width: 0;\n     height: 0;\n }\n... (truncated)","An attacker can exploit this vulnerability by identifying a public-facing page on a WordPress site that uses a Premium King Addons widget, such as the Mailchimp signup form or Social Login widget. By making an unauthenticated GET request to the page, the attacker can inspect the HTML source code for sensitive information. 
The plugin's 'render_full_form' function retrieves the site's global 'king_addons_options' and incorrectly embeds secrets (like Mailchimp API keys, Facebook App Secrets, or Google Client Secrets) directly into the page markup as hidden inputs or JavaScript configuration objects.","gemini-3-flash-preview","2026-04-18 00:16:02","2026-04-18 00:16:25",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","51.1.49","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fking-addons\u002Ftags\u002F51.1.49","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fking-addons.51.1.49.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fking-addons\u002Ftags\u002F51.1.51","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fking-addons.51.1.51.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fking-addons\u002Ftags"]