CVE-2025-13535

Name of the Vulnerable Software and Affected Versions King Addons for Elementor plugin for WordPress versions up to and including 51.1.38

Description The King Addons for Elementor plugin for WordPress is susceptible to multiple Contributor+ DOM-Based Stored Cross-Site Scripting issues. This is a result of inadequate input sanitization and output escaping across various widgets and features. The plugin utilizes esc attr() and esc url() within JavaScript inline event handlers (onclick attributes), which allows HTML entities to be decoded by the DOM, enabling attackers to break out of the JavaScript context. Several JavaScript files employ unsafe DOM manipulation methods (template literals, .html(), and window.location.href with unvalidated URLs) with user-controlled data. This allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts through Elementor widget settings. These scripts execute when a user accesses the injected page or when an administrator previews the page in Elementor's editor.

Recommendations Versions up to and including 51.1.38 should be updated to version 5.1.51 or later.