CVE-2025-13997

MEDIUM

King Addons for Elementor <= 51.1.49 - Unauthenticated API Keys Disclosure

Title source: cna

Description

The King Addons for Elementor – 4,000+ ready Elementor sections, 650+ templates, 70+ FREE widgets for Elementor plugin for WordPress is vulnerable to unauthenticated API key disclosure in all versions up to, and including, 51.1.49 due to the plugin adding the API keys to the HTML source code via render_full_form function. This makes it possible for unauthenticated attackers to extract site's Mailchimp, Facebook and Google API keys and secrets. This vulnerability requires the Premium license to be installed

References (2)

https://www.wordfence.com/threat-intel/vulnerabilities/id/7955b162-ed0f-4455-a429-ed292771c701?source=cve

https://plugins.trac.wordpress.org/browser/king-addons/tags/51.1.38/includes/widgets/Login_Register_Form/Login_Register_Form.php#L3065

Scores

CVSS v3 5.3

EPSS 0.0004

EPSS Percentile 12.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE

CWE-200

Status published

Products (1)

kingaddons/King Addons for Elementor – 80+ Elementor Widgets, 4 000+ Elementor Templates, WooCommerce, Mega Menu, Popup Builder < 51.1.49

Published Mar 23, 2026

Tracked Since Mar 23, 2026