CVE-2025-13997
Unauthenticated API Key Disclosure in King Addons for Elementor

Publication date: 2026-03-23

Last updated on: 2026-03-23

Assigner: Wordfence

Description
The King Addons for Elementor – 4,000+ ready Elementor sections, 650+ templates, 70+ FREE widgets for Elementor plugin for WordPress is vulnerable to unauthenticated API key disclosure in all versions up to, and including, 51.1.49 because the plugin writes API keys into the HTML source code in its render_full_form function. This makes it possible for unauthenticated attackers to extract the site's Mailchimp, Facebook and Google API keys and secrets. The vulnerability requires the Premium license to be installed.
Affected Vendors & Products
1 associated CPE
Vendor: king_addons
Product: king_addons_for_elementor
Version / Range: up to 51.1.49 (inclusive)
CWE
CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Executive Summary

The King Addons for Elementor WordPress plugin (ready-made Elementor sections, templates and widgets) discloses API keys in all versions up to and including 51.1.49: its render_full_form function writes the configured Mailchimp, Facebook and Google API keys and secrets into the page's HTML source, so anyone who can load a page that renders the affected form can read them without logging in.

The exposure requires the Premium license to be installed.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive API keys and secrets for Mailchimp, Facebook, and Google associated with your site.

An attacker who obtains these keys could potentially misuse them to access or manipulate your connected services, leading to data leakage, unauthorized actions, or service abuse.

Since the vulnerability is exploitable without authentication, it increases the risk of exposure to attackers who do not have any prior access to your site.

The CVSS base score of 5.3 (Medium) reflects a confidentiality impact only, with no integrity or availability impact, reachable from the network without authentication.


Detection Guidance

Because the plugin adds the API keys to the HTML source via the render_full_form function, the exposure is visible in exactly what an unauthenticated visitor receives: fetch the pages on which a King Addons form is rendered and inspect the source. Check the raw HTML (curl, wget or the browser's view-source), not the DOM after scripts have run, and decode HTML entities before searching, since Elementor widgets commonly carry their settings as JSON inside a data-settings attribute with &quot;-escaped quotes, which a literal grep for '"api_key"' misses.

  • Fetch the page source and search for secret-like setting names, for example: curl -s https://example.com/page | grep -iE 'api_key|app_secret|client_secret|secret_key'
  • Search for key formats rather than service names: Mailchimp keys are 32 hex characters followed by a data-centre suffix such as -us19, and Google API keys begin with AIza. Example: curl -s https://example.com/page | grep -oE '[0-9a-f]{32}-us[0-9]{1,2}|AIza[0-9A-Za-z_-]{35}'
  • Grepping for the words 'Mailchimp', 'Facebook' or 'Google' alone is noisy: social links and embedded Google scripts appear on most pages and are not findings. Likewise, a reCAPTCHA site key or a Facebook app ID is public by design; the finding is API key and secret material.
  • A clean grep on one page does not prove the site is patched, because only pages that render the affected form carry the keys; confirm the installed plugin version (Plugins screen or wp plugin list) is above 51.1.49.
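A scanner that applies the checks above to fetched HTML, as an added example and not code from the plugin or from Wordfence. Because the exact markup render_full_form emits is not given here, the setting names it looks for, the scan_url helper and the sample page it runs on are constructed assumptions; the two key formats (Mailchimp's 32-hex plus data-centre suffix, Google's AIza prefix) are publicly documented.

```python
"""Scan rendered HTML for API keys and secrets leaked into page markup.

Added example for this advisory, not code from the King Addons plugin or
from Wordfence. It does not know the markup render_full_form emits, so it
combines two independent checks: publicly documented key formats, and a
secret-looking setting name sitting next to a long quoted token. Setting
names and the sample HTML below are constructed for the demo (assumptions).
"""
import html
import re
import urllib.request

# Key formats whose structure is publicly documented (not plugin-specific).
KEY_FORMATS = {
    # Mailchimp: 32 hex characters, a dash, then a data-centre suffix such as us19.
    "mailchimp_api_key": re.compile(r"\b[0-9a-f]{32}-us[0-9]{1,2}(?![0-9A-Za-z])"),
    # Google API keys: literal 'AIza' followed by 35 URL-safe characters.
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}(?![0-9A-Za-z_\-])"),
}

# A setting name that implies a secret, then ':' or '=', then a quoted token of
# 16+ characters. The suffix list is a generic assumption; names such as
# site_key, client_id or app_id are deliberately not matched because those
# values are meant to be public and would only produce noise.
SECRET_SETTING = re.compile(
    r"""["']?(?P<name>[a-z0-9_\-]*(?:api[_\-]?key|app[_\-]?secret|client[_\-]?secret|secret[_\-]?key|access[_\-]?token))["']?\s*[:=]\s*["'](?P<value>[^"']{16,})["']""",
    re.IGNORECASE,
)


def _line_of(text: str, pos: int) -> int:
    return text.count("\n", 0, pos) + 1


def find_exposed_keys(page_html: str) -> list[dict]:
    """Return one finding per distinct leaked value, ordered by line number.

    HTML entities are decoded first: Elementor-style widgets often carry their
    settings as JSON inside a data-* attribute with &quot;-escaped quotes,
    which a plain grep for '"api_key"' would miss.
    """
    text = html.unescape(page_html)
    findings: list[dict] = []
    seen: set[str] = set()

    # 1) Format-based detection: the value alone identifies the service.
    for kind, pattern in KEY_FORMATS.items():
        for m in pattern.finditer(text):
            if m.group(0) not in seen:
                seen.add(m.group(0))
                findings.append({"kind": kind, "name": kind, "value": m.group(0),
                                 "line": _line_of(text, m.start())})

    # 2) Name-based detection: catches secrets with no distinctive format
    #    (e.g. a 32-hex Facebook app secret) via the setting name beside them.
    for m in SECRET_SETTING.finditer(text):
        value = m.group("value")
        if value not in seen:
            seen.add(value)
            findings.append({"kind": "secret_setting", "name": m.group("name"),
                             "value": value, "line": _line_of(text, m.start())})

    return sorted(findings, key=lambda f: f["line"])


def scan_url(url: str) -> list[dict]:
    """Fetch a page unauthenticated, as an attacker would, and scan it (assumed helper)."""
    with urllib.request.urlopen(url, timeout=15) as resp:  # network call; not exercised offline
        return find_exposed_keys(resp.read().decode("utf-8", errors="replace"))


# Constructed sample page (not real plugin output): a form widget that inlines
# its integration settings, plus the social links that trip a keyword grep.
SAMPLE_HTML = """<!doctype html>
<html><body>
<div class="ka-form" data-settings="{&quot;mailchimp_api_key&quot;:&quot;0123456789abcdef0123456789abcdef-us19&quot;,&quot;recaptcha_site_key&quot;:&quot;6LcPublicSiteKeyNotASecret0000000000000&quot;,&quot;google_api_key&quot;:&quot;AIzaSyA1234567890abcdefghijklmnopqrstuv&quot;}"></div>
<script>
  var kaFb = { app_id: "123456789012345", app_secret: "deadbeefdeadbeefdeadbeefdeadbeef" };
</script>
<a href="https://www.facebook.com/example">Facebook</a> <a href="https://google.com">Google</a>
</body></html>
"""

if __name__ == "__main__":
    for f in find_exposed_keys(SAMPLE_HTML):
        print(f"line {f['line']}: {f['kind']} {f['name']} = {f['value'][:8]}...")
```

On the sample page this reports the Mailchimp key and the Google key by format and the Facebook app secret by setting name, while ignoring the reCAPTCHA site key, the Facebook app ID and the social links that a grep for 'Facebook|Google' would flag. Run it against real pages with scan_url on every URL that renders a King Addons form, and treat any finding as a key to rotate, not just a page to fix.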
Mitigation Strategies

Update King Addons for Elementor to a release later than 51.1.49; every version up to and including 51.1.49 is affected. After updating, re-fetch a page that renders the form and confirm the keys are no longer in the source.

If an update is not immediately possible, deactivate or remove the plugin so the keys stop being emitted.

Treat every Mailchimp, Facebook and Google key and secret that the site had configured as compromised and rotate it in the respective provider's console, whether or not you have evidence of scraping: the keys were readable by anyone who loaded the page, and updating the plugin does not invalidate copies already taken.

Until the update is in place, restrict public access to the affected pages (for example behind authentication) to reduce exposure.
