CVE-2025-13997
Unauthenticated API Key Disclosure in King Addons for Elementor
Publication date: 2026-03-23
Last updated on: 2026-03-23
Assigner: Wordfence
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| king_addons | king_addons_for_elementor | up to and including 51.1.49 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
The King Addons for Elementor WordPress plugin, which provides many ready-made Elementor sections, templates, and widgets, has a vulnerability in all versions up to and including 51.1.49. This vulnerability allows unauthenticated attackers to obtain API keys and secrets for services like Mailchimp, Facebook, and Google.
The issue arises because the plugin adds these API keys directly into the HTML source code via the render_full_form function, making them accessible without authentication.
This vulnerability requires the Premium license of the plugin to be installed.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of sensitive API keys and secrets for Mailchimp, Facebook, and Google associated with your site.
An attacker who obtains these keys could potentially misuse them to access or manipulate your connected services, leading to data leakage, unauthorized actions, or service abuse.
Since the vulnerability is exploitable without authentication, it increases the risk of exposure to attackers who do not have any prior access to your site.
The CVSS base score of 5.3 indicates a medium severity impact, specifically affecting confidentiality but not integrity or availability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by inspecting the HTML source code of the affected WordPress site pages for exposed API keys related to Mailchimp, Facebook, and Google. Since the plugin adds API keys to the HTML source via the render_full_form function, unauthenticated attackers can extract these keys by viewing the page source.
A practical detection method is to use command-line tools to fetch and search the HTML source code for API keys or related keywords.
- Use `curl` or `wget` to retrieve the HTML source of the site pages that use the King Addons for Elementor plugin, for example: `curl -s https://example.com/page | grep -i 'api_key'`
- Use `grep` or similar tools to search for known API key patterns or keywords such as `Mailchimp`, `Facebook`, `Google`, `api_key`, or `client_id` in the HTML source.
- Example command: `curl -s https://example.com/page | grep -E 'Mailchimp|Facebook|Google|api_key|client_id'`
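The keyword grep above is a quick first pass, but the words "Google", "Facebook" and "Mailchimp" appear in the markup of almost any WordPress page (font loaders, share buttons, newsletter copy), so a site owner auditing their own pages gets many false positives and no indication of whether an actual secret value is present. The following scanner, an added example that is not part of this advisory page and not code from the King Addons project, instead looks for secret-looking values sitting next to a sensitive field name, in either a JS/JSON-style assignment or a form field. The field names, the page markup in `SAMPLE_HTML` and the token shapes are constructed assumptions for illustration; the real plugin's `render_full_form` output is not reproduced here. Found values are printed masked so the audit log does not itself leak the key.

```python
"""Defender-side check: find secret-looking values exposed in a page's HTML."""
import re
import sys
import urllib.request

# Fragments of field names that suggest a credential rather than a public ID
# (assumption: chosen from the service names the advisory lists, not from the plugin).
SENSITIVE_NAME = (
    r"[A-Za-z0-9_\-\.]*(?:api_key|apikey|client_id|client_secret|app_secret|"
    r"secret|access_token)[A-Za-z0-9_\-\.]*"
)

# 1) JS/JSON-style assignment: "mailchimp_api_key":"..."  or  api_key = '...'
ASSIGNMENT = re.compile(
    r'["\']?(?P<name>' + SENSITIVE_NAME + r')["\']?\s*[:=]\s*'
    r'["\'](?P<value>[A-Za-z0-9_\-\.]{16,})["\']',
    re.IGNORECASE,
)

# 2) Form field carrying the value: <input name="facebook_app_secret" value="...">
INPUT_FIELD = re.compile(
    r'<input\b[^>]*\bname=["\'](?P<name>' + SENSITIVE_NAME + r')["\']'
    r'[^>]*\bvalue=["\'](?P<value>[^"\']{16,})["\']',
    re.IGNORECASE,
)

# Constructed sample page (not real plugin output): the first line would trip a
# plain keyword grep, the script and hidden input are what we actually want flagged.
SAMPLE_HTML = """
<p>Powered by Google Fonts and Mailchimp newsletters.</p>
<script>
var kingAddonsForm = {"mailchimp_api_key":"0123456789abcdef0123456789abcdef-us21","recaptcha_site_key":"site-key-public"};
</script>
<input type="hidden" name="facebook_app_secret" value="ffffffffffffffffffffffffffffffff">
"""


def mask(value: str) -> str:
    """Show only the first and last four characters of a secret."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "..." + value[-4:]


def find_exposed_secrets(html: str) -> list:
    """Return [{'name', 'value', 'offset'}] for every distinct (name, value) pair found."""
    seen = set()
    findings = []
    for pattern in (ASSIGNMENT, INPUT_FIELD):
        for m in pattern.finditer(html):
            key = (m.group("name").lower(), m.group("value"))
            if key in seen:
                continue  # same secret matched by both patterns
            seen.add(key)
            findings.append({"name": m.group("name"), "value": m.group("value"), "offset": m.start()})
    findings.sort(key=lambda f: f["offset"])
    return findings


def scan_url(url: str) -> list:
    """Fetch one page of a site you administer and scan it."""
    with urllib.request.urlopen(url, timeout=15) as resp:
        return find_exposed_secrets(resp.read().decode("utf-8", errors="replace"))


if __name__ == "__main__":
    # Usage: python scan_exposed_keys.py https://example.com/page   (defaults to the sample)
    results = scan_url(sys.argv[1]) if len(sys.argv) > 1 else find_exposed_secrets(SAMPLE_HTML)
    for f in results:
        print(f"offset {f['offset']:>6}: {f['name']} = {mask(f['value'])}")
    print(f"{len(results)} secret-looking value(s) found")
```

Any hit on a page served to anonymous visitors means the key is already public: rotate it at the provider, then re-run the scan after the plugin update to confirm the page no longer carries it. The regexes deliberately require a token of at least 16 characters so that short public identifiers (site keys, widget IDs) are not reported.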
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update the King Addons for Elementor plugin to a version later than 51.1.49 where the issue is fixed.
If an update is not immediately possible, consider disabling or removing the vulnerable plugin to prevent API keys from being exposed.
Additionally, review and rotate any exposed API keys (Mailchimp, Facebook, Google) to prevent unauthorized use.
Limit access to the affected pages or restrict public access until the vulnerability is resolved.
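Deciding whether an install is affected comes down to comparing the installed plugin version with 51.1.49, and a plain string comparison gets this wrong (`"51.1.5" > "51.1.49"` is true as text, false as a version). The snippet below is an added example, not code from this page or the plugin: it parses the `Version:` line from a WordPress plugin header (the standard header format, shown here with a constructed sample) and compares numerically, so it can be pointed at the plugin's main PHP file or fed the output of `wp plugin get <slug> --field=version`; the slug is left as a placeholder because the page does not state it.

```python
"""Is the installed King Addons for Elementor version in the affected range?"""
import re
import sys
from pathlib import Path

# From the advisory: all versions up to and including 51.1.49 are affected.
LAST_AFFECTED = "51.1.49"

# Constructed sample of a WordPress plugin header (not the plugin's real file).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: King Addons for Elementor
 * Version: 51.1.49
 */
"""


def parse_plugin_version(header_text: str):
    """Extract the value of the 'Version:' header line, or None if absent."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", header_text, re.MULTILINE)
    return m.group(1) if m else None


def version_tuple(version: str) -> tuple:
    """'51.1.49' -> (51, 1, 49); numeric tuples compare the way versions should."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_affected(version: str) -> bool:
    """True when the version is at or below the last affected release."""
    return version_tuple(version) <= version_tuple(LAST_AFFECTED)


def naive_is_affected(version: str) -> bool:
    """The string comparison to avoid: kept only to show where it misjudges."""
    return version <= LAST_AFFECTED


if __name__ == "__main__":
    # Usage: python check_version.py /path/to/wp-content/plugins/<plugin-slug>/<main-file>.php
    text = Path(sys.argv[1]).read_text(errors="replace") if len(sys.argv) > 1 else SAMPLE_HEADER
    found = parse_plugin_version(text)
    if found is None:
        print("no Version: header found")
    else:
        print(f"installed {found}: {'AFFECTED, update past ' + LAST_AFFECTED if is_affected(found) else 'not affected'}")
```

When the check reports an affected version and the update cannot be applied at once, the page's fallback order applies: deactivate the plugin, rotate the Mailchimp, Facebook and Google credentials it held, and re-check after updating.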