CVE-2025-13535
Status: Received - Intake
DOM-Based Stored XSS in King Addons for Elementor Plugin

Publication date: 2026-04-01

Last updated on: 2026-04-01

Assigner: Wordfence

Description
The King Addons for Elementor plugin for WordPress is vulnerable to multiple Contributor+ DOM-Based Stored Cross-Site Scripting vulnerabilities in all versions up to, and including, 51.1.38. This is due to insufficient input sanitization and output escaping across multiple widgets and features. The plugin uses esc_attr() and esc_url() within JavaScript inline event handlers (onclick attributes), which allows HTML entities to be decoded by the DOM, enabling attackers to break out of the JavaScript context. Additionally, several JavaScript files use unsafe DOM manipulation methods (template literals, .html(), and window.location.href with unvalidated URLs) with user-controlled data. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts via Elementor widget settings that execute when a user accesses the injected page or when an administrator previews the page in Elementor's editor. The vulnerability was partially patched in version 5.1.51.
Meta Information
Published: 2026-04-01
Last Modified: 2026-04-01
Generated: 2026-05-07
AI Q&A: 2026-04-01
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (2 associated CPEs)
Vendor        Product                      Version / Range
king_addons   king_addons_for_elementor    up to 51.1.38 (inclusive)
king_addons   king_addons_for_elementor    from 5.1.51 (inclusive)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability CVE-2025-13535 in the King Addons for Elementor plugin allows authenticated users with Contributor-level access or higher to inject arbitrary web scripts via insufficient input sanitization and output escaping. This DOM-Based Stored Cross-Site Scripting (XSS) vulnerability can lead to unauthorized script execution when users or administrators access or preview affected pages.

Such XSS vulnerabilities can compromise the confidentiality and integrity of user data, potentially exposing personal or sensitive information handled by the website. This exposure can impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal data against unauthorized access and ensuring secure processing.

Specifically, exploitation of this vulnerability could lead to unauthorized access to user sessions, data theft, or manipulation of content, all of which may violate regulatory requirements for data security and privacy.

Therefore, until patched, the presence of this vulnerability in a website using the affected plugin version could pose risks to compliance with standards that mandate protection against cross-site scripting and related attacks.


Can you explain this vulnerability to me?

CVE-2025-13535 is a security vulnerability in the King Addons for Elementor WordPress plugin, affecting all versions up to and including 51.1.38. It involves multiple Contributor+ DOM-Based Stored Cross-Site Scripting (XSS) issues caused by insufficient input sanitization and output escaping in various widgets and features.

The vulnerability arises because the plugin uses esc_attr() and esc_url() functions within JavaScript inline event handlers (onclick attributes), which allows HTML entities to be decoded by the DOM. This decoding enables attackers to break out of the JavaScript context and inject malicious scripts.

Additionally, several JavaScript files use unsafe DOM manipulation methods such as template literals, .html(), and window.location.href with unvalidated URLs that incorporate user-controlled data. This further facilitates script injection.

Authenticated attackers with Contributor-level access or higher can exploit this vulnerability by injecting arbitrary web scripts via Elementor widget settings. These scripts execute when a user visits the injected page or when an administrator previews the page in Elementor's editor.

The vulnerability was partially patched in version 5.1.51.
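The two-parser problem the description and the answer above refer to, as an added example (not code from the page or from the plugin): the HTML parser decodes entities in an onclick attribute before the JavaScript engine ever sees the handler's source, so esc_attr() alone cannot keep a value inside a JS string literal. esc_attr() is simulated with Python's html.escape, and the hardened form layers JSON encoding (the JS-literal layer) under the attribute escaping; moving the value into a data-* attribute and attaching the handler with addEventListener is the other fix and is assumed, not shown.

```python
import html
import json

def esc_attr(value: str) -> str:
    # Stand-in for WordPress esc_attr(): HTML-encode for an attribute value
    # (the real function emits &#039; for a quote; the entity name is immaterial).
    return html.escape(value, quote=True)

def as_seen_by_js_engine(attr_value: str) -> str:
    # The HTML parser decodes entities in an attribute value *before* the
    # JS engine sees the handler's source text, undoing esc_attr() entirely.
    return html.unescape(attr_value)

def render_vulnerable(value: str) -> str:
    # The pattern named in the advisory: esc_attr() directly inside onclick.
    return "play('" + esc_attr(value) + "')"

def render_hardened(value: str) -> str:
    # JSON-encode for the JS-literal layer first, then esc_attr() for the
    # attribute layer; each parser undoes exactly one layer.
    return "play(" + esc_attr(json.dumps(value)) + ")"

def first_js_string_literal(src: str):
    # Minimal JS tokenizer: (literal, remainder) for a leading quoted string,
    # honouring backslash escapes; None if no well-formed literal starts here.
    if not src or src[0] not in "'\"":
        return None
    quote, i, out = src[0], 1, []
    while i < len(src):
        if src[i] == "\\" and i + 1 < len(src):
            out.append(src[i + 1]); i += 2; continue
        if src[i] == quote:
            return "".join(out), src[i + 1:]
        out.append(src[i]); i += 1
    return None

def value_stays_inside_literal(handler_src: str, value: str) -> bool:
    # True only if play() receives `value` as one string literal and the
    # handler contains nothing else: no breakout into the JS context.
    decoded = as_seen_by_js_engine(handler_src)
    if not decoded.startswith("play("):
        return False
    tok = first_js_string_literal(decoded[len("play("):])
    return tok is not None and tok[0] == value and tok[1] == ")"

if __name__ == "__main__":
    for v in ("plain", "O'Reilly", 'say "hi"'):
        print(repr(v), value_stays_inside_literal(render_vulnerable(v), v),
              value_stays_inside_literal(render_hardened(v), v))
```

A value with a single quote already ends the literal early in the vulnerable form, which is the context break the advisory describes; the same value survives the hardened form intact.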


How can this vulnerability impact me?

This vulnerability can have several impacts on affected WordPress sites using the King Addons for Elementor plugin:

  • An attacker with Contributor-level access or higher can inject malicious JavaScript code into widget settings.
  • Injected scripts execute in the context of users visiting the affected pages or administrators previewing them, potentially leading to session hijacking, credential theft, or unauthorized actions.
  • The vulnerability can be used to perform persistent (stored) cross-site scripting attacks, which are more dangerous because the malicious code remains on the site until removed.
  • It may allow attackers to manipulate the site's user interface or redirect users to malicious sites.
  • Because the vulnerability requires only Contributor-level access, it lowers the barrier for exploitation compared to vulnerabilities requiring higher privileges.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

The vulnerability CVE-2025-13535 affects the King Addons for Elementor WordPress plugin, specifically versions up to and including 51.1.38. It involves multiple Contributor+ DOM-Based Stored Cross-Site Scripting issues due to insufficient input sanitization and unsafe JavaScript DOM manipulations in various widgets such as Video Popup and Countdown.

Detection on your system would involve identifying if the vulnerable plugin version is installed and active. Since the vulnerability requires Contributor-level or higher authenticated access to inject scripts, monitoring for unusual or unauthorized Contributor activity or unexpected script injections in Elementor widget settings is important.

Specific commands to detect this vulnerability are not provided in the available resources. However, general steps include:

  • Check the installed version of the King Addons for Elementor plugin to see if it is version 51.1.38 or earlier.
  • Search for suspicious or unexpected JavaScript code or HTML entities in Elementor widget settings, especially in Video Popup or Countdown widgets.
  • Review user roles and permissions to identify if any Contributor+ users have made recent changes that could have injected malicious scripts.

For example, on a WordPress server, you might run commands like:

  • wp plugin list --status=active | grep king-addons
  • grep -r --include='*.php' 'king-addons' wp-content/plugins/king-addons-for-elementor/
  • Search the database for suspicious content in Elementor widget settings, e.g., using SQL queries to look for script tags or unusual HTML entities in post meta or options tables.

Since the vulnerability involves DOM-based XSS triggered by stored scripts in widget settings, manual or automated inspection of widget configurations and user inputs is necessary.
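Elementor keeps a page's widget tree as JSON in the _elementor_data post meta, so the "inspect widget configurations" step above can be scripted. This is added example code, not from the page or the plugin: it walks a constructed tree of that shape and flags setting strings carrying the indicators the advisory names (script tags, javascript: URLs for the window.location.href sink, inline handlers, and HTML entities for quotes). The widget names in the sample are made up; feed real data with wp post meta get <post_id> _elementor_data.

```python
import json
import re

# Indicators the advisory points at: script tags, javascript: URLs (the
# window.location.href sink), inline handlers, and HTML entities for quotes
# (what the DOM decodes before the JS engine runs). Heuristic: a hit means
# "look at this setting", not proof of compromise.
SUSPICIOUS = re.compile(
    r"<\s*script|javascript\s*:|\bon[a-z]+\s*=|&#0*(39|x27);|&quot;",
    re.IGNORECASE,
)

# Constructed `_elementor_data` tree in Elementor's real shape; the widget
# names and values are made up for this example.
SAMPLE = json.dumps([{"id": "a1", "elType": "section", "settings": {},
  "elements": [{"id": "b2", "elType": "column", "settings": {},
    "elements": [
      {"id": "c3", "elType": "widget", "widgetType": "heading",
       "settings": {"title": "Plain heading"}, "elements": []},
      {"id": "d4", "elType": "widget", "widgetType": "example-video-popup",
       "settings": {"video_url": {"url": "javascript:void(0)"},
                    "button_text": "Watch&#039; now"}, "elements": []}]}]}])

def _strings(val):
    # Yield every string nested in a setting value (dicts/lists included).
    if isinstance(val, str):
        yield val
    elif isinstance(val, dict):
        for v in val.values():
            yield from _strings(v)
    elif isinstance(val, list):
        for v in val:
            yield from _strings(v)

def scan_elementor_data(raw_json: str, post_id: int):
    # Walk the element tree and report (post_id, widget, setting, value)
    # for each widget setting string that matches an indicator.
    findings = []
    def walk(node):
        if isinstance(node, list):
            for child in node:
                walk(child)
        elif isinstance(node, dict):
            widget = node.get("widgetType") or node.get("elType", "?")
            for key, val in (node.get("settings") or {}).items():
                findings.extend((post_id, widget, key, s)
                                for s in _strings(val) if SUSPICIOUS.search(s))
            walk(node.get("elements", []))
    walk(json.loads(raw_json))
    return findings
```

Run it per post over every published or draft page that Contributor+ accounts touched; the finding tuple gives you the post, widget and setting to open in the editor and clean.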


What immediate steps should I take to mitigate this vulnerability?

To mitigate CVE-2025-13535, immediate steps include:

  • Update the King Addons for Elementor plugin to version 5.1.51 or later, where the vulnerability has been partially patched.
  • Restrict Contributor+ user permissions to trusted users only, as the vulnerability requires authenticated Contributor-level access to exploit.
  • Review and sanitize all Elementor widget settings, especially those related to Video Popup and Countdown widgets, to remove any injected malicious scripts or suspicious content.
  • Implement additional input validation and output escaping in custom widgets or plugin extensions if applicable.

Additionally, monitor your site for unusual behavior such as unexpected redirects, injected scripts, or unauthorized content changes.

