CVE-2026-15284
Received Received - Intake

Stored XSS in King Addons for Elementor WordPress Plugin

Vulnerability report for CVE-2026-15284, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: Wordfence

Description

The King Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'form_page_id' parameter in versions up to, and including, 51.1.62 This is due to insufficient input sanitization in the add_to_submissions() function, which applies sanitize_text_field() (which preserves double-quote characters) before storing the value in post meta, combined with missing output escaping in the king_addons_submissions_custom_column_content() function, which concatenates the stored value into an HTML href attribute via admin_url() without wrapping the result in esc_url(). This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
king_addons king_addons_for_elementor to 51.1.62 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The King Addons for Elementor plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in versions up to and including 51.1.62. This vulnerability arises because the plugin does not properly sanitize input in the 'form_page_id' parameter. Specifically, the add_to_submissions() function uses sanitize_text_field(), which still allows double-quote characters, before storing the input in post meta. Later, the king_addons_submissions_custom_column_content() function outputs this stored value into an HTML href attribute without proper escaping (esc_url()), allowing an attacker to inject malicious scripts.

Authenticated attackers with subscriber-level access or higher can exploit this vulnerability to inject arbitrary web scripts into pages. These scripts will execute whenever a user accesses the injected page.

Impact Analysis

This vulnerability can allow an attacker with subscriber-level access or above to inject malicious scripts into the website. These scripts can execute in the context of users visiting the affected pages, potentially leading to unauthorized actions such as stealing user credentials, session hijacking, defacement, or spreading malware.

Detection Guidance

This vulnerability involves Stored Cross-Site Scripting (XSS) via the 'form_page_id' parameter in the King Addons for Elementor plugin. Detection involves checking for suspicious or malicious script injections in the stored 'form_page_id' values within the WordPress database, particularly in post meta entries.

You can inspect the WordPress database for unusual or script-containing entries in the post meta table related to King Addons submissions. For example, using a MySQL command to search for suspicious content:

  • mysql -u [user] -p -e "SELECT * FROM wp_postmeta WHERE meta_key LIKE '%form_page_id%' AND meta_value LIKE '%<script>%';"

Additionally, monitoring HTTP requests for unusual parameters or payloads targeting 'form_page_id' can help detect exploitation attempts.

Mitigation Strategies

To mitigate this vulnerability, immediately update the King Addons for Elementor plugin to a version later than 51.1.62 where the issue is fixed.

If an update is not immediately possible, restrict or review user permissions to limit subscriber-level and above users from submitting or modifying data via the vulnerable 'form_page_id' parameter.

Additionally, consider implementing Web Application Firewall (WAF) rules to block or sanitize requests containing suspicious script payloads targeting this parameter.

Finally, audit and clean any stored malicious scripts in the database to prevent execution when pages are accessed.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15284. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart