Description
The Document Pro Elementor – Documentation & Knowledge Base plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.0.9. This is due to the plugin exposing sensitive Algolia API keys through the frontend JavaScript code via wp_localize_script without proper access restrictions. This makes it possible for unauthenticated attackers to view sensitive API keys in the page source, which could be leveraged to make unauthorized API calls to the configured Algolia search service.
Published: 2025-11-11
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Update Plugin
AI Analysis

Impact

The Document Pro Elementor – Documentation & Knowledge Base plugin for WordPress leaks sensitive Algolia API keys through its front‑end JavaScript code, bypassing any access restrictions. An attacker who can view the page source can capture these keys and use them to make unauthorized calls to the configured Algolia search service. This flaw allows unauthenticated disclosure of credentials that could facilitate further manipulation of the search index or data extraction.

Affected Systems

All installations of the Document Pro Elementor – Documentation & Knowledge Base plugin with versions 1.0.9 or earlier are affected. The vulnerability exists in the WordPress plugin listing for ngothoai on Trac, and it is present in the code paths that enqueue scripts from the DPET_Enqueue.php file.

Risk and Exploitability

The CVSS score of 5.3 indicates medium severity, and the EPSS score of less than 1% suggests a low probability of exploitation at the time of analysis. The flaw is not currently listed in the CISA KEV catalog, but because the exposure is through public JavaScript, any user who visits a page that loads the plugin can retrieve the keys. Attackers do not need authenticated access, making the attack vector broad and straightforward—simply accessing a page that includes the plugin’s front‑end assets.

Generated by OpenCVE AI on April 22, 2026 at 12:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Document Pro Elementor plugin to a version newer than 1.0.9, which removes the Algolia API keys from public JavaScript.
  • If an upgrade is not feasible, modify the DPET_Enqueue.php file to stop passing the sensitive keys to wp_localize_script, or alter the logic to expose keys only to authenticated users.
  • Verify that no Algolia API keys appear in any publicly served JavaScript files and monitor the Algolia service logs for unexpected or unauthenticated API usage.

Generated by OpenCVE AI on April 22, 2026 at 12:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 12 Nov 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 12 Nov 2025 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Elementor
Elementor elementor
Ngothoai
Ngothoai document Pro Elementor
Wordpress
Wordpress wordpress
Vendors & Products Elementor
Elementor elementor
Ngothoai
Ngothoai document Pro Elementor
Wordpress
Wordpress wordpress

Tue, 11 Nov 2025 03:45:00 +0000

Type Values Removed Values Added
Description The Document Pro Elementor – Documentation & Knowledge Base plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.0.9. This is due to the plugin exposing sensitive Algolia API keys through the frontend JavaScript code via wp_localize_script without proper access restrictions. This makes it possible for unauthenticated attackers to view sensitive API keys in the page source, which could be leveraged to make unauthorized API calls to the configured Algolia search service.
Title Document Pro Elementor – Documentation & Knowledge Base <= 1.0.9 - Unauthenticated Information Exposure
Weaknesses CWE-200
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Elementor Elementor
Ngothoai Document Pro Elementor
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:55:14.555Z

Reserved: 2025-10-20T20:47:48.546Z

Link: CVE-2025-11997

cve-icon Vulnrichment

Updated: 2025-11-12T16:04:56.740Z

cve-icon NVD

Status : Deferred

Published: 2025-11-11T04:15:45.293

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11997

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T12:30:16Z

Weaknesses