Description
The King Addons for Elementor – 4,000+ ready Elementor sections, 650+ templates, 70+ FREE widgets for Elementor plugin for WordPress is vulnerable to unauthenticated API key disclosure in all versions up to, and including, 51.1.49 due to the plugin adding the API keys to the HTML source code via render_full_form function. This makes it possible for unauthenticated attackers to extract site's Mailchimp, Facebook and Google API keys and secrets.
This vulnerability requires the Premium license to be installed
Published: 2026-03-23
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Credential disclosure via exposed API keys
Action: Patch
AI Analysis

Impact

The King Addons for Elementor plugin contains a flaw that allows attackers without authentication to read API keys and secrets for Mailchimp, Facebook, and Google that are inserted into webpage source code. This vulnerability is classified as a credential disclosure issue (CWE‑200) and could enable an attacker to abuse those keys for unauthorized actions such as sending spam, extracting sensitive data, or accessing third‑party services linked to the affected site.

Affected Systems

All versions of King Addons for Elementor up to and including 51.1.49 are affected. The flaw only manifests when the Premium license is installed. Normal users of earlier versions or without the premium edition are not impacted.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate risk. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog. The attack is likely carried out by an unauthenticated user who fetches page source; no special privileges or pre‑existing conditions are required beyond accessing the site. Given the lack of exploitation evidence, the likelihood of a widespread attack remains uncertain, but the potential impact warrants prompt attention.

Generated by OpenCVE AI on March 23, 2026 at 07:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade King Addons for Elementor to version 51.1.50 or newer
  • Verify that no Mailchimp, Facebook, or Google API keys appear in page source after the upgrade
  • If an upgrade is not immediately possible, disable or remove the plugin until a fix is released
  • Monitor the site for unexpected activity that could indicate compromise of exposed credentials

Generated by OpenCVE AI on March 23, 2026 at 07:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Kingaddons
Kingaddons king Addons For Elementor – 80+ Elementor Widgets, 4 000+ Elementor Templates, Woocommerce, Mega Menu, Popup Builder
Wordpress
Wordpress wordpress
Vendors & Products Kingaddons
Kingaddons king Addons For Elementor – 80+ Elementor Widgets, 4 000+ Elementor Templates, Woocommerce, Mega Menu, Popup Builder
Wordpress
Wordpress wordpress

Mon, 23 Mar 2026 06:45:00 +0000

Type Values Removed Values Added
Description The King Addons for Elementor – 4,000+ ready Elementor sections, 650+ templates, 70+ FREE widgets for Elementor plugin for WordPress is vulnerable to unauthenticated API key disclosure in all versions up to, and including, 51.1.49 due to the plugin adding the API keys to the HTML source code via render_full_form function. This makes it possible for unauthenticated attackers to extract site's Mailchimp, Facebook and Google API keys and secrets. This vulnerability requires the Premium license to be installed
Title King Addons for Elementor <= 51.1.49 - Unauthenticated API Keys Disclosure
Weaknesses CWE-200
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Kingaddons King Addons For Elementor – 80+ Elementor Widgets, 4 000+ Elementor Templates, Woocommerce, Mega Menu, Popup Builder
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:02:09.847Z

Reserved: 2025-12-03T22:19:22.746Z

Link: CVE-2025-13997

cve-icon Vulnrichment

Updated: 2026-03-23T11:35:41.377Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-23T07:16:05.003

Modified: 2026-03-23T14:31:37.267

Link: CVE-2025-13997

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:49:35Z

Weaknesses