Impact
The plugin allows full control over widget configurations. In versions up to and including 51.1.39 the widget attributes are taken from user input without proper sanitization or output escaping, permitting an authenticated contributor or higher to embed arbitrary JavaScript directly into the widget markup. When a visitor loads a page that contains the modified widget, the injected script executes in that visitor's browser, exposing the site to flash-pharming, cookie theft, or malicious redirection. This vulnerability corresponds to CWE-79 (stored cross-site scripting) and gives the attacker control over client-side code while bypassing the site's content security mechanisms, thereby compromising the confidentiality, integrity, and availability of the web interface for end users.
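The pattern the advisory describes, as an added illustration that is not King Addons' code: a widget render routine that concatenates contributor-controlled settings straight into markup, beside the escaped form. The setting names and sample values are hypothetical, and the esc_attr()/esc_html() shims stand in for the WordPress core functions only so the file runs on its own.

```php
<?php
// Added example, not the plugin's code. Shows why unescaped widget settings
// turn into stored XSS and how context-aware escaping prevents it.

// Stand-ins so this runs outside WordPress; inside a plugin the core
// esc_attr() and esc_html() functions are used and these are skipped.
if (!function_exists('esc_attr')) {
    function esc_attr($text) { return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('esc_html')) {
    function esc_html($text) { return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8'); }
}

// Settings as a contributor could save them in the editor (constructed
// sample). Setting keys are hypothetical placeholders. The quote and the
// angle brackets are what let a value escape its attribute or text context.
$settings = [
    'plan_title'       => 'Basic <b>plan</b>',
    'custom_css_class' => 'pricing" title="x',
];

// Vulnerable pattern: values dropped into the markup as-is, so a quote in
// custom_css_class ends the class attribute and a tag in plan_title is parsed
// as HTML. This is the shape of defect the advisory reports.
function render_unsafe(array $settings): string
{
    return '<div class="' . $settings['custom_css_class'] . '">'
         . '<h3>' . $settings['plan_title'] . '</h3></div>';
}

// Hardened pattern: escape for the context each value lands in. esc_attr()
// for attribute values, esc_html() for text nodes; a value that must allow
// limited HTML would go through wp_kses_post() instead.
function render_safe(array $settings): string
{
    return '<div class="' . esc_attr($settings['custom_css_class']) . '">'
         . '<h3>' . esc_html($settings['plan_title']) . '</h3></div>';
}

echo "unsafe: " . render_unsafe($settings) . PHP_EOL;
echo "safe:   " . render_safe($settings) . PHP_EOL;
```

Running it with plain php shows the escaped output keeping both values inside their original contexts, which is the check to apply to every setting a widget's render() emits.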
Affected Systems
All releases of the King Addons for Elementor WordPress plugin on the WordPress plugin repository through version 51.1.39 are affected. The vulnerability occurs in the plugin’s Pricing Slider, Pricing Calculator, and Image Accordion widgets, which are part of the King Addons for Elementor suite that offers more than 80 Elementor widgets, thousands of templates, and integrated WooCommerce enhancements.
Risk and Exploitability
The CVSS score of 6.4 indicates a medium-severity issue for an attacker who already has contributor rights on the WordPress installation. An EPSS of less than 1% shows that, so far, the vulnerability has not seen widespread exploitation. It is not currently in the CISA KEV catalog. Because the flaw requires authenticated access, an attacker must first obtain contributor or higher privileges, after which the vulnerability can be leveraged by creating or editing a widget that contains malicious JavaScript. Once the page is viewed by other users, the injected script runs in the visitor's browsing context, which can lead to session hijacking, defacement, or phishing. Hence the risk is moderately high for vulnerable installations that grant contributor-level accounts to untrusted parties.
OpenCVE Enrichment