Description
Subscriber Cross Site Scripting (XSS) in King Addons for Elementor <= 51.1.62 versions.
Published: 2026-06-15
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

King Addons for Elementor versions up to and including 51.1.62 let a user holding only the Subscriber role (the "Subscriber" in the title is the minimum privilege needed, matching PR:L in the CVSS vector) inject arbitrary HTML and JavaScript through plugin fields whose values are rendered without adequate output encoding. The payload executes in the browser of any user who views the affected content; when that viewer is an editor or administrator, the script runs with the victim's session and can read what the victim can read and perform actions the victim is allowed to perform, up to and including account takeover. The weakness is CWE‑79 (improper neutralization of input during web page generation). The advisory names neither the affected fields nor whether the payload is stored or reflected, only that a victim has to view the page that renders it (UI:R).

Affected Systems

The affected product is the King Addons for Elementor plugin for WordPress (vendor recorded as Kingaddons in the CVE entry). Versions 51.1.62 and earlier are vulnerable; any WordPress site with one of these releases installed and active is affected.

Risk and Exploitability

The CVSS 3.1 base score of 6.5 (Medium) comes from the vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L: the attack is remote and low in complexity, but it requires an authenticated account with low privileges (a Subscriber) and a victim who views the affected content; the changed scope reflects that script executing in the victim's browser reaches beyond the plugin's own security boundary. The EPSS score is below 1 %, the vulnerability is not listed in CISA's KEV catalog, and the SSVC assessment records Exploitation: none and Automatable: no, so as of the dates on this page there is no evidence of exploitation in the wild. Exposure is concentrated on sites where untrusted users can obtain Subscriber‑level accounts (open registration, membership or comment‑signup setups) and that still run 51.1.62 or earlier. The fix is to update; if the update must wait, restrict who can register and review subscriber‑editable content for injected markup.

Generated by OpenCVE AI on June 16, 2026 at 20:29 UTC.

Remediation

Vendor Solution

Update the WordPress King Addons for Elementor Plugin to the latest available version (at least 51.1.63).


OpenCVE Recommended Actions

  • Update King Addons for Elementor to version 51.1.63 or newer, the release the vendor identifies as fixed.
  • In the plugin's render paths, escape every user‑controlled value for the context it lands in: esc_html() for text nodes, esc_attr() for attribute values, esc_url() for href and src, and wp_kses_post() for fields that legitimately carry HTML. Sanitizing on save is defense in depth, not a substitute for output encoding.
  • Audit custom widgets, templates and themes that render data from King Addons and apply the same output encoding; until the update is applied, limit who can obtain a Subscriber‑level account and check subscriber‑editable content for script tags and event‑handler attributes.

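The following is an added illustration, not code from King Addons or from OpenCVE, of the CWE‑79 pattern the analysis above describes and of the output‑encoding fix the recommendations call for. The widget fields, the payload and the settings array are hypothetical; in a real Elementor widget the values come from $this->get_settings_for_display() inside render(), which returns them unescaped. The file runs on its own with `php xss_demo.php` and, when loaded inside WordPress, uses the core escaping functions instead of the fallbacks.

```php
<?php
// Added example, not King Addons code: a "Subscriber XSS" render bug and its fix.
// Field names, payloads and the settings array below are constructed for the demo.
declare(strict_types=1);

// Escaping helpers. Inside WordPress the core functions are used; the fallbacks
// let this file run stand-alone and behave the same way for these inputs.
function out_html(string $s): string
{
    return function_exists('esc_html')
        ? esc_html($s)
        : htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function out_attr(string $s): string
{
    return function_exists('esc_attr')
        ? esc_attr($s)
        : htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function out_url(string $s): string
{
    if (function_exists('esc_url')) {
        return esc_url($s); // returns '' for disallowed schemes such as javascript:
    }
    // Minimal fallback: accept only http(s) URLs, then attribute-encode them.
    return preg_match('#^https?://#i', $s) === 1 ? out_attr($s) : '';
}

// VULNERABLE: widget settings echoed verbatim. A Subscriber who can edit these
// controls gets script execution in every viewer's browser (the bug class of this CVE).
function render_vulnerable(array $s): string
{
    return '<div id="' . $s['css_id'] . '">'
        . '<a href="' . $s['link'] . '">' . $s['title'] . '</a>'
        . '</div>';
}

// HARDENED: every value is encoded for the context it is written into
// (attribute, URL attribute, text node). Same markup, no script execution.
function render_hardened(array $s): string
{
    return '<div id="' . out_attr($s['css_id']) . '">'
        . '<a href="' . out_url($s['link']) . '">' . out_html($s['title']) . '</a>'
        . '</div>';
}

// Constructed settings as a low-privilege user could save them through the
// widget controls: an HTML injection, an attribute breakout and a javascript: URL.
$settings = [
    'title'  => '<img src=x onerror=alert(document.cookie)>',
    'css_id' => '" autofocus onfocus="alert(1)',
    'link'   => 'javascript:alert(1)',
];

echo "vulnerable: ", render_vulnerable($settings), "\n";
echo "hardened:   ", render_hardened($settings), "\n";
```

The vulnerable output contains a live onerror handler, a second attribute injected through the unquoted id, and a javascript: link; the hardened output renders the same strings as inert text, an encoded attribute value and an empty href. For fields that must carry limited HTML (a rich‑text description, for instance), wp_kses_post() on output is the equivalent of out_html() here, and for attributes Elementor's own add_render_attribute() and get_render_attribute_string() apply esc_attr() for you, so prefer them to hand‑built attribute strings.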

Tracking


Advisories

No advisories yet.

History

Tue, 16 Jun 2026 15:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 07:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Kingaddons
                                       Kingaddons king Addons For Elementor
                                       Wordpress
                                       Wordpress wordpress
Vendors & Products                     Kingaddons
                                       Kingaddons king Addons For Elementor
                                       Wordpress
                                       Wordpress wordpress

Mon, 15 Jun 2026 20:30:00 +0000

Type          Values Removed   Values Added
Description                    Subscriber Cross Site Scripting (XSS) in King Addons for Elementor <= 51.1.62 versions.
Title                          WordPress King Addons for Elementor plugin <= 51.1.62 - Cross Site Scripting (XSS) vulnerability
Weaknesses                     CWE-79
References
Metrics                        cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T14:33:26.545Z

Reserved: 2026-05-25T22:10:00.865Z

Link: CVE-2026-48870

Vulnrichment

Updated: 2026-06-16T14:33:21.661Z

NVD

Status : Deferred

Published: 2026-06-15T21:17:16.440

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-48870

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T20:30:03Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')