CVE-2025-13997 PUBLISHED

King Addons for Elementor <= 51.1.49 - Unauthenticated API Keys Disclosure

Assigner: Wordfence
Reserved: 03.12.2025 Published: 23.03.2026 Updated: 23.03.2026

The King Addons for Elementor – 4,000+ ready Elementor sections, 650+ templates, 70+ FREE widgets for Elementor plugin for WordPress is vulnerable to unauthenticated API key disclosure in all versions up to, and including, 51.1.49 due to the plugin adding the API keys to the HTML source code via render_full_form function. This makes it possible for unauthenticated attackers to extract site's Mailchimp, Facebook and Google API keys and secrets. This vulnerability requires the Premium license to be installed

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS Score: 5.3

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	kingaddons
Product	King Addons for Elementor – 80+ Elementor Widgets, 4 000+ Elementor Templates, WooCommerce, Mega Menu, Popup Builder
Versions	Default: unaffected affected from * to 51.1.49 (incl.)

CVE-2025-13997 PUBLISHED

King Addons for Elementor <= 51.1.49 - Unauthenticated API Keys Disclosure

Metrics

Product Status

Credits

References

Problem Types