WordPress Plugin Vulnerabilities

King Addons for Elementor <= 51.1.58 - Contributor+ Stored XSS

Description

The plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
king-addons
No known fix

References

CVE
CVE-2025-62887
URL
https://vdp.patchstack.com/database/Wordpress/Plugin/king-addons/vulnerability/wordpress-king-addons-for-elementor-plugin-51-1-37-cross-site-scripting-xss-vulnerability

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.9 (medium)

Miscellaneous

Original Researcher
Abu Hurayra (HurayraIIT)
Verified
No
WPVDB ID
71da55fe-d243-45f5-8cf0-1931f5793552

Timeline

Publicly Published
2025-08-18 (about 10 months ago)
Added
2025-10-29 (about 7 months ago)
Last Updated
2026-02-18 (about 4 months ago)

Other

Published
Title
Published
2026-03-04
Title
OoohBoi Steroids for Elementor < 2.1.25 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple URL Controls
Published
2023-09-06
Title
User Submitted Posts < 20230902 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Published
2021-04-13
Title
All-in-One Addons for Elementor - WidgetKit < 2.3.10 - Contributor+ Stored XSS
Published
2024-03-13
Title
Contact Form by BestWebSoft < 4.2.9 - Reflected Cross-Site Scripting via cntctfrm_contact_subject
Published
2026-03-18
Title
Draft List < 2.6.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'display_name' Parameter