King Addons for Elementor < 51.1.51 – Unauthenticated API Keys Disclosure | CVE 2025-13997 | Plugin Vulnerabilities

Description

The King Addons for Elementor – 4,000+ ready Elementor sections, 650+ templates, 70+ FREE widgets for Elementor plugin for WordPress is vulnerable to unauthenticated API key disclosure in all versions up to, and including, 51.1.49 due to the plugin adding the API keys to the HTML source code via render_full_form function. This makes it possible for unauthenticated attackers to extract site's Mailchimp, Facebook and Google API keys and secrets.
This vulnerability requires the Premium license to be installed

Affects Plugins

Fixed in 51.1.51

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/7955b162-ed0f-4455-a429-ed292771c701

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CVSS

Miscellaneous

Original Researcher

Ulyses Saicha

Verified

No

WPVDB ID

a864148c-f727-4645-8d9d-c3aaad5463ff

Timeline

Publicly Published

2026-03-22 (about 3 months ago)

Added

2026-03-22 (about 3 months ago)

Last Updated

2026-03-23 (about 3 months ago)

Other

Published

Title

Published

2024-08-16

Title

Flash & HTML5 Video < 2.5.32 - Authenticated (Subscriber+) Information Exposure

Published

2025-01-08

Title

WP Database Backup < 7.4 - Unauthenticated Database Back-Up Exposure

Published

2026-06-17

Title

Kadence Blocks < 3.7.6 - Contributor+ Sensitive Information Exposure via Block Editor proData Localization

Published

2024-06-19

Title

phpinfo() WP < 6.0 - Unauthenticated Information Exposure

Published

2024-07-15

Title

AForms < 2.2.7 - Unauthenticated Full Path Disclosure