Stored Cross-Site Scripting Vulnerability in King Addons for Elementor Plugin
CVE-2026-15284

6.4MEDIUM

What is CVE-2026-15284?

The King Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting through inadequate input sanitization in the 'form_page_id' parameter. Authenticated attackers with subscriber-level access or above can exploit this flaw in versions up to and including 51.1.62. The vulnerability arises from the add_to_submissions() function, where minimal sanitization is performed, failing to properly escape output in the king_addons_submissions_custom_column_content() function. This allows attackers to inject arbitrary web scripts that execute when users access affected pages, potentially leading to unauthorized actions or data compromise.

Affected Version(s)

King Addons for Elementor – 80+ Elementor Widgets, 4 000+ Elementor Templates, WooCommerce, Mega Menu, Popup Builder 0 <= 51.1.62

References

CVSS V3.1

Score:
6.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Naoya Takahashi (nakko)
.