Stored Cross-Site Scripting Vulnerability in King Addons for Elementor Plugin
CVE-2026-15284
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 10 July 2026
What is CVE-2026-15284?
The King Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting through inadequate input sanitization in the 'form_page_id' parameter. Authenticated attackers with subscriber-level access or above can exploit this flaw in versions up to and including 51.1.62. The vulnerability arises from the add_to_submissions() function, where minimal sanitization is performed, failing to properly escape output in the king_addons_submissions_custom_column_content() function. This allows attackers to inject arbitrary web scripts that execute when users access affected pages, potentially leading to unauthorized actions or data compromise.
Affected Version(s)
King Addons for Elementor β 80+ Elementor Widgets, 4 000+ Elementor Templates, WooCommerce, Mega Menu, Popup Builder 0 <= 51.1.62