CVE-2025-13535: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in kingaddons King Addons for Elementor – 80+ Elementor Widgets, 4 000+ Elementor Templates, WooCommerce, Mega Menu, Popup Builder
The King Addons for Elementor plugin for WordPress is vulnerable to multiple Contributor+ DOM-Based Stored Cross-Site Scripting vulnerabilities in all versions up to, and including, 51.1.38. This is due to insufficient input sanitization and output escaping across multiple widgets and features. The plugin uses esc_attr() and esc_url() within JavaScript inline event handlers (onclick attributes), which allows HTML entities to be decoded by the DOM, enabling attackers to break out of the JavaScript context. Additionally, several JavaScript files use unsafe DOM manipulation methods (template literals, .html(), and window.location.href with unvalidated URLs) with user-controlled data. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts via Elementor widget settings that execute when a user accesses the injected page or when an administrator previews the page in Elementor's editor. The vulnerability was partially patched in version 5.1.51.
AI Analysis
Technical Summary
CVE-2025-13535 covers multiple stored, DOM-based Cross-Site Scripting flaws in King Addons for Elementor, a WordPress plugin that ships over 80 Elementor widgets, thousands of templates, and WooCommerce, Mega Menu and Popup Builder features. The root cause is a context mismatch rather than a missing escape: the plugin passes widget settings through esc_attr() and esc_url() and then places them inside inline JavaScript event handlers such as onclick attributes. Those functions encode quotes and angle brackets as HTML character references, which is correct for a plain HTML attribute, but the browser decodes character references in an attribute value before handing it to the JavaScript engine. A stored &#039; therefore becomes a literal single quote inside the handler, terminates the string the value was placed in, and lets the remainder of the setting run as code. Separately, several of the plugin's JavaScript files build markup from user-controlled settings with template literals and jQuery's .html(), and assign user-supplied URLs to window.location.href without validating the scheme, so a stored javascript: URL or HTML fragment executes in the visitor's browser. Any authenticated user with Contributor-level access or higher can store such payloads through Elementor widget settings; they execute when a visitor loads the affected page or when an administrator opens or previews it in the Elementor editor, where the administrator's session cookies and nonces are available to the script. The advisory lists all versions up to and including 51.1.38 as affected and states that version 5.1.51 contains a partial fix; the two version strings do not follow the same numbering scheme, so confirm the patched release against the vendor changelog rather than relying on either number when checking a deployed site. The CVSS v3.1 base score is 6.4 (medium): network attack vector, low attack complexity, low privileges required (Contributor+), no user interaction, changed scope, and low confidentiality and integrity impact with no availability impact. No in-the-wild exploitation was known at the time of writing. The weakness is tracked as CWE-79 (Improper Neutralization of Input During Web Page Generation).
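The context mismatch described above, as an added example that is neither the plugin's code nor part of the advisory: escAttr mimics WordPress esc_attr(), decodeAttrValue stands in for the browser's decoding of an attribute value, and openPopup is a hypothetical handler name. The vulnerable branch HTML-escapes only; the hardened branch encodes the value as a JavaScript string literal first (the PHP equivalent is wp_json_encode() with the JSON_HEX_* flags) and HTML-escapes that result. The decoded handler is then executed with stubbed globals so the break-out is observed rather than asserted.

```javascript
// Added example (not plugin code): why HTML-entity escaping alone does not
// protect a value placed inside an inline event handler attribute.

// Mimics WordPress esc_attr(): htmlspecialchars() with ENT_QUOTES.
function escAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;');
}

// Stand-in for the HTML parser: character references in an attribute value are
// decoded before the JavaScript engine ever sees the handler source. Only the
// named entities used here plus numeric references are handled.
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
function decodeAttrValue(s) {
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (m, ref) => {
    if (ref[0] === '#') {
      const hex = ref[1].toLowerCase() === 'x';
      return String.fromCodePoint(parseInt(hex ? ref.slice(2) : ref.slice(1), hex ? 16 : 10));
    }
    return NAMED[ref.toLowerCase()] ?? m;
  });
}

// Vulnerable: the PHP equivalent is onclick="openPopup('<?php echo esc_attr( $v ); ?>')".
// The escaping is right for the attribute but wrong for the JS string inside it.
function vulnerableOnclick(userValue) {
  return `openPopup('${escAttr(userValue)}')`;
}

// Hardened: encode for the innermost context first (a JS string literal, with
// <, >, &, ' and the U+2028/2029 line terminators written as \uXXXX so the
// result is inert in HTML as well), then HTML-escape that for the attribute.
// In PHP: esc_attr( wp_json_encode( $v, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT ) ).
function jsStringLiteral(s) {
  return JSON.stringify(String(s)).replace(/[<>&'\u2028\u2029]/g,
    c => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}
function hardenedOnclick(userValue) {
  return `openPopup(${escAttr(jsStringLiteral(userValue))})`;
}

// Executes the handler source the browser would run, with the globals it
// touches replaced by recorders. new Function keeps the demo free of any DOM.
function runHandler(attrValue) {
  const log = { popups: [], alerted: false };
  const openPopup = v => { log.popups.push(v); };
  const alert = () => { log.alerted = true; };
  const document = { cookie: 'wordpress_logged_in=constructed' };
  const source = decodeAttrValue(attrValue);          // what the JS engine receives
  new Function('openPopup', 'alert', 'document', source)(openPopup, alert, document);
  return { source, ...log };
}

// Constructed payload of the shape a Contributor could store in a widget text field.
const PAYLOAD = "'); alert(document.cookie); //";

function demo() {
  return {
    vulnerable: runHandler(vulnerableOnclick(PAYLOAD)),  // alerted: true
    hardened: runHandler(hardenedOnclick(PAYLOAD)),      // alerted: false, popups[0] === PAYLOAD
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running the block shows the vulnerable handler decoding to openPopup(''); alert(document.cookie); //') and firing the stubbed alert, while the hardened handler passes the whole payload to openPopup as an ordinary string. esc_url() in the same position fails the same way, since it also emits &#039; for a single quote. The cleaner fix, which this block cannot show without a DOM, is to emit no inline handler at all: store the value in a data-* attribute (where esc_attr() is the correct escape) and attach the listener with addEventListener in the plugin's script file.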
Potential Impact
An authenticated user with Contributor-level access or higher can store JavaScript in Elementor widget settings. Contributors cannot publish, but the payload fires when an administrator or editor opens the contributor's page in the Elementor editor or previews it, and again for every visitor once the page is published. Script running in an administrator's browser inside wp-admin acts with that administrator's cookies and nonces: it can create or promote users, change settings, install or edit plugins, or exfiltrate content, which is how a Contributor-level foothold becomes full site compromise. For anonymous visitors the consequences are the usual stored-XSS ones: theft of site sessions or credentials, defacement, and redirection to attacker-controlled pages, which the unvalidated window.location.href sink makes especially easy. Availability is not affected directly. Exposure is highest on sites with many Contributors, such as multi-author publications or sites accepting guest posts, and on any site where Contributor accounts are issued without vetting.
Mitigation Recommendations
1. Update King Addons for Elementor to a release that includes the fix. The advisory describes the patch in 5.1.51 as partial, so treat that as a floor: check the vendor changelog for follow-up fixes and install the latest release rather than stopping at that version.
2. Until the update is applied, do not open or preview pages and pending posts created by Contributors in the Elementor editor, since that is one of the documented triggers; review them from the standard WordPress post list instead, and do not publish them unreviewed.
3. Restrict Contributor-level and higher accounts to people who need them. Where Contributors do not need Elementor at all, deny their role access to the editor in Elementor's Role Manager, which removes the injection path entirely.
4. For plugin and theme developers: never place a setting inside an inline event handler. esc_attr() and esc_url() are correct for a plain attribute, but the HTML parser undoes that escaping before the JavaScript engine runs the handler. Put the value in a data-* attribute and attach the handler with addEventListener, or, where a value must reach script context, serialise it with wp_json_encode(). In client-side code use .text() or textContent rather than .html() or template-literal markup for user-controlled strings, and allow only http(s) URLs before assigning anything to window.location.href.
5. Deploy a Content Security Policy that forbids inline scripts if the site can tolerate it. Such a policy blocks onclick handlers, including the plugin's legitimate ones, so test on a staging copy first; Elementor-based sites frequently depend on inline scripts and may need script hashes or nonces instead of a blanket policy.
6. Audit roles and capabilities regularly so least privilege holds, and remove dormant Contributor accounts.
7. Use a web application firewall or security plugin with XSS rules as a compensating control, bearing in mind that the payload arrives through Elementor's authenticated save requests, not anonymous traffic, so rules must inspect logged-in sessions too.
8. Search recently modified Elementor content for stored payloads. Widget settings are stored as JSON in the _elementor_data post meta, so occurrences of <script, onerror=, javascript: or quote-and-parenthesis sequences in that field on posts last edited by Contributors deserve a manual look.
9. Log and review editor activity by low-privilege accounts, and treat administrator session anomalies shortly after previewing contributor content as a possible indicator of exploitation.
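For the client-side sinks named in the analysis, a redirect through window.location.href and markup built from settings with template literals or .html(), and for the developer-side guidance in the mitigation list, here is added example code that is not from the plugin: safeRedirectTarget accepts only http(s) targets (optionally same-origin only) and renderItem builds a widget link with each value escaped for the context it lands in. The function names, the ka-item class, the field names and the sample inputs are illustrative and constructed.

```javascript
// Added example (not plugin code): closing the two client-side sinks the
// advisory names, a redirect via window.location.href and markup built from
// user-controlled strings.

const SAFE_SCHEMES = new Set(['http:', 'https:']);

// Returns an absolute URL that may be assigned to location.href, or null if the
// value must be refused. new URL() applies the same WHATWG parsing the browser
// uses, so leading whitespace, mixed-case schemes and tabs inside the scheme
// are normalised before the check rather than slipping past a naive prefix test.
function safeRedirectTarget(raw, pageUrl, { sameOriginOnly = false } = {}) {
  if (typeof raw !== 'string' || raw.trim() === '') return null;
  let url;
  try {
    url = new URL(raw, pageUrl);            // relative paths resolve against the page
  } catch {
    return null;                            // unparsable: refuse rather than guess
  }
  if (!SAFE_SCHEMES.has(url.protocol)) return null;   // javascript:, data:, vbscript:, ...
  if (sameOriginOnly && url.origin !== new URL(pageUrl).origin) return null; // also stops //evil.example
  return url.href;
}

// Escaping for text interpolated into markup (the template-literal / .html()
// case). In live DOM code prefer textContent or jQuery .text(), which parse no
// markup at all; this is for the places where a string genuinely must be built.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => HTML_ESCAPES[c]);
}

// Builds one widget link with every setting escaped for the context it lands
// in: the URL validated and then attribute-escaped, the title escaped as text.
// The class name and field names are illustrative.
function renderItem(item, pageUrl) {
  const href = safeRedirectTarget(item.url, pageUrl) ?? '#';
  return `<a class="ka-item" href="${escapeHtml(href)}">${escapeHtml(item.title)}</a>`;
}

// Constructed inputs of the kind a Contributor could store in widget settings,
// paired with what safeRedirectTarget() should return for them.
const PAGE = 'https://shop.example/landing/';
const CASES = [
  ['https://shop.example/cart', 'https://shop.example/cart'],
  ['/checkout?step=2', 'https://shop.example/checkout?step=2'],
  ['javascript:alert(document.cookie)', null],
  ['  JaVaScRiPt:alert(1)', null],
  ['java\tscript:alert(1)', null],
  ['data:text/html,<script>alert(1)</script>', null],
  ['//evil.example/phish', 'https://evil.example/phish'],   // open redirect unless sameOriginOnly
];

function runCases() {
  return CASES.map(([input, expected]) => {
    const result = safeRedirectTarget(input, PAGE);
    return { input, result, ok: result === expected };
  });
}

console.log(runCases());
console.log(renderItem({ title: '<img src=x onerror=alert(1)>', url: 'javascript:alert(1)' }, PAGE));
```

The protocol-relative case is deliberately left in the table: it is not script execution, but a redirect widget that accepts it is an open redirect, so a widget whose targets should stay on the site should pass sameOriginOnly. Checking url.protocol after parsing, rather than testing the raw string for a javascript: prefix, is what defeats the whitespace, case and embedded-tab variants.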
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-21T23:23:33.043Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 69cd74cfe6bfc5ba1df01051
Added to database: 4/1/2026, 7:41:03 PM
Last enriched: 4/2/2026, 12:12:30 PM
Last updated: 4/4/2026, 8:19:17 AM