CVE-2025-13997 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) affecting the King Addons for Elementor WordPress plugin, which provides over 80 Elementor widgets and thousands of templates. The vulnerability exists in all versions up to 51.1.49 and stems from the plugin’s render_full_form function, which inadvertently includes sensitive API keys (Mailchimp, Facebook, Google) directly in the HTML source code of web pages. This exposure occurs without requiring any authentication or user interaction, making it trivially accessible to any attacker who can view the page source. The vulnerability specifically affects installations with the Premium license enabled, as the API keys are only embedded in that context. The CVSS 3.1 base score is 5.3 (medium severity), reflecting the ease of access (network vector, no privileges required) but limited impact (only confidentiality affected, no integrity or availability impact). Although no public exploits have been reported, the exposed API keys could be used by attackers to access or manipulate third-party services integrated with the affected site, potentially leading to data leakage, unauthorized marketing campaigns, or further compromise. The lack of a patch link suggests that a fix may not yet be publicly available, emphasizing the need for immediate mitigation steps. This vulnerability highlights the risks of improper handling of sensitive credentials in web applications and the importance of secure coding practices in plugin development.

The primary impact of this vulnerability is the unauthorized disclosure of sensitive API keys used for Mailchimp, Facebook, and Google integrations. Attackers gaining access to these keys could abuse third-party services, potentially sending unauthorized marketing emails, manipulating social media accounts, or accessing analytics data. This can lead to reputational damage, data leakage, and financial losses for organizations relying on these services. Since the vulnerability does not affect integrity or availability directly, the immediate system disruption risk is low; however, the confidentiality breach can facilitate further attacks or fraud. Organizations with high reliance on these integrations, especially e-commerce sites using WooCommerce or sites with extensive marketing automation, are at greater risk. The vulnerability’s ease of exploitation (no authentication or user interaction required) increases the likelihood of opportunistic attacks. The absence of known exploits in the wild currently limits immediate widespread impact, but the exposure window remains critical until remediated.

1. Immediately audit all instances of King Addons for Elementor with Premium licenses to identify affected versions. 2. If available, apply vendor patches or updates addressing this vulnerability as soon as they are released. 3. In the absence of patches, disable or remove the Premium license features that cause API keys to be embedded in HTML source. 4. Rotate all exposed API keys (Mailchimp, Facebook, Google) to invalidate compromised credentials. 5. Implement Content Security Policy (CSP) headers to limit the impact of exposed keys and reduce the risk of further exploitation. 6. Review and restrict API key permissions to the minimum necessary scope to limit potential damage if keys are compromised. 7. Monitor logs and third-party service accounts for suspicious activity indicative of key misuse. 8. Educate developers and administrators on secure handling of sensitive credentials to prevent similar issues. 9. Consider deploying Web Application Firewalls (WAF) with custom rules to detect and block attempts to scrape API keys from HTML source. 10. Regularly scan web pages for inadvertent exposure of sensitive information as part of security hygiene.