CVE-2026-15284 in King Addons for Elementor Plugininfo

Summary

by MITRE • 07/10/2026

The King Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'form_page_id' parameter in versions up to, and including, 51.1.62 This is due to insufficient input sanitization in the add_to_submissions() function, which applies sanitize_text_field() (which preserves double-quote characters) before storing the value in post meta, combined with missing output escaping in the king_addons_submissions_custom_column_content() function, which concatenates the stored value into an HTML href attribute via admin_url() without wrapping the result in esc_url(). This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/10/2026

The vulnerability in King Addons for Elementor plugin represents a critical stored cross-site scripting flaw that enables authenticated attackers to execute malicious scripts within the WordPress administration interface. This security weakness affects versions up to and including 51.1.62 and stems from inadequate input validation mechanisms within the plugin's core functionality. The vulnerability specifically targets the add_to_submissions() function where user-supplied data undergoes insufficient sanitization processes, creating an attack vector that can be exploited by users with subscriber-level permissions or higher.

The technical implementation of this vulnerability involves a multi-step exploitation process that begins with improper input handling in the form_page_id parameter. The plugin's developers applied sanitize_text_field() function which, while designed to remove potentially harmful characters, fails to adequately strip double-quote characters that are essential for crafting cross-site scripting attacks. This sanitization method preserves dangerous characters that can be leveraged to inject malicious payloads into the WordPress database through post meta storage mechanisms. The stored data then flows into the king_addons_submissions_custom_column_content() function where the vulnerability manifests through missing output escaping procedures.

The operational impact of this vulnerability extends beyond simple script execution, as it provides attackers with persistent access to the WordPress administration environment. When authenticated users browse pages containing maliciously injected scripts, these payloads execute in the context of the victim's browser session, potentially enabling full administrative control over the affected WordPress site. The attack surface is particularly concerning because it requires only subscriber-level privileges, making it accessible to a broad range of potential attackers who may have legitimate access to the system but lack elevated permissions.

The vulnerability aligns with CWE-79 which specifically addresses cross-site scripting conditions where insufficient output escaping allows malicious scripts to be executed in web browsers. This weakness also maps to ATT&CK technique T1548.002 related to abuse of group privileges, as the attack leverages existing user permissions rather than requiring privilege escalation. The exploitation pathway demonstrates a classic stored XSS pattern where malicious input is first stored in the application's database and then retrieved during normal user operations, creating an automated execution mechanism that persists across multiple user sessions.

Mitigation strategies should focus on immediate code-level fixes including proper input validation that removes all potentially dangerous characters before data storage, comprehensive output escaping for all dynamic content rendered in HTML contexts, and implementation of Content Security Policy headers to limit script execution. Additionally, administrators should implement strict access controls and monitoring procedures to detect unauthorized modifications to plugin components, while regular security audits should verify that similar sanitization gaps do not exist in other parts of the WordPress installation. The most effective immediate solution involves updating to patched versions of the plugin where developers have implemented proper sanitization and escaping mechanisms to prevent the persistence and execution of malicious scripts.

Responsible

Wordfence

Reservation

07/09/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!