CVE-2025-13997 MEDIUM

CVE-2025-13997: King Addons for Elementor <= 51.1.49 - Unauthenticated API Keys Disclosure

Vendor Kingaddons

Product King Addons for Elementor – 80+ Elementor Widgets, 4 000+ Elementor Templates, WooCommerce, Mega Menu, Popup Builder

Weakness CWE-200 · Info exposure

Published March 23, 2026

Last update April 8, 2026

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality Low

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

Description

The King Addons for Elementor – 4,000+ ready Elementor sections, 650+ templates, 70+ FREE widgets for Elementor plugin for WordPress is vulnerable to unauthenticated API key disclosure in all versions up to, and including, 51.1.49 due to the plugin adding the API keys to the HTML source code via render_full_form function. This makes it possible for unauthenticated attackers to extract site's Mailchimp, Facebook and Google API keys and secrets. This vulnerability requires the Premium license to be installed

Key dates

Disclosure timeline

March 23, 2026 CVE published

April 8, 2026 Record updated

Identifiers

CVE CVE-2025-13997

CWE CWE-200

CVSS 5.3 / MEDIUM

Affected versions

Vendor Kingaddons

Product King Addons for Elementor – 80+ Elementor Widgets, 4 000+ Elementor Templates, WooCommerce, Mega Menu, Popup Builder

Affected ≤ 51.1.49