📄 Description (English)
The King Addons for Elementor plugin for WordPress is vulnerable to multiple Contributor+ DOM-Based Stored Cross-Site Scripting vulnerabilities in all versions up to, and including, 51.1.38. This is due to insufficient input sanitization and output escaping across multiple widgets and features. The plugin uses esc_attr() and esc_url() within JavaScript inline event handlers (onclick attributes), which allows HTML entities to be decoded by the DOM, enabling attackers to break out of the JavaScript context. Additionally, several JavaScript files use unsafe DOM manipulation methods (template literals, .html(), and window.location.href with unvalidated URLs) with user-controlled data. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts via Elementor widget settings that execute when a user accesses the injected page or when an administrator previews the page in Elementor's editor. The vulnerability was partially patched in version 5.1.51.
🤖 AI Executive Summary
King Addons for Elementor plugin contains multiple DOM-based Stored XSS vulnerabilities affecting versions up to 51.1.38, allowing authenticated Contributor+ users to inject malicious scripts through widget settings. The vulnerability exploits improper use of escaping functions within JavaScript contexts and unsafe DOM manipulation methods. While a partial patch exists in version 5.1.51, complete remediation is not yet available, posing significant risk to WordPress sites using this popular page builder addon.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 14, 2026 00:48
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations using WordPress with King Addons for Elementor face significant risk, particularly: (1) Government agencies and ministries using WordPress for public-facing portals and content management; (2) Banking and financial institutions using WordPress for customer-facing websites and informational portals; (3) E-commerce platforms and retail businesses relying on Elementor for website design; (4) Healthcare providers using WordPress for patient information and appointment systems; (5) Educational institutions and universities with WordPress-based learning management systems. The vulnerability is particularly dangerous in Saudi context where many organizations grant Contributor access to multiple staff members, increasing attack surface. Compromised sites could lead to credential theft, malware distribution, and reputational damage.
🏢 Affected Saudi Sectors
Government and Public Administration
Banking and Financial Services
E-commerce and Retail
Healthcare and Medical Services
Education and Universities
Telecommunications
Media and Publishing
Real Estate and Construction
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
7.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Audit all WordPress installations using King Addons for Elementor plugin and identify current version
2. Restrict Contributor-level access to only trusted personnel; review and revoke unnecessary Contributor+ permissions
3. Implement Web Application Firewall (WAF) rules to detect and block XSS payloads in Elementor widget parameters
4. Enable WordPress security plugins with XSS detection capabilities (Wordfence, Sucuri, iThemes Security)
PATCHING GUIDANCE:
1. Update to version 5.1.51 or later immediately as partial patch is available
2. Monitor King Addons GitHub/official channels for complete patch release
3. If update not available, consider disabling King Addons temporarily and using alternative page builders
4. Test all widget functionality after patching in staging environment
COMPENSATING CONTROLS (if patching delayed):
1. Implement Content Security Policy (CSP) headers to restrict inline script execution
2. Use WordPress security plugins to monitor and log all Elementor widget modifications
3. Implement database activity monitoring for widget settings changes
4. Restrict Elementor editor access to administrators only
5. Disable Elementor preview functionality for non-admin users
6. Implement regular security scanning of WordPress database for XSS payloads
DETECTION RULES:
1. Monitor wp_postmeta table for suspicious JavaScript patterns in Elementor widget settings (look for: onclick=, onerror=, onload=, javascript:, <script>
2. Alert on any Contributor+ user modifying Elementor widget settings
3. Monitor for DOM-based XSS patterns in page source: template literals with user data, .html() calls, window.location.href assignments
4. Log all changes to Elementor widget configurations and review for encoded HTML entities in event handlers
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تدقيق جميع تثبيتات WordPress التي تستخدم مكون King Addons for Elementor وتحديد الإصدار الحالي
2. تقييد الوصول على مستوى المساهم للموظفين الموثوقين فقط؛ مراجعة وإلغاء أذونات المساهم+ غير الضرورية
3. تنفيذ قواعد جدار حماية تطبيقات الويب (WAF) للكشف عن حقن XSS وحجبها في معاملات أداة Elementor
4. تفعيل مكونات أمان WordPress مع قدرات الكشف عن XSS (Wordfence, Sucuri, iThemes Security)
إرشادات التصحيح:
1. التحديث إلى الإصدار 5.1.51 أو أحدث فوراً حيث يتوفر إصلاح جزئي
2. مراقبة قنوات King Addons الرسمية لإصدار الإصلاح الكامل
3. إذا لم يكن التحديث متاحاً، فكر في تعطيل King Addons مؤقتاً واستخدام منشئي صفحات بديلين
4. اختبر جميع وظائف الأداة بعد التصحيح في بيئة التدريج
الضوابط التعويضية (إذا تأخر التصحيح):
1. تنفيذ رؤوس سياسة أمان المحتوى (CSP) لتقييد تنفيذ البرامج النصية المضمنة
2. استخدام مكونات أمان WordPress لمراقبة وتسجيل جميع تعديلات أداة Elementor
3. تنفيذ مراقبة نشاط قاعدة البيانات لتغييرات إعدادات الأداة
4. تقييد الوصول إلى محرر Elementor للمسؤولين فقط
5. تعطيل وظيفة معاينة Elementor للمستخدمين غير المسؤولين
6. تنفيذ فحص أمان منتظم لقاعدة بيانات WordPress بحثاً عن حمولات XSS
قواعد الكشف:
1. مراقبة جدول wp_postmeta بحثاً عن أنماط JavaScript مريبة في إعدادات أداة Elementor (ابحث عن: onclick=, onerror=, onload=, javascript:, <script>
2. تنبيه على أي مستخدم Contributor+ يعدل إعدادات أداة Elementor
3. مراقبة أنماط XSS القائمة على DOM في مصدر الصفحة: حروف القالب مع بيانات المستخدم، استدعاءات .html()، تعيينات window.location.href
4. تسجيل جميع التغييرات على تكوينات أداة Elementor ومراجعتها بحثاً عن كيانات HTML المشفرة في معالجات الأحداث
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
5.1.1 - Input validation and output encoding controls
5.1.2 - Protection against injection attacks
5.2.1 - Web application security controls
5.2.2 - Secure coding practices
5.3.1 - Vulnerability management and patching
🔵 SAMA CSF
ID.BE-5.1 - Cybersecurity risk management processes
PR.DS-1.1 - Data security and protection
PR.DS-6.1 - Integrity checking mechanisms
DE.CM-1.1 - Detection and analysis of anomalies
RS.MI-2.1 - Incident response and recovery
🟡 ISO 27001:2022
A.14.2.1 - Secure development policy
A.14.2.5 - Secure development environment
A.14.3.1 - Separation of development, test and production environments
A.12.6.1 - Management of technical vulnerabilities
A.12.2.1 - Restriction of access to information
🟣 PCI DSS v4.0.1
6.5.1 - Injection flaws prevention
6.5.7 - Cross-site scripting (XSS) prevention
6.2 - Security patches and updates
11.2 - Vulnerability scanning
🔗 References & Sources 11
🔗
🔗
🔗
🔗
🔗
🔗
🔗
🔗
🔗
🔗
🔗
https://plugins.trac.wordpress.org/browser/king-addons/tags/51.1.38/includes/assets/lib...
security@wordfence.com
https://plugins.trac.wordpress.org/browser/king-addons/tags/51.1.38/includes/features/W...
security@wordfence.com
https://plugins.trac.wordpress.org/browser/king-addons/tags/51.1.38/includes/widgets/Co...
security@wordfence.com
https://plugins.trac.wordpress.org/browser/king-addons/tags/51.1.38/includes/widgets/Im...
security@wordfence.com
https://plugins.trac.wordpress.org/browser/king-addons/tags/51.1.38/includes/widgets/Of...
security@wordfence.com
https://plugins.trac.wordpress.org/browser/king-addons/tags/51.1.38/includes/widgets/Po...
security@wordfence.com
https://plugins.trac.wordpress.org/browser/king-addons/tags/51.1.38/includes/widgets/Pr...
security@wordfence.com
https://plugins.trac.wordpress.org/browser/king-addons/tags/51.1.38/includes/widgets/Vi...
security@wordfence.com
https://plugins.trac.wordpress.org/changeset/3438067/
security@wordfence.com
https://plugins.trac.wordpress.org/changeset/3441952/
security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/95d3e76c-612d-436c-9d32-6228d...
security@wordfence.com