📄 Description (English)
The King Addons for Elementor – 4,000+ ready Elementor sections, 650+ templates, 70+ FREE widgets for Elementor plugin for WordPress is vulnerable to unauthenticated API key disclosure in all versions up to, and including, 51.1.49 due to the plugin adding the API keys to the HTML source code via render_full_form function. This makes it possible for unauthenticated attackers to extract site's Mailchimp, Facebook and Google API keys and secrets.
This vulnerability requires the Premium license to be installed
🤖 AI Executive Summary
The King Addons for Elementor WordPress plugin (versions up to 51.1.49) exposes API keys for Mailchimp, Facebook, and Google in HTML source code, allowing unauthenticated attackers to extract sensitive credentials. This vulnerability affects WordPress sites using the Premium license and could lead to unauthorized access to third-party services and data breaches. While currently unpatched, the medium CVSS score (5.3) reflects the requirement for attackers to have network access and the need for Premium license installation.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 29, 2026 10:07
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations using WordPress with King Addons Premium license face credential exposure risks, particularly affecting: (1) E-commerce and digital marketing sectors relying on Mailchimp for customer communications; (2) Government and banking institutions using Facebook/Google APIs for digital services; (3) Healthcare providers using third-party integrations for patient engagement; (4) Telecom companies (STC, Mobily) managing customer data through integrated platforms. The exposure of API keys could lead to unauthorized access to customer databases, email marketing systems, and analytics platforms, violating SAMA and NCA data protection requirements.
🏢 Affected Saudi Sectors
E-commerce and Digital Marketing
Banking and Financial Services
Government and Public Sector
Healthcare and Medical Services
Telecommunications
Hospitality and Tourism
Education and Universities
Media and Publishing
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
6.8
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Audit all WordPress installations using King Addons Premium to identify affected versions (≤51.1.49)
2. Review HTML source code of affected pages for exposed API keys using: grep -r 'api_key\|access_token\|secret' or browser developer tools (F12 > View Page Source)
3. Immediately rotate all exposed Mailchimp, Facebook, and Google API keys in respective service consoles
4. Check API usage logs for unauthorized access patterns in the past 30-90 days
COMPENSATING CONTROLS (until patch available):
5. Disable King Addons Premium plugin temporarily if not critical to operations
6. Implement Web Application Firewall (WAF) rules to block API key patterns in HTTP responses
7. Restrict plugin access via .htaccess: deny access to plugin directories containing sensitive data
8. Use environment variables instead of hardcoded API keys; implement secrets management solution
9. Enable API key rotation policies with 30-day expiration cycles
10. Implement Content Security Policy (CSP) headers to prevent credential exfiltration
DETECTION RULES:
- Monitor for unusual API activity from exposed credentials (failed auth attempts, geographic anomalies)
- Alert on HTML responses containing patterns: 'sk_live_', 'pk_live_', 'AIza', 'mc_cid'
- Log all access to /wp-content/plugins/king-addons/ directory
- Monitor outbound connections to Mailchimp, Facebook, Google APIs for unauthorized requests
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تدقيق جميع تثبيتات WordPress التي تستخدم King Addons Premium لتحديد الإصدارات المتأثرة (≤51.1.49)
2. مراجعة كود HTML للصفحات المتأثرة للبحث عن مفاتيح API المكشوفة باستخدام: grep -r 'api_key\|access_token\|secret' أو أدوات المتصفح (F12 > عرض مصدر الصفحة)
3. تدوير جميع مفاتيح Mailchimp و Facebook و Google API المكشوفة في أنظمة الخدمات الخاصة بها فوراً
4. التحقق من سجلات استخدام API للوصول غير المصرح به في آخر 30-90 يوماً
الضوابط التعويضية (حتى توفر التصحيح):
5. تعطيل إضافة King Addons Premium مؤقتاً إذا لم تكن حرجة للعمليات
6. تنفيذ قواعد جدار الحماية (WAF) لحجب أنماط مفاتيح API في استجابات HTTP
7. تقييد وصول الإضافة عبر .htaccess: منع الوصول إلى دلائل الإضافات التي تحتوي على بيانات حساسة
8. استخدام متغيرات البيئة بدلاً من مفاتيح API المشفرة؛ تنفيذ حل إدارة الأسرار
9. تفعيل سياسات تدوير مفاتيح API مع دورات انتهاء الصلاحية لمدة 30 يوماً
10. تنفيذ رؤوس سياسة أمان المحتوى (CSP) لمنع تسرب بيانات الاعتماد
قواعد الكشف:
- مراقبة نشاط API غير العادي من بيانات الاعتماد المكشوفة (محاولات المصادقة الفاشلة، الشذوذ الجغرافي)
- التنبيه على استجابات HTML تحتوي على أنماط: 'sk_live_', 'pk_live_', 'AIza', 'mc_cid'
- تسجيل جميع الوصول إلى دليل /wp-content/plugins/king-addons/
- مراقبة الاتصالات الصادرة إلى واجهات برمجة تطبيقات Mailchimp و Facebook و Google للطلبات غير المصرح بها
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.5.1.1 - Information Security Policies and Procedures
ECC 2024 A.6.1.2 - Access Control and Authentication
ECC 2024 A.8.2.1 - Classification and Handling of Information Assets
ECC 2024 A.8.3.2 - Encryption and Cryptography
ECC 2024 A.12.4.1 - Event Logging and Monitoring
🔵 SAMA CSF
SAMA CSF Governance - Information Security Governance
SAMA CSF Protect - Access Control and Authentication
SAMA CSF Protect - Data Protection and Privacy
SAMA CSF Detect - Security Monitoring and Logging
SAMA CSF Respond - Incident Response and Management
🟡 ISO 27001:2022
ISO 27001:2022 A.5.1 - Policies for Information Security
ISO 27001:2022 A.6.1 - Screening and Approval
ISO 27001:2022 A.8.1 - User Endpoint Devices
ISO 27001:2022 A.8.2 - Privileged Access Rights
ISO 27001:2022 A.8.3 - Information Access Restriction
ISO 27001:2022 A.12.4 - Logging
🟣 PCI DSS v4.0.1
PCI DSS 2.1 - Security Configuration Standards
PCI DSS 3.2 - Encryption of Cardholder Data
PCI DSS 6.2 - Security Patches and Updates
PCI DSS 10.2 - Logging and Monitoring