King Addons for Elementor WordPress Plugin DOM-Based Stored Cross-Site Scripting Vulnerability

Vulnerability

A series of Contributor+ DOM-Based Stored Cross-Site Scripting vulnerabilities has been identified in the King Addons for Elementor plugin for WordPress, affecting all versions up to and including 51.1.38. The vulnerabilities stem from insufficient input sanitization and output escaping in a number of widgets and features. In several places the plugin applies HTML-attribute escaping to values it places inside inline JavaScript event handlers. The browser decodes the resulting HTML entities when it parses the attribute, before the JavaScript engine ever sees the handler body, so a quote character in a widget setting arrives unescaped, terminates the string literal it was meant to sit in, and lets the attacker break out of the JavaScript context. In addition, several of the plugin's JavaScript files write user-controlled data into the DOM unsafely. Authenticated attackers with Contributor-level access or higher can therefore inject arbitrary script through Elementor widget settings; the script runs when any user visits the affected page or when an administrator previews it in Elementor's editor.
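The following is an added example, not code from the King Addons plugin, that models the escaping mistake described above: a widget setting is placed inside an inline event handler and protected only by HTML-attribute entity encoding, then the browser's attribute decoding is simulated to show the quote reaching the JavaScript engine. The function names (openTab, escAttr, decodeAttributeValue and so on) and the sample settings are assumptions made for the illustration; the hardened variant encodes for the JavaScript string context first and for the attribute second, which is the general fix for any value nested in two contexts.

```javascript
// Added example, not code from the King Addons plugin. It models the escaping
// mistake the advisory describes: a widget setting is placed inside an inline
// event handler protected only by HTML-attribute entity encoding. The browser
// decodes those entities while parsing the attribute, before the JavaScript
// engine sees the handler, so a raw quote reaches the string literal.
// Function names (openTab, escAttr, ...) are hypothetical. Runs under Node;
// the browser's attribute decoding is simulated in decodeAttributeValue().

// WordPress-style esc_attr(): entity-encode the characters that can close or
// inject into an HTML attribute value. Correct for an attribute context only.
function escAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#039;");
}

// What the HTML parser does to an attribute value: character references are
// decoded once (named, decimal and hex). The JS engine only sees the result.
const NAMED = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };
function decodeAttributeValue(attr) {
  return attr.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (m, ref) => {
    if (ref[0] === "#") {
      const hex = ref[1] === "x" || ref[1] === "X";
      return String.fromCodePoint(parseInt(hex ? ref.slice(2) : ref.slice(1), hex ? 16 : 10));
    }
    return Object.prototype.hasOwnProperty.call(NAMED, ref) ? NAMED[ref] : m;
  });
}

// Vulnerable pattern: the setting is dropped into a single-quoted JS string
// literal inside onclick="...", escaped for the attribute but not for JS.
// Note that escAttr() does stop entity smuggling (an attacker-supplied
// "&#039;" becomes "&amp;#039;"); it is the raw quote that gets through.
function vulnerableHandlerAttr(setting) {
  return `openTab('${escAttr(setting)}')`;
}

// Hardened pattern: encode for the innermost context first (a JS string
// literal, with <, >, & and the line terminators U+2028/2029 written as
// \uXXXX escapes), then for the enclosing attribute. Decoding the attribute
// restores exactly the JS literal, never a bare quote.
function jsStringLiteral(s) {
  return JSON.stringify(String(s))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}
function hardenedHandlerAttr(setting) {
  return `openTab(${escAttr(jsStringLiteral(setting))})`;
}

// Scan one JS string literal starting at src[start] (the opening quote) and
// return the index just past its closing quote; backslash escapes are honoured.
function scanStringLiteral(src, start) {
  const q = src[start];
  for (let i = start + 1; i < src.length; i++) {
    if (src[i] === "\\") { i++; continue; }
    if (src[i] === q) return i + 1;
  }
  return -1; // unterminated literal
}

// Decode the handler as the browser would, then check whether anything other
// than the template's closing ")" follows the string literal. True means the
// setting broke out of the literal and would run as code.
function payloadEscapedLiteral(handlerAttr) {
  const js = decodeAttributeValue(handlerAttr);
  const start = js.indexOf("(") + 1;
  const end = scanStringLiteral(js, start);
  return end === -1 || js.slice(end) !== ")";
}

// Constructed sample settings: a benign tab label and a break-out attempt.
const SAMPLES = ["Overview", "'); alert(document.cookie); //"];

function report() {
  return SAMPLES.map((s) => ({
    setting: s,
    vulnerable: payloadEscapedLiteral(vulnerableHandlerAttr(s)),
    hardened: payloadEscapedLiteral(hardenedHandlerAttr(s)),
  }));
}

for (const r of report()) console.log(r);
```

The contextual double encoding above is the minimal repair; the cleaner design, which also removes the second class of issue the advisory mentions (plugin JavaScript writing settings into the DOM unsafely), is to avoid inline handlers altogether: store the setting in a data- attribute, where attribute escaping is the correct and only encoding needed, bind the click with addEventListener in the plugin's script, read the value from dataset, and write it to the page through textContent rather than innerHTML.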

Impact

Successful exploitation yields DOM-based stored cross-site scripting: the injected script runs in the browser of whoever views the affected page, with that user's session on the site, which includes administrators who preview the page in the Elementor editor.

Reproduction

To reproduce, an authenticated user with Contributor-level access or higher injects script through the settings of one of the affected Elementor widgets. The injected script executes when the page is viewed by any user or previewed by an administrator in the Elementor editor.

Remediation

Update to King Addons for Elementor version 51.1.51, which includes security enhancements and addresses some, but not all, of the reported vulnerabilities. Until a release that covers the remainder is available, treat Contributor-level accounts as capable of injecting script into pages built with the plugin's widgets, and review which users hold that role.

Added: Apr 1, 2026, 3:27 PM
Updated: Apr 1, 2026, 3:27 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.7
exploitability: 6.0
remediation: 0.0
relevance: 5.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.