CVE-2026-48870 Overview
CVE-2026-48870 is a stored Cross-Site Scripting (XSS) vulnerability affecting the King Addons for Elementor WordPress plugin in versions up to and including 51.1.62. The flaw is categorized under [CWE-79] and allows an authenticated attacker with Subscriber-level privileges to inject malicious script content that executes in the browsers of other site users. Exploitation requires user interaction, but the scope-changing nature of the issue means injected scripts can affect resources beyond the attacker's own privilege boundary.
Critical Impact
A Subscriber-level account can inject persistent JavaScript that executes against administrators or visitors, enabling session theft, forced administrative actions, and content redirection on WordPress sites running the affected plugin.
Affected Products
- King Addons for Elementor WordPress plugin versions <= 51.1.62
- WordPress installations with the plugin activated and Subscriber registration enabled
- Sites where untrusted users hold Subscriber or higher roles
Discovery Timeline
- 2026-06-15 - CVE-2026-48870 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2026-48870
Vulnerability Analysis
The vulnerability is a stored Cross-Site Scripting flaw in the King Addons for Elementor plugin. The plugin fails to sanitize and escape user-supplied input on at least one input vector accessible to authenticated users at the Subscriber role. An attacker submits crafted payloads containing HTML or JavaScript that the plugin later renders without proper output encoding. When an administrator or another visitor views the affected page, the browser parses and executes the attacker's script in the context of the WordPress site.
The attack requires network access, low privileges, and a single user interaction such as loading a page that contains the stored payload. Because the issue causes a scope change, the injected script can influence resources controlled by a more privileged user, including the WordPress administration interface.
The EPSS probability of exploitation is approximately 0.205%, indicating low current observed exploit activity.
Root Cause
The root cause is missing or insufficient input sanitization and output escaping in plugin code paths reachable by Subscriber-level accounts. WordPress provides functions such as wp_kses_post(), esc_html(), and esc_attr() for safe rendering, but the affected plugin code does not apply these consistently to attacker-controlled fields before storage or display.
Attack Vector
An attacker first registers or obtains a Subscriber account on a target WordPress site running King Addons for Elementor <= 51.1.62. The attacker submits a payload through an input handled by the plugin. The payload is stored on the server and later rendered into a page viewed by another user. When that user loads the page, the malicious script executes in their browser session.
No verified public exploit code is available for CVE-2026-48870. Refer to the Patchstack Vulnerability Report for additional vendor-coordinated details.
Detection Methods for CVE-2026-48870
Indicators of Compromise
- Unexpected <script> tags, javascript: URIs, or event handler attributes such as onerror= and onload= stored in WordPress post meta, options, or plugin-specific tables
- New or modified administrator accounts appearing shortly after a Subscriber user submitted content
- Outbound browser requests from administrator sessions to unfamiliar third-party domains
- WordPress audit log entries showing Subscriber accounts editing or submitting content through King Addons for Elementor components
Detection Strategies
- Scan the wp_posts, wp_postmeta, and plugin-specific tables for HTML event handlers and script tags using regular-expression queries
- Deploy a Web Application Firewall (WAF) rule set that flags XSS payload patterns in POST requests targeting plugin endpoints
- Enable WordPress activity logging to correlate Subscriber submissions with administrator page views
Monitoring Recommendations
- Monitor HTTP request bodies to admin-ajax.php and REST API routes registered by King Addons for Elementor for HTML-encoded payloads
- Alert on Content Security Policy (CSP) violation reports originating from the WordPress admin interface
- Track new Subscriber registrations followed by content submission events within short time windows
How to Mitigate CVE-2026-48870
Immediate Actions Required
- Update King Addons for Elementor to a version newer than 51.1.62 as soon as a patched release is published by the vendor
- Disable open user registration or restrict the default new-user role away from Subscriber where business requirements allow
- Review existing Subscriber accounts and remove any that are unrecognized or inactive
- Audit stored plugin content for injected script tags and remove malicious entries
Patch Information
Consult the Patchstack Vulnerability Report for the current fixed version and vendor remediation guidance. Apply the patched plugin release through the WordPress plugin updater once available.
Workarounds
- Deploy a WAF rule that blocks script tags and JavaScript event handlers in requests to King Addons for Elementor endpoints
- Enforce a strict Content Security Policy that disallows inline scripts on the WordPress front end and admin interface
- Temporarily deactivate the King Addons for Elementor plugin on sites that allow public registration until a fixed release is installed
- Use the WordPress DISALLOW_UNFILTERED_HTML constant in wp-config.php to limit HTML submission by lower-privileged users
# Configuration example - wp-config.php hardening
define( 'DISALLOW_UNFILTERED_HTML', true );
define( 'DISALLOW_FILE_EDIT', true );
# Restrict default registration role via wp-cli
wp option update default_role 'subscriber'
wp option update users_can_register 0
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

