Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-48870

CVE-2026-48870: King Addons for Elementor XSS Vulnerability

CVE-2026-48870 is a subscriber-level cross-site scripting flaw in King Addons for Elementor affecting versions 51.1.62 and below. This article covers the technical details, affected versions, security impact, and mitigation.

Published:

CVE-2026-48870 Overview

CVE-2026-48870 is a stored Cross-Site Scripting (XSS) vulnerability affecting the King Addons for Elementor WordPress plugin in versions up to and including 51.1.62. The flaw is categorized under [CWE-79] and allows an authenticated attacker with Subscriber-level privileges to inject malicious script content that executes in the browsers of other site users. Exploitation requires user interaction, but the scope-changing nature of the issue means injected scripts can affect resources beyond the attacker's own privilege boundary.

Critical Impact

A Subscriber-level account can inject persistent JavaScript that executes against administrators or visitors, enabling session theft, forced administrative actions, and content redirection on WordPress sites running the affected plugin.

Affected Products

  • King Addons for Elementor WordPress plugin versions <= 51.1.62
  • WordPress installations with the plugin activated and Subscriber registration enabled
  • Sites where untrusted users hold Subscriber or higher roles

Discovery Timeline

  • 2026-06-15 - CVE-2026-48870 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2026-48870

Vulnerability Analysis

The vulnerability is a stored Cross-Site Scripting flaw in the King Addons for Elementor plugin. The plugin fails to sanitize and escape user-supplied input on at least one input vector accessible to authenticated users at the Subscriber role. An attacker submits crafted payloads containing HTML or JavaScript that the plugin later renders without proper output encoding. When an administrator or another visitor views the affected page, the browser parses and executes the attacker's script in the context of the WordPress site.

The attack requires network access, low privileges, and a single user interaction such as loading a page that contains the stored payload. Because the issue causes a scope change, the injected script can influence resources controlled by a more privileged user, including the WordPress administration interface.

The EPSS probability of exploitation is approximately 0.205%, indicating low current observed exploit activity.

Root Cause

The root cause is missing or insufficient input sanitization and output escaping in plugin code paths reachable by Subscriber-level accounts. WordPress provides functions such as wp_kses_post(), esc_html(), and esc_attr() for safe rendering, but the affected plugin code does not apply these consistently to attacker-controlled fields before storage or display.

Attack Vector

An attacker first registers or obtains a Subscriber account on a target WordPress site running King Addons for Elementor <= 51.1.62. The attacker submits a payload through an input handled by the plugin. The payload is stored on the server and later rendered into a page viewed by another user. When that user loads the page, the malicious script executes in their browser session.

No verified public exploit code is available for CVE-2026-48870. Refer to the Patchstack Vulnerability Report for additional vendor-coordinated details.

Detection Methods for CVE-2026-48870

Indicators of Compromise

  • Unexpected <script> tags, javascript: URIs, or event handler attributes such as onerror= and onload= stored in WordPress post meta, options, or plugin-specific tables
  • New or modified administrator accounts appearing shortly after a Subscriber user submitted content
  • Outbound browser requests from administrator sessions to unfamiliar third-party domains
  • WordPress audit log entries showing Subscriber accounts editing or submitting content through King Addons for Elementor components

Detection Strategies

  • Scan the wp_posts, wp_postmeta, and plugin-specific tables for HTML event handlers and script tags using regular-expression queries
  • Deploy a Web Application Firewall (WAF) rule set that flags XSS payload patterns in POST requests targeting plugin endpoints
  • Enable WordPress activity logging to correlate Subscriber submissions with administrator page views

Monitoring Recommendations

  • Monitor HTTP request bodies to admin-ajax.php and REST API routes registered by King Addons for Elementor for HTML-encoded payloads
  • Alert on Content Security Policy (CSP) violation reports originating from the WordPress admin interface
  • Track new Subscriber registrations followed by content submission events within short time windows

How to Mitigate CVE-2026-48870

Immediate Actions Required

  • Update King Addons for Elementor to a version newer than 51.1.62 as soon as a patched release is published by the vendor
  • Disable open user registration or restrict the default new-user role away from Subscriber where business requirements allow
  • Review existing Subscriber accounts and remove any that are unrecognized or inactive
  • Audit stored plugin content for injected script tags and remove malicious entries

Patch Information

Consult the Patchstack Vulnerability Report for the current fixed version and vendor remediation guidance. Apply the patched plugin release through the WordPress plugin updater once available.

Workarounds

  • Deploy a WAF rule that blocks script tags and JavaScript event handlers in requests to King Addons for Elementor endpoints
  • Enforce a strict Content Security Policy that disallows inline scripts on the WordPress front end and admin interface
  • Temporarily deactivate the King Addons for Elementor plugin on sites that allow public registration until a fixed release is installed
  • Use the WordPress DISALLOW_UNFILTERED_HTML constant in wp-config.php to limit HTML submission by lower-privileged users
bash
# Configuration example - wp-config.php hardening
define( 'DISALLOW_UNFILTERED_HTML', true );
define( 'DISALLOW_FILE_EDIT', true );

# Restrict default registration role via wp-cli
wp option update default_role 'subscriber'
wp option update users_can_register 0

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.