Attack Vectors
CVE-2025-13997 is a Medium-severity vulnerability (CVSS 5.3) affecting the WordPress plugin King Addons for Elementor – 80+ Elementor Widgets, 4,000+ Elementor Templates, WooCommerce, Mega Menu, Popup Builder (slug: king-addons) in versions up to and including 51.1.49.
The primary risk is that the exposure requires no authentication (no login required). If your site has the Premium license installed, an external visitor can retrieve the exposed third-party integration credentials simply by viewing or scraping the page source wherever the affected functionality is rendered.
Security Weakness
The issue stems from the plugin adding sensitive values to the site’s HTML output via its render_full_form function. As a result, API keys and secrets can appear in the rendered page source and be visible to anyone who can access the page.
According to the advisory, the exposed items may include Mailchimp, Facebook, and Google API keys and secrets. While this is not described as a full site takeover vulnerability on its own, it is a meaningful weakness because it can silently leak credentials that connect your website to external marketing and advertising platforms.
Official references: CVE Record and Wordfence advisory.
Technical or Business Impacts
Marketing and revenue risk: Exposed Mailchimp, Facebook, or Google credentials can be abused to access or manipulate campaigns, audiences, tracking, or integrations—potentially driving unauthorized spend, disrupting lead flow, or degrading attribution.
Data and compliance exposure: If a third-party platform account is accessed using leaked secrets, it may lead to unauthorized access to customer/contact data or analytics data, triggering incident response, contractual notifications, or regulatory scrutiny depending on what was accessible through those integrations.
Brand damage and operational disruption: Compromised marketing accounts can result in fraudulent ads, defaced landing experiences, or phishing-like messaging sent to audiences—often noticed publicly before it’s fully contained.
Recommended action: Update King Addons for Elementor to version 51.1.51 or newer (patched). After updating, review whether any API keys or app secrets were exposed and consider rotating credentials for Mailchimp/Facebook/Google as a precaution, especially if affected forms/widgets were public.
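To support the post-update review, here is an added example (not the plugin's code or the advisory's) that scans saved page source from your own site for credential-shaped tokens of the three integration types named above; the attribute names, variable names and key values in the sample HTML are constructed for this example and do not reflect the plugin's actual markup.

```python
import re

# Credential shapes to look for in rendered HTML. The Mailchimp and Google
# patterns follow the documented public formats of those keys; the Facebook
# pattern is a keyword-anchored 32-hex value, since app secrets have no
# distinctive prefix. These are heuristics, not the plugin's own output format.
PATTERNS = {
    "mailchimp_api_key": re.compile(r"\b[0-9a-f]{32}-us\d{1,2}\b"),
    "google_api_key": re.compile(r"AIza[0-9A-Za-z_\-]{35}(?![0-9A-Za-z_\-])"),
    "facebook_app_secret": re.compile(
        r"(?i)(?:app_?secret|client_?secret)[\"']?\s*[:=]\s*[\"']?([0-9a-f]{32})\b"
    ),
}


def mask(value: str) -> str:
    """Keep only the first and last four characters so a report never re-leaks the secret."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def find_exposed_secrets(html: str) -> list[tuple[str, str]]:
    """Return (kind, masked_value) for every credential-shaped token found in html."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(html):
            # Patterns with a capture group carry the secret in group 1.
            secret = match.group(1) if match.groups() else match.group(0)
            findings.append((kind, mask(secret)))
    return findings


# Constructed sample of what a leaking page might look like. The attribute and
# variable names are invented for this example, not taken from the plugin.
SAMPLE_HTML = """
<form class="example-form" data-mailchimp-key="0123456789abcdef0123456789abcdef-us21">
<script>var exampleFb = {"app_id":"123456789012345","app_secret":"fedcba9876543210fedcba9876543210"};</script>
<script src="https://maps.googleapis.com/maps/api/js?key=AIzaSyA00000000000000000000000000000000"></script>
</form>
"""

if __name__ == "__main__":
    # Run against a saved copy of your own page source (e.g. "view-source" output).
    for kind, value in find_exposed_secrets(SAMPLE_HTML):
        print(f"{kind}: {value}")
```

Any hit is a signal to rotate that credential at the provider, not just to update the plugin, because the value may already have been copied by anyone who loaded the page.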
Similar attacks (real-world examples): Credential leaks and key exposure have repeatedly led to major downstream abuse, such as the Capital One 2019 incident involving cloud access misuse, the Uber 2016 breach disclosure where credential handling failures played a role, and the SolarWinds supply-chain compromise demonstrating how attackers leverage access paths that organizations don’t expect to be externally reachable.