CVE-2026-48870
Description
Stored XSS vulnerability in King Addons for Elementor <=51.1.62 allows subscriber-level attackers to inject malicious scripts, potentially compromising visitor sessions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A stored Cross-Site Scripting (XSS) vulnerability exists in the King Addons for Elementor plugin for WordPress, affecting versions up to and including 51.1.62. The flaw allows users with Subscriber-level access to inject arbitrary HTML and JavaScript code via unsanitized input fields. The injected payload is stored on the server and executed when the affected page is viewed by another user [1].
Exploitation
An attacker must have a Subscriber account on the target WordPress site to exploit this vulnerability. The attacker submits crafted input containing malicious JavaScript through a vulnerable form or field. Successful exploitation requires a privileged user (e.g., Administrator) to subsequently view the page where the payload is stored, such as in the WordPress admin dashboard. The attacker does not need direct interaction with the victim; the payload triggers automatically upon page load [1].
Impact
If exploited, an attacker can execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, website defacement, redirection to malicious sites, injection of advertisements, or theft of sensitive information. The attack can compromise both site administrators and regular visitors, potentially leading to full site takeover if an administrator's session is hijacked [1].
Mitigation
The vulnerability is fixed in version 51.1.63 of the plugin. Users are strongly advised to update immediately. Patchstack has also released a virtual mitigation rule to block attacks until the update is applied. No other workarounds are documented; if updating is not possible, consider disabling the plugin or using a web application firewall to filter malicious input [1].
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=51.1.62
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE; the mechanics section is only generated when the actual fix diff can be read. Without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
- Wordfence Intelligence Weekly WordPress Vulnerability Report (June 1, 2026 to June 7, 2026), Wordfence Blog, Jun 11, 2026