PatchSiren cyber security CVE debrief
CVE-2026-15284 kingaddons CVE debrief
The King Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'form_page_id' parameter in versions up to, and including, 51.1.62. This is due to insufficient input sanitization in the add_to_submissions() function, which applies sanitize_text_field() (preserving double-quote characters) before storing the value in post meta, combined with missing output escaping in the king_addons_submissions_custom_column_content() function, concatenating the stored value into an HTML href attribute via admin_url() without wrapping the result in esc_url(). Authenticated attackers with subscriber-level access and above can inject arbitrary web scripts in pages that execute when a user accesses an injected page.
- Vendor
- kingaddons
- Product
- King Addons for Elementor – 80+ Elementor Widgets, 4 000+ Elementor Templates, WooCommerce, Mega Menu, Popup Builder
- CVSS
- MEDIUM 6.4
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-10
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-10
- Advisory updated
- 2026-07-10
Who should care
Users of the King Addons for Elementor plugin for WordPress should update to a patched version to prevent exploitation. Site administrators and security teams should prioritize patching, especially if subscriber-level access or higher is available to users.
Technical summary
The vulnerability exists in the King Addons for Elementor plugin for WordPress versions up to and including 51.1.62. The 'form_page_id' parameter is vulnerable to Stored Cross-Site Scripting (XSS). The issue arises from inadequate input sanitization in the add_to_submissions() function, which uses sanitize_text_field(). This function preserves double-quote characters before storing values in post meta. Additionally, the king_addons_submissions_custom_column_content() function lacks output escaping. It directly concatenates stored values into an HTML href attribute using admin_url() without proper esc_url() wrapping. This allows authenticated attackers with subscriber-level access or higher to inject arbitrary web scripts. These scripts execute when users access injected pages.
Defensive priority
Medium priority due to the CVSS score of 6.4 and the potential for authenticated users to inject malicious scripts.
Recommended defensive actions
- Update the King Addons for Elementor plugin to a version beyond 51.1.62.
- Restrict access to the WordPress admin area to trusted users only.
- Implement additional monitoring for suspicious page accesses or modifications.
- Consider using a Web Application Firewall (WAF) to detect and prevent XSS attacks.
- Review compensating controls for exposed systems while remediation is scheduled and verified.
- Track exceptions, retest remediated assets, and close the item only after evidence is documented.
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
Evidence notes
The CVE record was published on 2026-07-10T05:16:31.067Z and was last modified on 2026-07-10T21:16:53.823Z. The NVD entry is currently Deferred. Multiple references are provided from Wordfence and WordPress Trac, detailing the vulnerable code and patches.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T05:16:31.067Z and has not been modified since then. The NVD entry is currently Deferred.