PatchSiren

kingaddons CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM kingaddons CVE published 2026-07-10

CVE-2026-15284

The King Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'form_page_id' parameter in versions up to, and including, 51.1.62. This is due to insufficient input sanitization in the add_to_submissions() function, which applies sanitize_text_field() (preserving double-quote characters) before storing the value in post meta, combined with missing output escaping i [truncated]