CVE-2025-13997: Unauthenticated API Key Disclosure in King Addons for Elementor
A King Addons for Elementor issue where API keys were exposed in rendered page source.
CVE-2025-13997 is an unauthenticated API key disclosure issue in the King Addons for Elementor WordPress plugin.
The public advisory describes the bug as sensitive information exposure in versions up to and including 51.1.49. The issue came from API keys being added to the HTML source through the render_full_form function. Wordfence rated it 5.3 medium severity and notes that the premium license is required for the vulnerable feature path.
The bug
This was not an authentication bypass or a direct WordPress account takeover. The problem was simpler and still important: secrets that should have stayed server-side were exposed to unauthenticated visitors through generated frontend markup.
According to the advisory, the exposed material could include Mailchimp, Facebook, and Google API keys or secrets. The important boundary here is the rendering boundary. If a value lands in the page source, it should be treated as public.
Why it mattered
API keys in page source are easy to miss during normal QA because the page can look fine in the browser. The risk is in what the HTML quietly carries with it.
Depending on how a site configured the affected integrations, leaked keys could expose third-party service access, campaign data, form integration secrets, or other connected-account material. The WordPress bug is the disclosure point, but the real blast radius can extend into the external services tied to the site.
Fix
King Addons for Elementor patched the issue in version 51.1.51. Site owners should update to 51.1.51 or newer and rotate any exposed third-party API keys if they used the affected premium form functionality.