WordPress King Addons Plugin Vulnerability Allows Admin Takeover

  • Dec 3, 2025
  • 1 min read

Key Findings


  • A critical vulnerability, CVE-2025-8489 (CVSS score of 9.8), has been discovered in the WordPress plugin King Addons for Elementor.

  • The flaw allows unauthenticated users to register and instantly gain admin privileges on WordPress sites.

  • Threat actors are actively exploiting the vulnerability, with the Wordfence Firewall blocking over 48,400 exploit attempts since the issue was disclosed.

  • The vulnerability is a privilege escalation issue in versions 24.12.92 to 51.1.14, due to the plugin not properly restricting the roles that users can register with.

  • Successful exploitation can enable attackers to take full control of the site, upload malicious code, distribute malware, redirect visitors, or inject spam.


Background


King Addons for Elementor is a third-party WordPress plugin designed to extend the features of the popular Elementor page builder. It provides users with extra widgets, templates, visual effects, and design tools. The plugin is installed on over 10,000 websites.


Vulnerability Details


The vulnerability lies in the plugin's "handle_register_ajax()" function, which accepts the role supplied in the registration request without restricting it. An attacker can therefore send a crafted request to "/wp-admin/admin-ajax.php" that specifies the "administrator" role and is granted full admin privileges on registration.
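To make the defect concrete, here is an added illustrative example (written for this summary, not code from King Addons or Wordfence) of a WordPress AJAX registration handler in the shape the advisory describes, followed by a hardened form. The action name `example_register`, the nonce name, the field names and the helper names are assumptions; only the WordPress API calls (`wp_insert_user`, `get_role`, `check_ajax_referer`, `wp_send_json_*`) are real.

```php
<?php
// Added example, not the plugin's own code. Assumes a WordPress runtime.

// VULNERABLE SHAPE (hypothetical): the role is taken from the request, so a
// request that names "administrator" creates an administrator. Shown only to
// contrast with the hardened handler below.
function example_register_vulnerable() {
    $role = isset( $_POST['role'] ) ? sanitize_text_field( wp_unslash( $_POST['role'] ) ) : 'subscriber';
    wp_insert_user( array(
        'user_login' => sanitize_user( wp_unslash( $_POST['username'] ?? '' ) ),
        'user_email' => sanitize_email( wp_unslash( $_POST['email'] ?? '' ) ),
        'user_pass'  => (string) ( $_POST['password'] ?? '' ),
        'role'       => $role, // client-controlled: the privilege escalation
    ) );
}

// HARDENED FORM: the client never chooses the role. The handler honours the
// site's registration switch, checks a nonce, validates input, assigns the
// configured default role and, as defence in depth, refuses any default that
// carries an admin-level capability.
add_action( 'wp_ajax_nopriv_example_register', 'example_register_hardened' );
add_action( 'wp_ajax_example_register', 'example_register_hardened' );

function example_register_hardened() {
    check_ajax_referer( 'example_register', 'nonce' );

    if ( ! get_option( 'users_can_register' ) ) {
        wp_send_json_error( 'Registration is disabled on this site.', 403 );
    }

    $login = sanitize_user( wp_unslash( $_POST['username'] ?? '' ), true );
    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $pass  = (string) ( $_POST['password'] ?? '' );

    if ( '' === $login || ! is_email( $email ) || strlen( $pass ) < 12 ) {
        wp_send_json_error( 'Invalid registration data.', 400 );
    }

    // Ignore any role field the request carries; use the site default only.
    $role     = get_option( 'default_role', 'subscriber' );
    $role_obj = get_role( $role );
    if ( ! $role_obj || $role_obj->has_cap( 'edit_users' ) || $role_obj->has_cap( 'promote_users' ) ) {
        $role = 'subscriber'; // never let a misconfigured default hand out admin-level rights
    }

    $user_id = wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => $pass,
        'role'       => $role,
    ) );

    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 400 );
    }
    wp_send_json_success( array( 'user_id' => $user_id ) );
}
```

The important design choice is that the role is derived server-side from `default_role` and then checked against capabilities rather than against a list of role names, so a custom role that happens to carry `edit_users` or `promote_users` is rejected as well. If a plugin genuinely needs to offer a choice of roles, it should compare the submitted value with `in_array( $value, array( 'subscriber', ... ), true )` against a fixed allowlist that never includes administrator-level roles.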


Exploitation and Mitigation


Wordfence researchers warn that threat actors are actively exploiting the vulnerability, with over 48,400 exploit attempts blocked since the issue was disclosed. The attacks have originated from several IP addresses, including 45.61.157.120 and 2602:fa59:3:424::1.


Site owners are advised to update the King Addons for Elementor plugin to version 51.1.35 or newer to mitigate the vulnerability. Additionally, a thorough review of the site for any abnormal activity, such as new, unexpected administrator accounts or suspicious requests to the registration endpoint, is recommended.
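The two review steps above, as an added example (not from the advisory or the plugin): one function lists administrator accounts registered after an operator-chosen cutoff, the other scans combined-format access log lines for POSTs to `/wp-admin/admin-ajax.php` from the indicator IPs named in this summary or from any source that hammered the endpoint. The user records and log lines are constructed sample data; in a real WordPress site the users would come from `get_users( array( 'role' => 'administrator' ) )` and the log from the web server.

```php
<?php
// Added example, plain PHP, runs offline with `php check.php`. Sample data is constructed.

// Indicator IPs reported in the advisory as sources of exploit attempts.
const IOC_IPS = array( '45.61.157.120', '2602:fa59:3:424::1' );

/**
 * Return the logins of administrator accounts registered on or after $since
 * (UTC, "Y-m-d H:i:s"). Each user is an associative array with keys
 * user_login, roles (array) and user_registered, mirroring WP_User fields.
 */
function find_new_admins( array $users, string $since ): array {
    $utc    = new DateTimeZone( 'UTC' );
    $cutoff = new DateTimeImmutable( $since, $utc );
    $hits   = array();
    foreach ( $users as $u ) {
        if ( ! in_array( 'administrator', $u['roles'], true ) ) {
            continue;
        }
        $registered = new DateTimeImmutable( $u['user_registered'], $utc );
        if ( $registered >= $cutoff ) {
            $hits[] = $u['user_login'];
        }
    }
    return $hits;
}

/**
 * Scan combined-format access log lines for POSTs to admin-ajax.php.
 * Returns the indicator IPs seen and any IP exceeding $threshold such POSTs.
 */
function find_suspect_ajax_posts( array $lines, array $ioc_ips, int $threshold = 20 ): array {
    $pattern  = '~^(\S+) \S+ \S+ \[[^\]]+\] "POST /wp-admin/admin-ajax\.php[^"]*" \d{3}~';
    $counts   = array();
    $ioc_seen = array();
    foreach ( $lines as $line ) {
        if ( ! preg_match( $pattern, $line, $m ) ) {
            continue; // not a POST to admin-ajax.php
        }
        $ip            = $m[1];
        $counts[ $ip ] = ( $counts[ $ip ] ?? 0 ) + 1;
        if ( in_array( $ip, $ioc_ips, true ) ) {
            $ioc_seen[ $ip ] = true;
        }
    }
    $noisy = array_keys( array_filter( $counts, fn( int $n ) => $n > $threshold ) );
    return array(
        'ioc_sources'         => array_keys( $ioc_seen ),
        'high_volume_sources' => $noisy,
    );
}

// ---- constructed sample data -------------------------------------------
$sample_users = array(
    array( 'user_login' => 'siteowner', 'roles' => array( 'administrator' ), 'user_registered' => '2023-05-01 08:00:00' ),
    array( 'user_login' => 'editor1',   'roles' => array( 'editor' ),        'user_registered' => '2025-11-20 09:30:00' ),
    array( 'user_login' => 'qwzx9182',  'roles' => array( 'administrator' ), 'user_registered' => '2025-12-02 23:41:17' ),
);

$sample_log = array(
    '45.61.157.120 - - [03/Dec/2025:10:12:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 312 "-" "python-requests/2.32"',
    '203.0.113.8 - - [03/Dec/2025:10:13:44 +0000] "GET /about/ HTTP/1.1" 200 9182 "-" "Mozilla/5.0"',
    '2602:fa59:3:424::1 - - [03/Dec/2025:10:15:09 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 312 "-" "curl/8.5.0"',
    '203.0.113.8 - - [03/Dec/2025:10:16:02 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 51 "-" "Mozilla/5.0"',
);

// Cutoff is operator-chosen (e.g. the day the plugin was last known good).
print_r( find_new_admins( $sample_users, '2025-11-01 00:00:00' ) );   // [qwzx9182]
print_r( find_suspect_ajax_posts( $sample_log, IOC_IPS, 20 ) );       // ioc_sources: both IOC IPs
```

Any login returned by `find_new_admins` that the site owner did not create should be treated as evidence of compromise rather than just removed: the same attacker may have uploaded files or planted further accounts, so check uploaded files, scheduled tasks and the remaining user list, and rotate credentials and salts once the plugin is updated.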


Sources


  • https://securityaffairs.com/185286/hacking/king-addons-flaw-lets-anyone-become-wordpress-admin.html

  • https://thehackernews.com/2025/12/wordpress-king-addons-flaw-under-active.html
