Critical Elementor Security Breach Leaves WordPress Sites Open To Admin Takeovers

Attackers exploit a critical privilege escalation flaw in the King Addons for Elementor WordPress plugin, allowing unauthenticated users to create administrator accounts and seize control of sites.

This vulnerability, tracked as CVE-2025-8489 with a CVSS score of 9.8, affects over 10,000 installations and has been targeted by active attacks since late October 2025.

Technical Breakdown

The King Addons for Elementor plugin enables enhanced Elementor features like widgets and templates.

Versions from 24.12.92 to 51.1.14 contain the flaw in the registration process.

Security firm Wordfence received the report on July 24, 2025, from researcher Peter Thaleikis; the vendor patched it in version 51.1.35 on September 25, 2025, with public disclosure following on October 30.

The issue stems from insecure handling in the handle_register_ajax() function within the Login_Register_Form_Ajax class.

The code reads a user_role value from $_POST, defaulting to 'subscriber' when it is absent, but passes any non-empty value, including 'administrator', straight through to wp_insert_user() without validating it against an allowed set of roles.

Attackers send POST requests to /wp-admin/admin-ajax.php with parameters such as action=king_addons_user_register&user_role=administrator&username=…&email=…&password=…, bypassing restrictions.
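The following is an added illustration, not the plugin's actual source: it reconstructs the unsafe pattern the advisory describes (client-chosen role passed unchecked to wp_insert_user()) next to a hardened handler for the same AJAX action. The class and function names come from the advisory; the field names, the nonce action name and the allowed-role list are assumptions.

```php
<?php
// Added example, not King Addons code. Function names follow the advisory;
// $_POST field names, the nonce action and the allowlist are assumptions.

// --- Unsafe pattern (behaviour described for versions 24.12.92 - 51.1.14) ---
function handle_register_ajax_vulnerable() {
    $username = sanitize_user( $_POST['username'] ?? '' );
    $email    = sanitize_email( $_POST['email'] ?? '' );
    $password = $_POST['password'] ?? '';
    // Defaults to subscriber, but any non-empty client-supplied value wins.
    $user_role = ! empty( $_POST['user_role'] ) ? $_POST['user_role'] : 'subscriber';

    $user_id = wp_insert_user( array(
        'user_login' => $username,
        'user_email' => $email,
        'user_pass'  => $password,
        'role'       => $user_role, // attacker-controlled, never validated
    ) );
    wp_send_json_success( array( 'id' => $user_id ) );
}

// --- Hardened pattern ---
function handle_register_ajax_hardened() {
    // Respect the site's own setting: no self-registration unless enabled.
    if ( ! get_option( 'users_can_register' ) ) {
        wp_send_json_error( 'Registration is disabled.', 403 );
    }
    // Require the nonce emitted with the rendered form (action name assumed).
    check_ajax_referer( 'king_addons_register', 'nonce' );

    $username = sanitize_user( wp_unslash( $_POST['username'] ?? '' ), true );
    $email    = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $password = (string) wp_unslash( $_POST['password'] ?? '' );

    // The client may only request a role from a fixed, non-privileged
    // allowlist; anything else falls back to the site's default role.
    // Privileged roles (administrator, editor) are never in the list.
    $allowed_roles  = array( 'subscriber', 'contributor' );
    $requested_role = sanitize_key( $_POST['user_role'] ?? '' );
    $role           = in_array( $requested_role, $allowed_roles, true )
        ? $requested_role
        : get_option( 'default_role', 'subscriber' );
    if ( ! in_array( $role, $allowed_roles, true ) ) {
        $role = 'subscriber';
    }

    $user_id = wp_insert_user( array(
        'user_login' => $username,
        'user_email' => $email,
        'user_pass'  => $password,
        'role'       => $role,
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 400 );
    }
    wp_send_json_success( array( 'id' => $user_id ) );
}

// Unauthenticated AJAX handlers are registered on the nopriv hook; the
// action name is the one the advisory cites.
add_action( 'wp_ajax_nopriv_king_addons_user_register', 'handle_register_ajax_hardened' );
```

The key design point is that the handler, not the request, decides which roles are reachable: the allowlist is checked with strict comparison, the fallback is the site's configured default_role, and even that is re-checked against the allowlist so a misconfigured default cannot grant a privileged role.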

Detail              Information
CVE ID              CVE-2025-8489
CVSS Score          9.8 (Critical)
Affected Versions   24.12.92 – 51.1.14
Fixed Version       51.1.35+ (latest 51.1.38)
Active Installs     10,000+

Admin access enables full compromise, including malicious plugin uploads, content injection, or redirects.

Exploitation and Defense

Exploits surged on October 31, 2025, post-disclosure, peaking November 9-10. Wordfence blocked over 48,400 attempts; recent tallies show 75 in the last day.

Top offending IPs include 45.61.157.120 (28,900 blocks) and 2602:fa59:3:424::1 (16,900 blocks).

IP Address            Blocked Requests
45.61.157.120         ~28,900
2602:fa59:3:424::1    ~16,900
182.8.226.228         ~300
138.199.21.230        ~100
206.238.221.25        ~100

Indicators of compromise include unexpected new administrator accounts and request log entries matching the pattern above.

Update to 51.1.38 immediately. Wordfence Premium users received a firewall rule on August 4, 2025, and free users on September 3. Audit your logs and review the user list for accounts you did not create.
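As an added triage example (not from the article or from Wordfence), the script below checks the two indicators named above against constructed sample data: it counts POST requests to admin-ajax.php from the source IPs the article reports, and it lists administrator accounts registered inside the attack window. The log lines and user rows are made up for the demonstration; the IP list is the article's; the window start date is an assumed cutoff for "late October 2025".

```php
<?php
// Added example, not the article's or the vendor's code. Sample log lines and
// user rows are constructed; the IP list is the one the article reports.

const KNOWN_ATTACK_IPS = array(
    '45.61.157.120', '2602:fa59:3:424::1', '182.8.226.228',
    '138.199.21.230', '206.238.221.25',
);
const ATTACK_WINDOW_START = '2025-10-25'; // assumed cutoff for "late October 2025"

// Combined-log-format lines (constructed). POST bodies are not logged, so the
// action/user_role parameters are invisible here; match on method, path and
// source IP, then count per IP.
$access_log = <<<'LOG'
45.61.157.120 - - [31/Oct/2025:02:14:07 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 63 "-" "python-requests/2.31"
45.61.157.120 - - [31/Oct/2025:02:14:08 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 63 "-" "python-requests/2.31"
203.0.113.9 - - [31/Oct/2025:02:20:11 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 28 "-" "Mozilla/5.0"
2602:fa59:3:424::1 - - [09/Nov/2025:18:03:55 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 63 "-" "curl/8.4.0"
198.51.100.4 - - [09/Nov/2025:18:04:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
LOG;

// Returns [ip => count] for admin-ajax.php POSTs coming from the known IPs.
function suspicious_ajax_posts( string $log ): array {
    $hits = array();
    $re   = '/^(\S+) \S+ \S+ \[[^\]]+\] "POST \/wp-admin\/admin-ajax\.php[^"]*"/';
    foreach ( preg_split( '/\R/', trim( $log ) ) as $line ) {
        if ( ! preg_match( $re, $line, $m ) ) {
            continue;
        }
        $hits[ $m[1] ] = ( $hits[ $m[1] ] ?? 0 ) + 1;
    }
    $flagged = array();
    foreach ( $hits as $ip => $count ) {
        if ( in_array( $ip, KNOWN_ATTACK_IPS, true ) ) {
            $flagged[ $ip ] = $count;
        }
    }
    return $flagged;
}

// Rows shaped like wp_users joined with the capabilities meta (constructed).
$users = array(
    array( 'ID' => 1,  'user_login' => 'siteowner', 'user_registered' => '2023-05-02 10:00:00', 'roles' => array( 'administrator' ) ),
    array( 'ID' => 57, 'user_login' => 'jsmith',    'user_registered' => '2025-11-01 09:12:44', 'roles' => array( 'subscriber' ) ),
    array( 'ID' => 58, 'user_login' => 'wpadmin2',  'user_registered' => '2025-11-09 18:03:56', 'roles' => array( 'administrator' ) ),
);

// Returns administrator rows registered on or after $since.
function recent_admins( array $users, string $since ): array {
    $cutoff = strtotime( $since );
    return array_values( array_filter( $users, function ( $u ) use ( $cutoff ) {
        return in_array( 'administrator', $u['roles'], true )
            && strtotime( $u['user_registered'] ) >= $cutoff;
    } ) );
}

foreach ( suspicious_ajax_posts( $access_log ) as $ip => $n ) {
    printf( "[log] %d admin-ajax POST(s) from known attacking IP %s\n", $n, $ip );
}
foreach ( recent_admins( $users, ATTACK_WINDOW_START ) as $u ) {
    printf( "[users] administrator '%s' (ID %d) registered %s -- verify legitimacy\n",
        $u['user_login'], $u['ID'], $u['user_registered'] );
}
```

Run with `php triage.php`; on the sample data it reports two POSTs from 45.61.157.120, one from 2602:fa59:3:424::1, and the account wpadmin2 registered on November 9. On a live site the user-table half is equivalent to `wp user list --role=administrator --fields=ID,user_login,user_registered`, and any administrator you do not recognise should be treated as a full-site compromise rather than just deleted, since the article notes admin access is enough to upload plugins and inject content.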

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.
