Critical Vulnerability in King Addons for Elementor Plugin Allows Full WordPress Site Takeover
A significant security flaw has been identified in the King Addons for Elementor WordPress plugin, which is actively installed on over 10,000 websites. The vulnerability lets an unauthenticated attacker obtain full administrative control of an affected site simply by registering a new account and requesting the administrator role in the registration request.
Discovery and Disclosure Timeline
The vulnerability was reported to Wordfence on July 24, 2025. The plugin's vendor released a patched version on September 25, 2025, and Wordfence published the issue in its Wordfence Intelligence database on October 30, 2025. Attackers began exploiting the flaw on October 31, 2025, one day after public disclosure, even though a fix had been available for more than a month. To date, the Wordfence Firewall has blocked over 48,400 exploit attempts targeting vulnerable websites.
Technical Details of the Vulnerability
The core of this vulnerability lies in the plugin's user registration function, `handle_register_ajax()`. The function does not restrict which role a newly registered account may receive. When a user registers through the plugin's login form, the code reads a `user_role` parameter from the POST body, runs it through `sanitize_text_field()` (which only strips tags and stray whitespace and says nothing about whether the value is an allowed role), and otherwise passes it straight through to account creation. An attacker can therefore submit a registration request with `user_role=administrator`, and the plugin creates the account with that role.
The vulnerable code processes the `user_role` field as follows (comments added for explanation):
```php
// The role comes straight from the request body. sanitize_text_field() is not
// an allow-list check: the string "administrator" passes through unchanged.
$user_role = isset( $_POST['user_role'] ) ? sanitize_text_field( $_POST['user_role'] ) : '';
if ( ! empty( $user_role ) && $user_role !== 'subscriber' ) {
    // Any role name the attacker supplies, including 'administrator', is accepted.
    $user_data['role'] = $user_role;
}
$user_id = wp_insert_user( $user_data );
```
An attacker would send a POST request to the plugin's AJAX handler with parameters like the following (the host and e-mail address are placeholders):
```
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: target.example
Content-Type: application/x-www-form-urlencoded

action=king_addons_user_register&user_role=administrator&username=attacker_name&email=attacker@example.com
```
Because the AJAX action is reachable without logging in, the request needs no authentication at all: it creates a fully functional administrator account that the attacker can then use to log in to WordPress.
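For comparison, the following is a hardened version of the same registration handler. It is an added example written for this article, not the plugin's own code or its vendor's patch. The AJAX action name and the `username`, `email` and `user_role` field names are taken from the request shown above; the nonce action name `king_addons_register_nonce` is hypothetical. The essential change is that the request body never chooses the role: self-registered accounts always get the site's configured default role, and a non-default role is honoured only for a logged-in caller who holds `promote_users`, and only if the role actually exists on the site.

```php
<?php
// Added example (not the plugin's code): hardened registration handler.
// The action name and field names follow the exploit request above; the
// nonce action name 'king_addons_register_nonce' is an assumption.

add_action( 'wp_ajax_nopriv_king_addons_user_register', 'example_handle_register_ajax' );
add_action( 'wp_ajax_king_addons_user_register', 'example_handle_register_ajax' );

function example_handle_register_ajax() {
    // CSRF check on the form's nonce (dies with -1 if it fails).
    check_ajax_referer( 'king_addons_register_nonce', 'nonce' );

    // Honour the site-wide "Anyone can register" setting.
    if ( ! get_option( 'users_can_register' ) ) {
        wp_send_json_error( array( 'message' => 'Registration is disabled.' ), 403 );
    }

    $username = isset( $_POST['username'] ) ? sanitize_user( wp_unslash( $_POST['username'] ), true ) : '';
    $email    = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';

    if ( '' === $username || ! is_email( $email ) ) {
        wp_send_json_error( array( 'message' => 'Invalid username or e-mail address.' ), 400 );
    }

    // Never let the request body pick the role. Self-registered accounts get
    // the configured default role (normally "subscriber").
    $role = get_option( 'default_role', 'subscriber' );

    // A different role is accepted only from a logged-in caller who may
    // promote users, and only if the role is one this site actually defines.
    if ( isset( $_POST['user_role'] ) && current_user_can( 'promote_users' ) ) {
        $requested = sanitize_key( wp_unslash( $_POST['user_role'] ) );
        if ( wp_roles()->is_role( $requested ) ) {
            $role = $requested;
        }
    }

    $user_id = wp_insert_user( array(
        'user_login' => $username,
        'user_email' => $email,
        // Random password; the user sets their own via the e-mailed reset link.
        'user_pass'  => wp_generate_password( 24, true ),
        'role'       => $role,
    ) );

    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( array( 'message' => $user_id->get_error_message() ), 400 );
    }

    // Send the new user a password-setup notification.
    wp_new_user_notification( $user_id, null, 'user' );

    wp_send_json_success( array( 'user_id' => $user_id ) );
}
```

The minimal fix is simply to delete the branch that copies `$_POST['user_role']` into `$user_data['role']`; the version above goes further by also checking the nonce, the `users_can_register` option and, for the privileged path, both the caller's capability and the existence of the requested role, which is what a reviewer would expect to see in a registration endpoint exposed to anonymous callers.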
Potential Impact
Once attackers gain administrative access, they can:
– Upload malicious files
– Modify website content
– Inject spam
– Install backdoors to maintain persistent access
This level of control poses a critical risk to any WordPress site running vulnerable versions of the plugin.
Mitigation Measures
Website administrators are strongly advised to update King Addons for Elementor to version 51.1.35 or later immediately, as exploitation is ongoing. Updating alone does not undo a compromise that has already happened: because the attack creates a real administrator account, sites that ran a vulnerable version should also review their administrator accounts and remove any that were not created by a known person.
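A quick way to perform that review is to list administrator accounts registered since the public disclosure date. The script below is an added example for this article, not part of the plugin or of any Wordfence tooling; it uses WordPress's own `WP_User_Query` and is meant to be run through WP-CLI with `wp eval-file audit-admins.php`. The cutoff date is an assumption based on the timeline above; move it earlier if the site may have been targeted before disclosure.

```php
<?php
// Added example (not from the plugin or Wordfence): list administrator
// accounts registered on or after the public disclosure date.
// Run with: wp eval-file audit-admins.php
// The cutoff is an assumption taken from the disclosure date in the article.

$cutoff = '2025-10-30 00:00:00';

$query = new WP_User_Query( array(
    'role'       => 'administrator',
    'fields'     => array( 'ID', 'user_login', 'user_email', 'user_registered' ),
    'orderby'    => 'registered',
    'order'      => 'DESC',
    // date_query on WP_User_Query defaults to the user_registered column.
    'date_query' => array(
        array(
            'column'    => 'user_registered',
            'after'     => $cutoff,
            'inclusive' => true,
        ),
    ),
) );

$suspects = $query->get_results();

if ( empty( $suspects ) ) {
    WP_CLI::success( "No administrator accounts registered since $cutoff." );
    return;
}

WP_CLI::warning( count( $suspects ) . " administrator account(s) registered since $cutoff:" );
foreach ( $suspects as $user ) {
    WP_CLI::line( sprintf(
        '%d  %s  %s  %s',
        $user->ID,
        $user->user_login,
        $user->user_email,
        $user->user_registered
    ) );
}
WP_CLI::line( 'Confirm each account with the site owner. Remove an unknown account with:' );
WP_CLI::line( '  wp user delete <ID> --reassign=<ID of a trusted administrator>' );
```

An empty result is not proof of a clean site: an attacker who gained administrator access can rename or back-date the account, install a backdoor and then delete the account, so the listing should be combined with a review of recently modified files and installed plugins.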
Summary of the Vulnerability
– CVE ID: CVE-2025-8489
– CVSS Score: 9.8 (Critical)
– Affected Versions: 24.12.92 – 51.1.14
– Patched Version: 51.1.35
– Vulnerability Type: Unauthenticated Privilege Escalation
– Affected Plugin: King Addons for Elementor
– Installations: 10,000+
– Researcher: Peter Thaleikis
– Security Bounty: $1,073.00
– Exploitation Status: Active
– Blocks Since Disclosure: 48,400+ attempts
Conclusion
This vulnerability underscores the importance of regular plugin updates and vigilant security practices for WordPress site administrators. Ensuring that all plugins are up-to-date and monitoring for unusual activity can help mitigate the risk of such exploits.