Critical Vulnerability in King Addons for Elementor Plugin Threatens Thousands of WordPress Sites
A significant security flaw has been identified in the King Addons for Elementor WordPress plugin, potentially compromising over 10,000 active installations worldwide. This vulnerability, designated as CVE-2025-8489, enables unauthenticated attackers to gain full administrative control over affected websites by exploiting an insecure registration function within the plugin.
Understanding the Vulnerability
The core issue lies in the plugin’s user registration process, which inadequately restricts the assignment of user roles during account creation. Specifically, the function `handle_register_ajax()` processes user input without sufficient validation, allowing attackers to specify any role, including ‘administrator’, during registration.
The problematic code snippet is as follows:
```php
// Vulnerable handler excerpt as quoted by the article: the client-supplied role is
// sanitized for markup but never checked against an allowlist, so 'administrator' passes.
$user_role = isset($_POST['user_role']) ? sanitize_text_field($_POST['user_role']) : '';
if (!empty($user_role) && $user_role !== 'subscriber') {
    $user_data['role'] = $user_role;    // any non-empty value other than 'subscriber' is accepted verbatim
}
$user_id = wp_insert_user($user_data);  // the account is created with the attacker-chosen role
```
In this code, the `user_role` parameter from the POST request only passes through `sanitize_text_field()`, which strips tags and stray whitespace but does not restrict the value to a permitted role; the `!== ‘subscriber’` comparison is a denylist of a single value rather than an allowlist. An attacker can exploit this by sending a crafted request to the WordPress `admin-ajax.php` endpoint with the `user_role` field set to ‘administrator’. Because the handler is reachable without logging in, this results in the creation of a new administrator account without any authentication checks.
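The same handler with the role decision moved to the server, as an added example written for this article and not the plugin author's actual patch. The WordPress core functions used (`check_ajax_referer`, `wp_unslash`, `sanitize_text_field`, `sanitize_user`, `sanitize_email`, `wp_insert_user`, `is_wp_error`, `wp_send_json_error`, `wp_send_json_success`) are real; the function names, the nonce action name and the form field names are assumptions.

```php
<?php
// Added example (not the vendor's patch): a hardened registration handler in which the
// role is never taken from the request verbatim. WordPress core functions are real;
// the function names, nonce action and form field names below are assumptions.

/** Roles a self-registered account may receive; everything else is refused. */
const REGISTRATION_ALLOWED_ROLES = ['subscriber'];

/**
 * Map a client-supplied role onto the allowlist. Returns null for anything outside it,
 * so the caller can reject the request instead of silently downgrading it.
 */
function resolve_registration_role(?string $requested): ?string
{
    $requested = strtolower(trim((string) $requested));
    if ($requested === '') {
        return 'subscriber';   // default when the field is absent
    }
    return in_array($requested, REGISTRATION_ALLOWED_ROLES, true) ? $requested : null;
}

/** AJAX handler: same inputs as the vulnerable snippet, but the role is allowlisted. */
function hardened_handle_register_ajax(): void
{
    // Nonce ties the request to a form the site actually rendered (action name assumed).
    check_ajax_referer('king_addons_register', 'nonce');

    $role = resolve_registration_role(
        isset($_POST['user_role']) ? sanitize_text_field(wp_unslash($_POST['user_role'])) : ''
    );
    if ($role === null) {
        // Refuse and log: a request asking for 'administrator' is a signal worth keeping.
        error_log('registration refused: disallowed role requested from '
            . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        wp_send_json_error(['message' => 'Invalid registration request.'], 400);
    }

    $user_data = [
        'user_login' => sanitize_user(wp_unslash($_POST['username'] ?? '')),
        'user_email' => sanitize_email(wp_unslash($_POST['email'] ?? '')),
        'user_pass'  => (string) wp_unslash($_POST['password'] ?? ''),
        'role'       => $role,   // server-chosen; can never be 'administrator'
    ];

    $user_id = wp_insert_user($user_data);
    if (is_wp_error($user_id)) {
        wp_send_json_error(['message' => $user_id->get_error_message()], 400);
    }
    wp_send_json_success(['user_id' => $user_id]);
}

// Self-check of the allowlist logic when run outside WordPress: php hardened_register.php
if (PHP_SAPI === 'cli' && !defined('ABSPATH')) {
    $cases = [
        'administrator' => null,          // refused
        'Editor'        => null,          // refused, case-insensitively
        'subscriber'    => 'subscriber',  // allowed
        ''              => 'subscriber',  // absent field gets the default
    ];
    foreach ($cases as $input => $expected) {
        $got = resolve_registration_role($input);
        printf("%-16s -> %s\n", var_export($input, true), var_export($got, true));
        assert($got === $expected);
    }
}
```

The decisive change is that `$_POST['user_role']` can only select among `REGISTRATION_ALLOWED_ROLES`; with a one-entry allowlist the simplest equivalent is to drop the field entirely and let `wp_insert_user()` fall back to `get_option('default_role')`. Rejecting rather than downgrading a disallowed role also leaves a log line that an administrator can later correlate with the attack traffic described in this article.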
Potential Impact
Once administrative access is obtained, attackers can:
– Install malicious plugins or themes containing backdoors.
– Modify or delete website content.
– Inject spam or phishing content.
– Redirect visitors to malicious websites.
Essentially, this vulnerability can lead to a complete site takeover, posing severe risks to website integrity and user trust.
Timeline of Events
– July 24, 2025: The vulnerability was initially reported.
– September 25, 2025: The plugin developer released a patched version, 51.1.35, addressing the security flaw.
– October 30, 2025: Wordfence disclosed the vulnerability through their Wordfence Intelligence database.
– October 31, 2025: Attackers began actively exploiting the vulnerability.
Exploitation and Defense
Security firm Wordfence reported that its firewall has blocked over 48,400 exploit attempts targeting this vulnerability. Notably, attack traffic spiked on November 9 and 10, 2025. Several IP addresses have been identified as significant sources of these attacks, including:
– 45.61.157.120
– 2602:fa59:3:424::1
– 182.8.226.228
– 138.199.21.230
– 206.238.221.25
Recommendations for Website Administrators
To mitigate the risk associated with this vulnerability, website administrators using the King Addons for Elementor plugin should:
1. Update the Plugin: Immediately upgrade to version 51.1.35 or later, which contains the necessary security patches.
2. Audit User Accounts: Review all administrator accounts to identify and remove any unauthorized users.
3. Monitor Logs: Examine server and access logs for requests from the identified malicious IP addresses.
4. Inspect Website Content: Check for any unauthorized changes to content, plugins, or themes.
5. Enhance Security Measures: Implement additional security measures such as two-factor authentication and regular security audits.
If a website is suspected to be compromised, it is crucial to seek professional incident response services promptly to mitigate potential damage.
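For step 3 of the list above, an added example of triaging an access log against the indicators this article lists; it is not part of the article or the plugin, and the log lines embedded in it are constructed rather than real traffic. Only the IP list comes from the article; everything else (function names, the sample requests, the report layout) is an assumption for illustration.

```php
<?php
// Added example (not from the article or the plugin): scan an Apache/Nginx combined-format
// access log for the source IPs the article names, and count admin-ajax.php POSTs per IP.
// The sample log lines at the bottom are constructed, not real traffic.

/** Source IPs named in the article as significant attack sources. */
const IOC_IPS = [
    '45.61.157.120',
    '2602:fa59:3:424::1',
    '182.8.226.228',
    '138.199.21.230',
    '206.238.221.25',
];

/**
 * Parse one combined-format line into [ip, method, path, status], or null if it does not match.
 * Format: IP - - [time] "METHOD PATH HTTP/x" STATUS BYTES "REFERER" "USER-AGENT"
 */
function parse_access_line(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) /', $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'method' => $m[2], 'path' => $m[3], 'status' => (int) $m[4]];
}

/**
 * Return IoC hits and per-IP counts of POSTs to admin-ajax.php.
 * A POST to admin-ajax.php is normal WordPress traffic (heartbeat, editors, forms),
 * so only the IoC matches are findings; the counts are context for the reviewer.
 */
function triage_access_log(iterable $lines, array $ioc_ips): array
{
    $ioc = array_flip(array_map('strtolower', $ioc_ips));
    $result = ['ioc_hits' => [], 'ajax_posts_by_ip' => []];

    foreach ($lines as $line) {
        $rec = parse_access_line($line);
        if ($rec === null) {
            continue;
        }
        if ($rec['method'] === 'POST' && str_contains($rec['path'], '/wp-admin/admin-ajax.php')) {
            $result['ajax_posts_by_ip'][$rec['ip']] = ($result['ajax_posts_by_ip'][$rec['ip']] ?? 0) + 1;
        }
        if (isset($ioc[strtolower($rec['ip'])])) {
            $result['ioc_hits'][] = $rec;
        }
    }
    return $result;
}

// Constructed sample lines; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
$sample_log = [
    '203.0.113.7 - - [09/Nov/2025:10:00:01 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '45.61.157.120 - - [09/Nov/2025:10:00:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 64 "-" "python-requests/2.31"',
    '2602:fa59:3:424::1 - - [10/Nov/2025:02:14:09 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 64 "-" "curl/8.4.0"',
    '203.0.113.7 - - [10/Nov/2025:02:15:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 12 "https://example.test/wp-admin/" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Nov/2025:02:16:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"',
];

$report = triage_access_log($sample_log, IOC_IPS);
foreach ($report['ioc_hits'] as $hit) {
    printf("IOC  %-20s %s %s -> %d\n", $hit['ip'], $hit['method'], $hit['path'], $hit['status']);
}
foreach ($report['ajax_posts_by_ip'] as $ip => $n) {
    printf("ajax %-20s %d POST(s) to admin-ajax.php\n", $ip, $n);
}
```

On the sample above the report lists two IoC hits (45.61.157.120 and 2602:fa59:3:424::1) and one admin-ajax.php POST each for those two addresses and for 203.0.113.7. To run it over a real file, pass `new SplFileObject('/var/log/apache2/access.log')` in place of `$sample_log`; the function accepts any iterable of lines. Access logs do not record POST bodies, so a hit here shows that an indicator contacted the endpoint, not which parameters were sent; pair it with step 2 by checking the `user_registered` timestamps of administrator accounts in the `wp_users` table against the request times.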
Conclusion
The discovery of this critical vulnerability in the King Addons for Elementor plugin underscores the importance of regular software updates and vigilant security practices. Website administrators must act swiftly to protect their sites from potential exploitation and maintain the trust of their users.