A critical security vulnerability, tracked as CVE-2025-8489, has been discovered in the popular King Addons for Elementor WordPress plugin, affecting versions from 24.12.92 through 51.1.14. This vulnerability allows unauthenticated attackers to escalate privileges by registering administrator accounts without authorization, putting thousands of websites at risk of full compromise.
Vulnerability Breakdown
The flaw resides in the plugin’s user registration mechanism. An attacker can exploit improper privilege validation by sending crafted POST requests to the plugin’s AJAX endpoint with the user_role parameter set to administrator. Because the submitted role value is not adequately verified, attackers can create new administrator accounts without being noticed.
The implications are severe: with administrator access, threat actors can install malicious plugins, alter website content, steal sensitive data, and pivot for further network infiltration. The vulnerability has been classified with a high severity CVSS score of 9.8 and is identified as CWE-269 (Improper Privilege Management).
Impact and Exposure
King Addons for Elementor is a widely used add-on plugin offering free elements, widgets, and templates for WordPress users. The plugin’s extensive user base, estimated at over 10,000 active sites, means exploitation attempts pose a significant threat to business continuity and data security. Active exploitation of this vulnerability has already been observed in the wild as of late 2025, underscoring the urgent need for remediation.
Mitigation Steps
- Immediate Update: Site administrators must update the King Addons for Elementor plugin to version 51.1.37 or later, which enforces proper role restrictions during user registration.
- Audit Registrations: Review recent user accounts created post-disclosure for any suspicious administrator additions.
- Restrict User Registration: Disable user registration if not necessary on your WordPress site.
- Security Monitoring: Implement monitoring to detect abnormal admin activity and privilege escalations.
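The "Audit Registrations" step above can be scripted. The following is an added example, not code from the article or from the King Addons project. It assumes the site's user list was exported with WP-CLI (`wp user list --format=json --fields=ID,user_login,user_email,user_registered,roles`), that the operator maintains a list of known administrator logins, and that a review cutoff date (placeholder below) is set to the disclosure or patch date. The sample export is constructed for the example.

```python
"""Audit WordPress administrator accounts for suspicious recent additions.

Added example for the 'Audit Registrations' mitigation step; not code from the
plugin vendor or the original article. Assumes a WP-CLI JSON export of users.
"""
import json
from datetime import datetime

# Constructed sample export (made-up accounts, emails and dates).
SAMPLE_EXPORT = json.dumps([
    {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.com",
     "user_registered": "2023-04-02 10:15:00", "roles": "administrator"},
    {"ID": 17, "user_login": "editor_jane", "user_email": "jane@example.com",
     "user_registered": "2025-06-11 08:00:00", "roles": "editor"},
    {"ID": 42, "user_login": "wp_support", "user_email": "x@mail.invalid",
     "user_registered": "2025-11-03 02:47:13", "roles": "administrator"},
    {"ID": 43, "user_login": "ops_bob", "user_email": "bob@example.com",
     "user_registered": "2025-11-10 09:30:00", "roles": "administrator,editor"},
])

# Maintained by the site operator: logins that are expected to hold admin rights.
KNOWN_ADMINS = {"siteowner", "ops_bob"}
# Placeholder cutoff: set this to the disclosure date or the date of your last clean audit.
REVIEW_AFTER = datetime(2025, 10, 1)


def parse_registered(value):
    """WP-CLI prints user_registered as 'YYYY-MM-DD HH:MM:SS'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def user_roles(user):
    """Normalise the roles field, which may be a comma-separated string or a list."""
    raw = user.get("roles", "")
    if isinstance(raw, str):
        raw = raw.split(",")
    return {r.strip() for r in raw if r.strip()}


def find_suspicious_admins(export_json, known_admins, review_after):
    """Return administrator accounts that are unknown or registered after the cutoff.

    Each finding carries the reasons it was flagged so a reviewer can triage quickly.
    """
    findings = []
    for user in json.loads(export_json):
        if "administrator" not in user_roles(user):
            continue
        reasons = []
        if user["user_login"] not in known_admins:
            reasons.append("login not in known-admin list")
        if parse_registered(user["user_registered"]) >= review_after:
            reasons.append("registered after review cutoff")
        if reasons:
            findings.append({"ID": user["ID"],
                             "user_login": user["user_login"],
                             "user_registered": user["user_registered"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_admins(SAMPLE_EXPORT, KNOWN_ADMINS, REVIEW_AFTER):
        print(f"[REVIEW] ID={f['ID']} login={f['user_login']} "
              f"registered={f['user_registered']}: {'; '.join(f['reasons'])}")
```

An account that is both unknown and recently created (like `wp_support` in the sample) is the pattern to look for first; a known admin that merely post-dates the cutoff (like `ops_bob`) still deserves a quick confirmation with whoever created it.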
Detecting the Vulnerability in Your Environment
Use your vulnerability management solutions such as Qualys or Tenable to identify installations of affected King Addons plugin versions. Employ targeted searches using CPE filters (cpe:2.3:a:kingaddons:king_addons_for_elementor) and assign high-priority remediation tasks to internet-facing WordPress assets.
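Where a scanner is not available, the installed version can be checked directly. The following is an added example, not code from the vendor or the article. It reads the `Version:` line from the standard WordPress plugin file header, locates the plugin by its `Plugin Name:` header rather than by an assumed directory name, and classifies the version against the ranges the advisory gives: 24.12.92 through 51.1.14 affected, 51.1.37 the first fixed release. The sample header below is constructed for the example.

```python
"""Classify an installed King Addons for Elementor version against CVE-2025-8489.

Added example; not code from the plugin vendor or the original article. Version
boundaries come from the advisory text. Plugin header parsing follows the
standard WordPress plugin header format.
"""
import os
import re

AFFECTED_MIN = "24.12.92"   # first affected version per the advisory
AFFECTED_MAX = "51.1.14"    # last affected version per the advisory
FIXED = "51.1.37"           # first release that enforces role restrictions
PLUGIN_NAME = "King Addons for Elementor"

# Constructed sample of a plugin main-file header (not the real file).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: King Addons for Elementor
 * Description: Constructed sample header for the example.
 * Version: 51.1.14
 */
"""


def parse_version(text):
    """Turn a dotted version string into a tuple of ints so it compares numerically."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(p) for p in parts)


def read_header_field(header_text, field):
    """Extract a 'Field: value' entry from a WordPress plugin file header."""
    pattern = r"^[ \t/*#@]*" + re.escape(field) + r":\s*(.+?)\s*$"
    m = re.search(pattern, header_text, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def classify(version):
    """Map a version string to vulnerable / below-fixed-release / patched."""
    v = parse_version(version)
    if parse_version(AFFECTED_MIN) <= v <= parse_version(AFFECTED_MAX):
        return "vulnerable"
    if v < parse_version(FIXED):
        # Outside the published affected range but older than the fixed release:
        # the advisory's guidance is still to move to 51.1.37 or later.
        return "below-fixed-release"
    return "patched"


def find_plugin_version(plugins_dir, plugin_name=PLUGIN_NAME):
    """Scan wp-content/plugins/<dir>/*.php headers for the named plugin's version."""
    for entry in sorted(os.listdir(plugins_dir)):
        plugin_path = os.path.join(plugins_dir, entry)
        if not os.path.isdir(plugin_path):
            continue
        for fname in os.listdir(plugin_path):
            if not fname.endswith(".php"):
                continue
            with open(os.path.join(plugin_path, fname), encoding="utf-8", errors="replace") as fh:
                head = fh.read(8192)   # WordPress itself only reads the first 8 KiB
            if read_header_field(head, "Plugin Name") == plugin_name:
                return read_header_field(head, "Version")
    return None


if __name__ == "__main__":
    version = read_header_field(SAMPLE_HEADER, "Version")
    print(f"sample header declares {version}: {classify(version)}")
    # On a real host: find_plugin_version("/var/www/html/wp-content/plugins")
```

The classifier deliberately keeps "below-fixed-release" separate from "vulnerable": the advisory only names 24.12.92 through 51.1.14 as affected, so versions outside that window but older than 51.1.37 are reported as needing the update without asserting they are exploitable.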
As this vulnerability allows complete takeover of affected WordPress sites without any authentication, prompt action is critical to prevent exploitation. Ensure all WordPress plugin inventories are up to date, actively monitor vendor advisories, and maintain a strict update policy to uphold site security against such high-risk flaws.