Critical privilege escalation flaw in King Addons for Elementor plugin enables takeover of WordPress Sites
Take action: If you're using the King Addons for Elementor plugin, update immediately to version 51.1.35 or later. An actively exploited vulnerability allows attackers to create rogue administrator accounts. After updating, review all user accounts on your WordPress site and remove any suspicious or unknown administrator accounts that shouldn't be there.
A critical security vulnerability in the King Addons for Elementor WordPress plugin allows unauthenticated attackers to register administrator-level user accounts on affected WordPress installations.
The flaw, tracked as CVE-2025-8489 (CVSS score 9.8), is a privilege escalation vulnerability caused by improper privilege management in the plugin's registration function, which fails to restrict user roles during the signup process. The plugin's handle_register_ajax() function, which processes user registration requests, accepts a user_role parameter directly from POST requests without authorization checks or validation. An attacker can send a crafted request to the WordPress admin-ajax.php endpoint with the user_role field set to "administrator".
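As an added illustration (not the plugin's own code), the pattern the advisory describes sits beside a hardened handler that never lets the client choose a role; the nonce action, AJAX hook name and form field names are assumptions, with only user_role, handle_register_ajax() and the administrator role taken from the advisory.

```php
<?php
// Added illustration, not King Addons code. Hook, nonce and field names are
// assumed; user_role and handle_register_ajax() come from the advisory.

// The pattern the advisory describes: the role is copied straight from the
// request, so an unauthenticated POST can set user_role=administrator.
function vulnerable_handle_register_ajax() {
    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( $_POST['username'] ),
        'user_email' => sanitize_email( $_POST['email'] ),
        'user_pass'  => $_POST['password'],
        'role'       => $_POST['user_role'], // attacker-controlled
    ) );
    wp_send_json_success( array( 'user_id' => $user_id ) );
}

// Hardened form: the role is decided server-side (the site's configured
// default, normally "subscriber"), the request is bound to a nonce, input
// is sanitized and validated, and any user_role in the request is ignored.
function hardened_handle_register_ajax() {
    check_ajax_referer( 'example_register', 'nonce' ); // assumed nonce action/field

    if ( ! get_option( 'users_can_register' ) ) {
        wp_send_json_error( 'Registration is disabled.', 403 );
    }

    $username = sanitize_user( wp_unslash( $_POST['username'] ?? '' ), true );
    $email    = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $password = (string) wp_unslash( $_POST['password'] ?? '' );

    if ( '' === $username || ! is_email( $email ) || strlen( $password ) < 12 ) {
        wp_send_json_error( 'Invalid registration data.', 400 );
    }

    $user_id = wp_insert_user( array(
        'user_login' => $username,
        'user_email' => $email,
        'user_pass'  => $password,
        'role'       => get_option( 'default_role', 'subscriber' ), // never from $_POST
    ) );

    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 400 );
    }
    wp_send_json_success( array( 'user_id' => $user_id ) );
}
add_action( 'wp_ajax_nopriv_example_register', 'hardened_handle_register_ajax' ); // assumed hook
```

The same rule applies to any privileged attribute on a self-service form: elevated roles should only be assignable by a request that passes a capability check such as current_user_can( 'promote_users' ).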
Administrator access enables attackers to take full control of the WordPress installation, install malicious code, modify content and potentially pivot to other systems within corporate networks.
Wordfence has reported blocking more than 48,400 exploitation attempts targeting this vulnerability, with some sources indicating the number has reached approximately 50,000 blocked requests. Security researchers have identified several IP addresses as significant sources of attacks, including 45.61.157.120, which accounts for over 28,900 blocked requests, and 2602:fa59:3:424::1, responsible for an additional 16,900 exploitation attempts. Multiple other IP addresses have been linked to hundreds of attempts each, indicating a sustained and coordinated campaign.
The plugin developer released a patched version, 51.1.35, on September 25, 2025.
Website administrators using King Addons for Elementor should update immediately to version 51.1.35 or later. Organizations should also conduct thorough audits of all user accounts to identify any unknown or suspicious administrator accounts that may have been created through exploitation of this vulnerability.
For sites where user registration is not a critical function, administrators should consider temporarily disabling registration features until the update can be applied.