Critical vulnerabilities reported in WordPress King Addons for Elementor plugin
Take action: If you use the King Addons for Elementor plugin on your WordPress site, this is urgent. Update immediately to version 51.1.37 or later. You can't ignore this: WordPress sites are designed to be reachable from the internet, so attackers will find vulnerable installs.
Security researchers at Patchstack are reporting two critical unauthenticated vulnerabilities in the King Addons for Elementor plugin that expose websites to potential remote code execution and complete site takeover.
King Addons for Elementor is a popular WordPress plugin designed as a feature-rich extension for the Elementor page builder. The plugin is commonly deployed to build contact forms, file upload forms, pricing tables, sliders, team sections, countdown timers, social login functionality, and registration forms.
Vulnerabilities summary:
- CVE-2025-6327 (CVSS score 10.0): Unauthenticated Arbitrary File Upload vulnerability that allows attackers to upload malicious files to web-accessible directories on the WordPress server, potentially leading to remote code execution (RCE). This vulnerability is caused by an AJAX handler registered in /includes/widgets/Form_Builder/helpers/Upload_Email_File.php that exposes a security nonce to every visitor. While the handler attempts nonce verification, the nonce is publicly accessible via wp_localize_script, allowing any unauthenticated attacker to retrieve it and successfully perform upload requests. Additionally, the file_validity() method incorrectly returns a non-empty string instead of false for invalid file types, breaking the intended validation logic. Combined with the ability to manipulate the allowed_file_types parameter, this enables attackers to upload arbitrary file types to the wp-content/uploads/king-addons/forms/ directory, ultimately achieving remote code execution on compromised servers.
- CVE-2025-6325 (CVSS score 9.8): Unauthenticated Privilege Escalation via Registration Endpoint that allows attackers to register new WordPress accounts with arbitrary roles, including administrator privileges. Located in includes/widgets/Login_Register_Form/Login_Register_Form_Ajax.php, the plugin's registration handler accepts client-supplied role values through the user_role parameter. An attacker can exploit this by posting action=king_addons_user_register&user_role=administrator to create a new administrator account without any authentication. This vulnerability requires only that site registration is enabled and the King Addons Login/Register Form widget is active on at least one page.
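As an added example that is not from the article or from the plugin vendor, the following Python script hunts request logs for the exploitation patterns described above: a registration POST carrying user_role, an admin-ajax POST whose allowed_file_types parameter has been widened to an executable extension, and a request for a script under wp-content/uploads/king-addons/forms/. The JSON-lines log format, the sample entries and the extension list are constructed assumptions; the upload handler's AJAX action name is not given in the article, so that check keys on the parameter rather than the action.

```python
import json
from urllib.parse import parse_qs, urlparse

# Constructed request log in JSON-lines form (method, path, body). The format
# is an assumption; a real WAF or application log needs its own parser.
SAMPLE_LOG = """\
{"method":"POST","path":"/wp-admin/admin-ajax.php","body":"action=king_addons_user_register&user_role=administrator&user_email=x%40example.test"}
{"method":"POST","path":"/wp-admin/admin-ajax.php","body":"action=king_addons_user_register&user_email=y%40example.test"}
{"method":"POST","path":"/wp-admin/admin-ajax.php","body":"allowed_file_types=jpg,php&nonce=deadbeef"}
{"method":"GET","path":"/wp-content/uploads/king-addons/forms/cmd.php?x=1","body":""}
{"method":"POST","path":"/wp-admin/admin-ajax.php","body":"action=heartbeat"}
"""

# Server-side executable extensions (assumed list, extend for your stack).
EXEC_EXTENSIONS = {"php", "phtml", "phar", "php5", "php7", "phps"}
UPLOAD_DIR = "/wp-content/uploads/king-addons/forms/"


def classify(entry):
    """Return a finding for one request, or None if nothing matches."""
    params = parse_qs(entry.get("body", ""))
    action = params.get("action", [""])[0]
    path = urlparse(entry.get("path", "")).path
    # CVE-2025-6325: registration request carrying a client-chosen role.
    if action == "king_addons_user_register" and "user_role" in params:
        role = params["user_role"][0]
        level = "CRITICAL" if role == "administrator" else "HIGH"
        return f"{level}: registration request with user_role={role!r}"
    # CVE-2025-6327: allowed_file_types widened to include executable types.
    if "allowed_file_types" in params:
        wanted = {t.strip().lower().lstrip(".")
                  for t in params["allowed_file_types"][0].split(",")}
        bad = sorted(wanted & EXEC_EXTENSIONS)
        if bad:
            return f"CRITICAL: allowed_file_types includes {bad}"
    # Post-exploitation: a script being requested from the upload directory.
    if path.startswith(UPLOAD_DIR) and path.rsplit(".", 1)[-1].lower() in EXEC_EXTENSIONS:
        return f"CRITICAL: script requested from upload dir: {path}"
    return None


def scan(log_text):
    # Run classify() over every non-empty JSON line and collect the findings.
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            finding = classify(json.loads(line))
            if finding:
                findings.append(finding)
    return findings
```

Running scan(SAMPLE_LOG) yields three findings, one per pattern; the plain registration and the heartbeat request are left alone.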
The vendor, King Addons, patched these vulnerabilities in two releases. Version 51.1.36, released on October 19, 2025, fixed the privilege escalation flaw. Version 51.1.37, also released on October 19, 2025, fixed the file upload vulnerability.
Site administrators running King Addons for Elementor should immediately check whether they have the Login/Register Form widget active on any pages and update to version 51.1.37 or later.