
A critical security flaw in the popular “King Addons for Elementor” WordPress plugin has left thousands of websites at risk of complete takeover, security researchers have warned.
The vulnerability, tracked as CVE-2025-8489, allows unauthenticated attackers to register new accounts with full administrator rights by abusing an insecure registration function in the plugin.
King Addons for Elementor has more than 10,000 active installations, making this a serious threat to many site owners. The issue affects plugin versions 24.12.92 through 51.1.14.
Elementor Plugin Vulnerability
In these versions, the plugin’s registration code fails to properly restrict which user roles can be assigned during signup.
An attacker can send a crafted request to the WordPress admin-ajax.php endpoint and set the “user_role” field to “administrator”.
This lets them create a new admin-level account without logging in or proving prior access. Once an attacker gains administrator privileges, they can fully control the site.
| Attribute | Details |
|---|---|
| Vulnerability Name | King Addons for Elementor – Unauthenticated Privilege Escalation |
| CVE ID | CVE-2025-8489 |
| CVSS Rating | 9.8 (Critical) |
| Vulnerability Type | Unauthenticated Privilege Escalation |
| Affected Plugin | King Addons for Elementor |
This includes installing malicious plugins or themes containing backdoors, modifying posts and pages, redirecting visitors to malicious websites, or injecting spam and phishing content.
In short, this vulnerability can lead to a complete site compromise. The flaw is rated 9.8 (Critical) under the CVSS scoring system. The plugin developer released a patched version, 51.1.35, on September 25th, 2025.
Security firm Wordfence added a firewall rule to block attacks for its Premium, Care, and Response customers on August 4th, 2025, and rolled out the same protection to free users on September 3rd, 2025. However, attackers began actively exploiting the bug shortly after public disclosure on October 30th, 2025.
According to Wordfence, its firewall has already blocked more than 48,400 exploit attempts targeting this vulnerability. Attack traffic spiked especially on November 9th and 10th.
Several IP addresses have been identified as significant sources of attacks, including 45.61.157.120 and 2602:fa59:3:424::1.
| IP Address | Blocked Requests |
|---|---|
| 45.61.157.120 | 28,900+ |
| 2602:fa59:3:424::1 | 16,900+ |
| 182.8.226.228 | 300+ |
| 138.199.21.230 | 100+ |
| 206.238.221.25 | 100+ |
Each is responsible for tens of thousands of blocked requests. Website owners using King Addons for Elementor are strongly urged to do the following:

- Update immediately to version 51.1.35 or later.
- Check for any unknown or suspicious administrator accounts.
- Review server and access logs for requests from known attacking IPs.
- Monitor for unusual changes to content, plugins, or themes.
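Two of the steps above (reviewing access logs for the attacking IPs and checking for unknown administrator accounts) can be scripted. The following is an added example written for this page; it is not code from the article, from Wordfence, or from the plugin. It scans web-server access-log lines in the common "combined" format for requests from the IPs listed in the table, flags admin-ajax.php requests that carry a `user_role` parameter in the query string (a heuristic only, since access logs do not record POST bodies, and the action name in the sample is a placeholder), and compares the administrator list exported by the real WP-CLI command `wp user list --role=administrator --format=csv` against the logins the site owner expects. The log lines and CSV embedded below are constructed sample data.

```python
"""Triage helpers for the King Addons for Elementor issue (CVE-2025-8489).

Added example, not code from the article or the plugin. Sample log lines and
the WP-CLI CSV below are constructed; the attacking IPs come from the article.
"""
import csv
import io
import re
from urllib.parse import parse_qs, urlsplit

# Attacking IPs reported by Wordfence in the article.
ATTACKER_IPS = {
    "45.61.157.120",
    "2602:fa59:3:424::1",
    "182.8.226.228",
    "138.199.21.230",
    "206.238.221.25",
}

# "Combined" access-log format: client IP, identd, user, [timestamp],
# "METHOD target protocol", status, ... (the rest is ignored).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_access_log(lines):
    """Return (reason, ip, method, target) tuples for suspicious requests."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        ip, method, target = m["ip"], m["method"], m["target"]
        parts = urlsplit(target)
        query = parse_qs(parts.query)
        if ip in ATTACKER_IPS:
            findings.append(("known attacking IP", ip, method, target))
        elif parts.path.endswith("/admin-ajax.php") and "user_role" in query:
            # Heuristic: role selection should never arrive via the query string.
            findings.append(("user_role parameter on admin-ajax.php", ip, method, target))
    return findings


def unexpected_admins(wp_cli_csv, expected_logins):
    """Parse `wp user list --role=administrator --format=csv` output and return
    administrator logins that are not in the owner's expected set."""
    reader = csv.DictReader(io.StringIO(wp_cli_csv))
    return sorted(
        row["user_login"] for row in reader if row["user_login"] not in expected_logins
    )


# Constructed sample data (203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges; "hypothetical_register" is a placeholder action name).
SAMPLE_LOG = """\
203.0.113.7 - - [09/Nov/2025:10:01:12 +0000] "GET /blog/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
45.61.157.120 - - [09/Nov/2025:10:02:44 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 73 "-" "python-requests/2.31"
2602:fa59:3:424::1 - - [10/Nov/2025:03:15:09 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 73 "-" "curl/8.4.0"
198.51.100.23 - - [10/Nov/2025:03:20:00 +0000] "GET /wp-admin/admin-ajax.php?action=hypothetical_register&user_role=administrator HTTP/1.1" 200 73 "-" "curl/8.4.0"
198.51.100.23 - - [10/Nov/2025:03:21:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

SAMPLE_ADMIN_CSV = """\
ID,user_login,display_name,user_email,user_registered,roles
1,siteowner,Site Owner,owner@example.com,2023-02-01 09:00:00,administrator
57,wpadmin_support,wpadmin_support,x@example.net,2025-11-09 10:02:45,administrator
"""

if __name__ == "__main__":
    for reason, ip, method, target in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"[{reason}] {ip} {method} {target}")
    for login in unexpected_admins(SAMPLE_ADMIN_CSV, {"siteowner"}):
        print(f"[unexpected administrator] {login}")
```

On a real site, feed the script the actual access log (for example `scan_access_log(open("/var/log/nginx/access.log"))`) and the output of the WP-CLI command; an administrator whose `user_registered` timestamp falls in the attack window and is not on the expected list is the account to investigate first.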
Those who suspect their site may be compromised should seek professional incident response and cleanup services as soon as possible.
