Full Report
A critical security flaw impacting a WordPress plugin known as King Addons for Elementor has come under active exploitation in the wild. The vulnerability, CVE-2025-8489 (CVSS score: 9.8), is a case of privilege escalation that allows unauthenticated attackers to grant themselves administrative privileges by simply specifying the administrator user role during registration. It affects versions
Analysis Summary
# Vulnerability: Unauthenticated Privilege Escalation in King Addons for Elementor
## CVE Details
- CVE ID: CVE-2025-8489
- CVSS Score: 9.8 (Critical)
- CWE: Insufficient Authorization/Access Control (Inferred from exploitation details)
## Affected Systems
- Products: King Addons for Elementor (WordPress Plugin)
- Versions: 24.12.92 through 51.1.14
- Configurations: Any site running an affected version; the flaw is reachable through the plugin's registration mechanism without authentication.
## Vulnerability Description
The vulnerability is a privilege escalation flaw stemming from the plugin's failure to restrict the user roles assignable during registration. Specifically, the `handle_register_ajax()` function within the plugin fails to properly validate user roles. This allows an unauthenticated attacker to send a specially crafted HTTP request to the `/wp-admin/admin-ajax.php` endpoint and specify the user role as "administrator," thereby creating an administrative account without prior authentication.
## Exploitation
- Status: Exploited in the wild (Active exploitation confirmed since late October/early November 2025)
- Complexity: Low (Unauthenticated network exploit)
- Attack Vector: Network
## Impact
- Confidentiality: High (Allows full administrative access to sensitive data)
- Integrity: High (Allows attackers to modify site content, code, and configuration)
- Availability: High (Can lead to site defacement, malware delivery, or complete site compromise/takeover)
## Remediation
### Patches
- Upgrade to **King Addons for Elementor version 51.1.35** or later (Patch released September 25, 2025).
### Workarounds
- Disable or remove the King Addons for Elementor plugin temporarily if immediate patching is not possible.
- If possible, restrict access to the `/wp-admin/admin-ajax.php` endpoint or implement strong Web Application Firewall (WAF) rules to block suspicious registration attempts targeting role assignment.
## Detection
- **Indicators of compromise:** Look for newly created user accounts with administrator privileges that were not created by known administrators.
- **Detection methods and tools:** Monitor WAF/security logs for POST requests to `/wp-admin/admin-ajax.php` that contain parameters attempting to set the user role (`user_role`) to 'administrator' from an unauthenticated source.
- Observed Exploiting IPs: 45.61.157.120, 182.8.226.228, 138.199.21.230, 206.238.221.25, 2602:fa59:3:424::1.
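As an added illustration of the detection method above (not code from the page or from the plugin), the following script flags unauthenticated POST requests to `/wp-admin/admin-ajax.php` whose form body sets `user_role` to `administrator`. The JSON-lines log schema, the `action=register` value and the sample records are all constructed assumptions; the `wordpress_logged_in_` cookie prefix is WordPress's standard marker for a logged-in session.

```python
import json
from urllib.parse import parse_qs, urlsplit

AJAX_PATH = "/wp-admin/admin-ajax.php"

# Constructed sample WAF records (JSON lines), not real traffic. The schema
# (src, method, uri, cookies, body) and the "action=register" value are assumed;
# detection keys only on the user_role parameter named in the advisory.
SAMPLE_LOG = """
{"src": "203.0.113.7", "method": "POST", "uri": "/wp-admin/admin-ajax.php", "cookies": "", "body": "action=register&username=newadmin&email=a%40example.test&user_role=administrator"}
{"src": "203.0.113.8", "method": "POST", "uri": "/wp-admin/admin-ajax.php", "cookies": "wordpress_logged_in_abc=admin%7Cxyz", "body": "action=register&username=bob&user_role=administrator"}
{"src": "198.51.100.2", "method": "POST", "uri": "/wp-admin/admin-ajax.php", "cookies": "", "body": "action=register&username=alice&user_role=subscriber"}
{"src": "198.51.100.3", "method": "GET", "uri": "/wp-admin/admin-ajax.php?action=heartbeat", "cookies": "", "body": ""}
{"src": "203.0.113.9", "method": "POST", "uri": "/wp-admin/admin-ajax.php", "cookies": "", "body": "action=register&user_role=ADMINISTRATOR&username=x"}
"""

def is_authenticated(cookie_header):
    """WordPress issues a 'wordpress_logged_in_<hash>' cookie to logged-in users."""
    return "wordpress_logged_in_" in cookie_header

def is_role_escalation_attempt(record):
    """True for an unauthenticated POST to admin-ajax.php carrying user_role=administrator."""
    if record.get("method", "").upper() != "POST":
        return False
    # Compare the path only, so query strings on the URI do not hide the endpoint.
    if urlsplit(record.get("uri", "")).path != AJAX_PATH:
        return False
    if is_authenticated(record.get("cookies", "")):
        return False
    # parse_qs decodes percent-encoding and returns a list per parameter name.
    params = parse_qs(record.get("body", ""), keep_blank_values=True)
    roles = [r.strip().lower() for r in params.get("user_role", [])]
    return "administrator" in roles

def find_attempts(log_text):
    """Return the source addresses of records that match the escalation pattern."""
    hits = []
    for line in log_text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if is_role_escalation_attempt(rec):
            hits.append(rec["src"])
    return hits

if __name__ == "__main__":
    for src in find_attempts(SAMPLE_LOG):
        print(f"suspected CVE-2025-8489 attempt from {src}")
```

Any hit should be followed by a review of recently created accounts holding the administrator role, as the indicators above describe.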
## References
- Vendor Advisory/Details: see the Wordfence and King Addons advisories covering CVE-2025-8489.
- CVE Record: hxxps://www-cve-org/CVERecord?id=CVE-2025-8489
- Security Alert: hxxps://www-wordfence-com/blog/2025/12/attackers-actively-exploiting-critical-vulnerability-in-king-addons-for-elementor-plugin/