Hackers are exploiting a critical vulnerability, tracked as CVE-2025-8489 (CVSS score of 9.8), in the WordPress plugin King Addons for Elementor that allows unauthenticated users to create admin accounts via a registration privilege bug.
King Addons for Elementor is a third-party WordPress plugin designed to extend the features of the popular Elementor page builder. It provides users with extra widgets, templates, visual effects, and design tools that Elementor doesn’t include by default. Site owners use it to build more dynamic, visually rich pages without needing custom code. The plugin is installed on over 10,000 websites.
The flaw is a privilege escalation affecting versions 24.12.92 through 51.1.14. It stems from the plugin not properly restricting the roles that users can choose when registering, so an unauthenticated attacker can register an administrator-level account.
Security researcher Peter Thaleikis reported the vulnerability.
Wordfence researchers warn that threat actors are actively exploiting the vulnerability.
“The vendor released the patched version on September 25th, 2025, and we originally disclosed this vulnerability in the Wordfence Intelligence vulnerability database on October 30th, 2025. Our records indicate that attackers started exploiting the issue the next day, on October 31st, 2025.” reads the report published by Wordfence. “The Wordfence Firewall has already blocked over 48,400 exploit attempts targeting this vulnerability.”
The vulnerability in King Addons for Elementor lies in the “handle_register_ajax()” function. Attackers can send a crafted request to “/wp-admin/admin-ajax.php” specifying the “administrator” role, granting themselves full admin privileges. Exploiting this flaw lets them take control of the site, upload malicious code, distribute malware, redirect visitors to malicious sites, or inject spam.
“As with any Privilege Escalation vulnerability, this vulnerability can be used for a complete site compromise. Once an attacker has gained administrative user access to a WordPress site, they can then manipulate anything on the targeted site as a normal administrator would. This includes the ability to upload plugin and theme files, which can be malicious zip files containing backdoors. Additionally, they could modify posts and pages which can be leveraged to redirect site users to other malicious sites or inject spam content.”
Since the King Addons for Elementor vulnerability was disclosed, Wordfence has blocked over 48,400 exploit attempts. Exploitation attempts began on October 31, and the researchers observed spikes on November 9–10. Top attacking IPs include 45.61.157.120 (≈28,900 blocks) and 2602:fa59:3:424::1 (≈16,900 blocks). Indicators of compromise include newly created, unexpected administrator accounts and suspicious requests from these IPs. A thorough review is recommended if abnormal activity appears, even if no logs show attacks.
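An added defender-side example (not code from the article or from Wordfence): a small Python triage script that applies the indicators above to constructed sample data, flagging admin-ajax.php requests from the two IPs the report names and administrator accounts registered on or after the date exploitation began. The combined log format, the sample log lines and the user rows are constructed for illustration; only the IPs and dates come from the article.

```python
import re
from collections import Counter
from datetime import datetime

# From the report: the two top attacking IPs and the date exploitation began.
KNOWN_ATTACKER_IPS = {"45.61.157.120", "2602:fa59:3:424::1"}
EXPLOITATION_START = datetime(2025, 10, 31)
# Apache/nginx "combined" access-log format (assumed for the sample lines below).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # non-matching line (different format or corrupt)
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")
    return rec

def flag_ajax_requests(lines):
    """Return (flagged, counts): admin-ajax.php hits from the known attacker IPs,
    plus a per-IP count of admin-ajax.php POSTs so bursts like Nov 9-10 stand out."""
    flagged, counts = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith("/wp-admin/admin-ajax.php"):
            continue
        if rec["method"] == "POST":
            counts[rec["ip"]] += 1
        if rec["ip"] in KNOWN_ATTACKER_IPS:
            flagged.append((rec["ip"], rec["ts"].isoformat(), rec["status"]))
    return flagged, counts

def suspicious_admins(users):
    """Admin accounts in (login, role, user_registered) rows created on or after exploitation start."""
    return [login for login, role, registered in users
            if role == "administrator"
            and datetime.strptime(registered, "%Y-%m-%d %H:%M:%S") >= EXPLOITATION_START]

# Constructed sample data, not taken from the report.
SAMPLE_LOG = [
    '45.61.157.120 - - [09/Nov/2025:03:12:44 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [09/Nov/2025:03:13:02 +0000] "GET /about/ HTTP/1.1" 200 8210 "-" "Mozilla/5.0"',
    '2602:fa59:3:424::1 - - [10/Nov/2025:11:40:09 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 498 "-" "curl/8.4"',
    '198.51.100.22 - - [10/Nov/2025:12:00:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 44 "-" "Mozilla/5.0"',
]
SAMPLE_USERS = [
    ("siteowner", "administrator", "2023-04-02 09:15:00"),
    ("editor_jane", "editor", "2025-11-01 10:00:00"),
    ("wpadmin_x9", "administrator", "2025-11-09 03:12:46"),
]
```

Every account the second function returns still needs manual verification against who actually created it; the script only narrows the list to review.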
“Our threat intelligence indicates that attackers may have started actively targeting this vulnerability as early as October 31st, 2025 with mass exploitation starting on November 9th, 2025. The Wordfence firewall has already blocked over 48,400 exploit attempts targeting this vulnerability.” concludes the report. “Even if you have already received a firewall rule for this issue, we urge you to ensure that your site is updated to at least version 51.1.35 in order to maintain normal functionality.”