Software, Synthetic News, Website

Critical Vulnerability in Elementor Add-on Plugin Poses Site Takeover Risk

Posted by author-avatar

In the world of WordPress development, Elementor is an extremely popular page builder plugin, trusted by millions of websites. However, this very popularity makes Elementor and its add-ons an attractive target for hackers.

Recently (late 2025), a critical security vulnerability emerged in an Elementor add-on plugin, specifically King Addons for Elementor. This flaw is not only high-severity but has also been actively exploited across a wide range of sites, threatening the security of thousands of websites.

Detailed Report on the Security Vulnerability

The vulnerability in question is a severe Privilege Escalation issue, tracked with the identifier CVE-2025-8489 (CVSS score: 9.8Critical severity).

Technical Details and Scope of Impact

  • Vulnerability Name: Privilege Escalation via Registration Endpoint.
  • CVE ID: CVE-2025-8489 (Reportedly related to CVE-2025-6325).
  • Affected Plugin: King Addons for Elementor (Used on over 10,000 active installations).
  • Vulnerable Versions: From 24.12.92 up to and including 51.1.14.
  • Patch: The flaw was fixed in version 51.1.35 (released on September 25, 2025).
  • Exploitation Mechanism: The vulnerability stems from the plugin’s failure to properly restrict the user role that a user can register with via the “King Addons Login | Register Form” widget.

Unauthenticated attackers can leverage this to register a new account and assign themselves the Administrator role by specifying this role during the registration process.

Furthermore, reports also mention another critical flaw in the same plugin: Unauthenticated Arbitrary File UploadCVE-2025-6327, which allows attackers to upload arbitrary files to a web-accessible directory. Though the mechanism differs, the potential consequence is also full site compromise.

Consequences and Exploitation Status

  • Complete Site Takeover: By gaining administrative privileges, hackers can achieve a full site takeover.
  • Malware Upload: Attackers can upload malicious code, plugins, or backdoors.
  • Site Redirection: Redirecting visitors to phishing or malicious websites.
  • Injection of Malicious Content: Injecting spam, crypto-mining malware, or unwanted content.

Security firms like Wordfence and Patchstack have reported mass exploitation attempts of this vulnerability currently underway. Wordfence blocked tens of thousands of exploitation attempts within weeks of the flaw being made public. This highlights the severity and speed with which threat actors are targeting unpatched websites.

Expert Assessment and Opinions

Security experts universally emphasize that the flaw in King Addons for Elementor is a classic example of Broken Access Control – one of the top security risks in web applications.

Perspective on Access Control Flaws

Researchers at Wordfence explained that the core issue lies in the plugin “failing to properly restrict the roles a user can register for.” This is a fundamental logical error that carries the most severe consequences for security.

“This flaw allows an unauthenticated attacker to register an administrator-level user account. Such easy attainment of administrative privileges is the fastest path to complete site compromise,” stated a security expert from Defiant (Wordfence’s parent company).

The Challenge of Add-on Plugins

Patchstack (a vulnerability intelligence platform) regularly warns that the WordPress add-on ecosystem, including Elementor add-ons, is a major risk frontier. Many third-party plugins, despite having thousands of installations, may not adhere to the best secure coding practices for WordPress, particularly concerning capability checks and nonce validation for AJAX actions.

Expert opinion suggests that flaws such as:

  1. Missing Nonce and Capability Checks: Allowing unauthenticated users to execute sensitive functions.
  2. Lack of Sanitization/Validation: Leading to vulnerabilities like arbitrary file uploads or XSS (Cross-Site Scripting).

are common in lower-quality plugins.

Expert Advice and Recommendations

Security experts unanimously offer the following recommendations to protect websites:

  1. Update Immediately: This is the most crucial preventive measure. Administrators must ensure King Addons for Elementor is updated to version 51.1.35 or newer as soon as possible.
  2. Check and Monitor:
    • User Audit: Review the list of administrator users for any suspicious or newly created accounts. If found, delete them immediately.
    • Monitor for Anomalous Activity: Track logs for suspicious registration attempts or unknown administrative activities.
  3. Limit Plugin Usage: Web developers should re-evaluate the third-party plugins they use.
    • The Principle of Least Functionality: Only install plugins that are truly necessary.
    • Developer Reputation: Prioritize plugins from developers with a good reputation and history of timely security updates.
  4. Use a Web Application Firewall (WAF): Implementing a WAF (such as services provided by Cloudflare, Wordfence, etc.) can help block known exploitation attempts through continuously updated security rules.

Elementor and Periodic Security Risks

The King Addons vulnerability is not the first security incident involving Elementor or its related plugins. History has recorded several key events:

  • Early 2023: A Broken Access Control vulnerability in Elementor Pro (versions $\le 3.11.6$). This flaw allowed authenticated users (like WooCommerce Customers) to change site options, including enabling registration and setting the default administrator role, potentially leading to site takeover.
  • 2022: A critical vulnerability in Elementor (versions 3.6.0 – 3.6.2) allowed low-privilege users to upload and activate malicious ZIP files (masquerading as Elementor Pro), leading to Remote Code Execution (RCE).

These events reinforce the view that, while Elementor is a powerful tool, users must maintain a high security awareness and update frequently both the core plugin and its extensions. The increase in complexity and the number of plugins has significantly expanded a WordPress site’s attack surface.

What to do when website has King Addons installed

The Privilege Escalation vulnerability (CVE-2025-8489) in King Addons for Elementor represents an acute and critical risk to websites using the vulnerable versions. Active global exploitation is underway, making every unpatched site a potential target.

Immediate action is mandatory: Administrators must prioritize updating the King Addons plugin to version 51.1.35 or higher and conduct a security check post-update.

author-avatar

About Admin IdoTsc

Admin IdoTsc of the website of IDO Technology Solutions Co., Ltd. Research on website design, online marketing. Always listening, thinking to understanding.

Related Posts