Platform: wordpress
Component: king-addons
Fixed in: 51.1.15, 51.1.35
CVE-2025-8489 is a critical privilege escalation vulnerability discovered in the King Addons for Elementor WordPress plugin. This flaw allows unauthenticated attackers to register user accounts with administrator privileges, granting them complete control over the affected WordPress site. The vulnerability impacts versions 24.12.92 through 51.1.14, and a patch is available in version 51.1.35.
The impact of this vulnerability is severe. An attacker exploiting CVE-2025-8489 can gain full administrative access to a WordPress website without needing any prior credentials. This allows them to modify content, install malicious plugins, steal sensitive data (user information, database contents, financial details), and potentially pivot to other systems on the network. The lack of authentication required for exploitation significantly broadens the attack surface, making it accessible to a wide range of threat actors, from script kiddies to sophisticated attackers. This vulnerability is particularly concerning given the plugin's popularity and widespread use.
This vulnerability was publicly disclosed on 2025-10-30. No public exploit has been confirmed, but the ease of exploitation and the plugin's popularity make it a likely target for malicious actors and suggest a high probability of exploitation. It is not currently listed in the CISA KEV catalog.
Exploit Status
EPSS: 44.30% (98th percentile)
The primary mitigation for CVE-2025-8489 is to immediately upgrade the King Addons for Elementor plugin to version 51.1.35 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily restricting user registration to prevent unauthorized account creation. Implement strong password policies and enable two-factor authentication for all administrator accounts. Regularly review user accounts and remove any suspicious or unauthorized entries. While a WAF may offer some protection, it is not a substitute for patching the vulnerable plugin.
Update to version 51.1.35, or a newer patched version
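The two checks the mitigation above asks for (confirm whether the installed plugin version falls in the affected range 24.12.92 through 51.1.14 or is below the patched 51.1.35, and review user accounts for administrator entries created since the disclosure date) can be scripted. The following is an added example written for this page; it is not code from the advisory, from the King Addons project, or from WordPress. It assumes user records in the JSON shape produced by the WP-CLI command `wp user list --fields=ID,user_login,user_registered,roles --format=json`; the user records embedded below are constructed sample data, and the cut-off date is the advisory's disclosure date.

```python
"""Defender-side checks for CVE-2025-8489 (King Addons for Elementor).

Added example, not the advisory's or the plugin's own code.

1. is_affected() / needs_update(): compare an installed plugin version against
   the ranges stated in the advisory. Dotted versions must be compared
   numerically: as strings, "51.1.9" sorts after "51.1.14", which would
   wrongly mark 51.1.9 as outside the affected range.
2. suspicious_admins(): flag administrator accounts registered on or after a
   review cut-off date, from records shaped like the output of
   `wp user list --fields=ID,user_login,user_registered,roles --format=json`
   (assumption about the field shape; roles may be a comma-joined string).
"""
from datetime import datetime
import json

AFFECTED_MIN = (24, 12, 92)   # first affected version named in the advisory
AFFECTED_MAX = (51, 1, 14)    # last affected version named in the advisory
FIXED_VERSION = (51, 1, 35)   # version the advisory says to upgrade to

# Constructed sample records (not real site data) in the assumed wp-cli JSON shape.
SAMPLE_USERS_JSON = """[
  {"ID": 1,  "user_login": "siteowner",   "user_registered": "2023-04-02 10:15:00", "roles": "administrator"},
  {"ID": 7,  "user_login": "editor_jane", "user_registered": "2024-09-11 08:00:00", "roles": "editor"},
  {"ID": 42, "user_login": "wpadm1n",     "user_registered": "2025-11-02 03:17:44", "roles": "administrator"},
  {"ID": 43, "user_login": "support",     "user_registered": "2025-11-03 22:05:10", "roles": "administrator,editor"}
]"""


def parse_version(version: str) -> tuple:
    """Turn '51.1.14' into (51, 1, 14); non-numeric suffixes are ignored."""
    parts = []
    for piece in version.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True if the version is inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def needs_update(version: str) -> bool:
    """True if the version is older than the patched release the advisory names."""
    return parse_version(version) < FIXED_VERSION


def suspicious_admins(users_json: str, since: str) -> list:
    """Return logins of administrator accounts registered on/after `since` (YYYY-MM-DD)."""
    cutoff = datetime.strptime(since, "%Y-%m-%d")
    flagged = []
    for user in json.loads(users_json):
        raw_roles = user.get("roles", "")
        roles = set(raw_roles) if isinstance(raw_roles, list) else {
            r.strip() for r in str(raw_roles).split(",")
        }
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        if "administrator" in roles and registered >= cutoff:
            flagged.append(user["user_login"])
    return flagged


if __name__ == "__main__":
    for v in ("24.12.91", "24.12.92", "51.1.9", "51.1.14", "51.1.35"):
        print(f"{v:>9}: affected={is_affected(v)} needs_update={needs_update(v)}")
    # Review accounts created since the advisory's disclosure date.
    print("admin accounts to review:", suspicious_admins(SAMPLE_USERS_JSON, "2025-10-30"))
```

On a live site, feed the script the real `wp user list ... --format=json` output and the version from `wp plugin get king-addons --field=version`; any administrator account you did not create that appears in the flagged list should be reviewed and removed, as the mitigation advises.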
CVE-2025-8489 is a critical vulnerability allowing unauthenticated attackers to create administrator accounts on WordPress sites using the King Addons for Elementor plugin, granting them full control.
You are affected if you are using King Addons for Elementor versions 24.12.92 through 51.1.14. Check your plugin version immediately.
Upgrade the King Addons for Elementor plugin to version 51.1.35 or later to patch the vulnerability. If immediate upgrade is not possible, restrict user registration.
While no confirmed exploitation has been publicly reported, the ease of exploitation and the plugin's popularity make it a likely target.
Refer to the official King Addons for Elementor website and WordPress plugin repository for the latest security advisory and update information.