King Addons for Elementor – Free Elements, Widgets, Templates, and Features for Elementor 24.12.92 - 51.1.14 - Unauthenticated Privilege Escalation
Platform: wordpress
Component: king-addons
Fixed in: 51.1.15, 51.1.35
CVE-2025-8489 is a critical privilege escalation vulnerability discovered in the King Addons for Elementor WordPress plugin. This flaw allows unauthenticated attackers to register user accounts with administrator privileges, granting them complete control over the affected WordPress site. The vulnerability impacts versions 24.12.92 through 51.1.14, and a patch is available in version 51.1.35.
Impact and Attack Scenarios
The impact of this vulnerability is severe. An attacker exploiting CVE-2025-8489 can gain full administrative access to a WordPress website without needing any prior credentials. This allows them to modify content, install malicious plugins, steal sensitive data (user information, database contents, financial details), and potentially pivot to other systems on the network. The lack of authentication required for exploitation significantly broadens the attack surface, making it accessible to a wide range of threat actors, from script kiddies to sophisticated attackers. This vulnerability is particularly concerning given the plugin's popularity and widespread use.
Exploitation Context
This vulnerability was publicly disclosed on 2025-10-30. No public exploit has been confirmed, but the ease of exploitation and the plugin's popularity make it a likely target for malicious actors, so the probability of exploitation is high. It is not currently listed in the CISA KEV catalog.
Who Is at Risk
Websites using the King Addons for Elementor plugin, particularly those with weak security configurations or shared hosting environments, are at significant risk. Sites with outdated WordPress installations or those lacking regular security updates are also highly vulnerable. Any site relying on this plugin for critical functionality is exposed.
Detection Steps
• wordpress / composer / npm:
  wp plugin list | grep 'King Addons for Elementor'
• wordpress / composer / npm:
  wp plugin update --all
• wordpress / composer / npm:
  grep -r 'register_user' /var/www/html/wp-content/plugins/king-addons-for-elementor/includes/class-ka-user-registration.php
• wordpress / composer / npm:
  wp plugin status | grep 'King Addons for Elementor'
Attack Timeline
- Disclosure
Threat Intelligence
Exploit Status:
EPSS: 44.30% (98th percentile)
CISA SSVC:
CVSS Vector:
What do these metrics mean?
- Attack Vector: Network. Exploitable remotely over the internet; no physical or local access required.
- Attack Complexity: Low. No special conditions required; reliably exploitable.
- Privileges Required: None. Unauthenticated; no credentials are needed to exploit.
- User Interaction: None. Automatic, silent attack; the victim does nothing.
- Scope: Unchanged. Impact limited to the vulnerable component.
- Confidentiality: High. Total loss of confidentiality; the attacker can read all data.
- Integrity: High. The attacker can write, modify or delete all data.
- Availability: High. Complete outage or resource exhaustion; total denial of service.
Affected Software
Package information
- Active installations: 10K (known)
- Plugin rating: 5.0
- Requires WordPress: 6.0+
- Compatible up to: 7.0
- Requires PHP: 7.4+
Weakness Classification (CWE)
Timeline
- Reserved
- Published
- Modified
- EPSS updated
Mitigation and Workarounds
The primary mitigation for CVE-2025-8489 is to immediately upgrade the King Addons for Elementor plugin to version 51.1.35 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily restricting user registration to prevent unauthorized account creation. Implement strong password policies and enable two-factor authentication for all administrator accounts. Regularly review user accounts and remove any suspicious or unauthorized entries. While a WAF may offer some protection, it is not a substitute for patching the vulnerable plugin.
How to fix
Update to version 51.1.35, or a later fixed version
Frequently Asked Questions
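One way to turn the detection steps and the upgrade advice above into a repeatable check, as an added example that is not part of this advisory: it compares the installed plugin version against the affected range 24.12.92 through 51.1.14 stated on this page, and assumes the plugin slug is king-addons (the component name given above) and that WP-CLI is available for the live query.

```shell
#!/bin/sh
# Added example (not from the advisory): checks an installed King Addons for
# Elementor version against the affected range 24.12.92 - 51.1.14 for CVE-2025-8489.
# Assumes the plugin slug is "king-addons" and that WP-CLI ("wp") exists when
# run live; the comparison functions themselves need only POSIX sh.

AFFECTED_MIN="24.12.92"
AFFECTED_MAX="51.1.14"
PLUGIN_SLUG="king-addons"   # assumed slug, taken from the component name above

# vercmp A B: prints -1, 0 or 1 for A<B, A=B, A>B on dotted numeric versions.
vercmp() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; bi="${b%%.*}"                         # leading component
    if [ "$a" = "$ai" ]; then a=""; else a="${a#*.}"; fi # drop it from a
    if [ "$b" = "$bi" ]; then b=""; else b="${b#*.}"; fi # drop it from b
    ai="${ai:-0}"; bi="${bi:-0}"                         # missing part = 0
    if [ "$ai" -lt "$bi" ]; then echo -1; return 0; fi
    if [ "$ai" -gt "$bi" ]; then echo 1; return 0; fi
  done
  echo 0
}

# is_affected VERSION: succeeds (exit 0) when VERSION lies inside the range.
is_affected() {
  [ "$(vercmp "$1" "$AFFECTED_MIN")" -ge 0 ] && \
  [ "$(vercmp "$1" "$AFFECTED_MAX")" -le 0 ]
}

# check_site: reads the live version via WP-CLI and reports the result.
check_site() {
  v="$(wp plugin get "$PLUGIN_SLUG" --field=version 2>/dev/null)" || {
    echo "plugin $PLUGIN_SLUG not installed or wp unavailable"; return 2; }
  if is_affected "$v"; then
    echo "VULNERABLE: $PLUGIN_SLUG $v is within $AFFECTED_MIN-$AFFECTED_MAX (CVE-2025-8489)"
    return 1
  fi
  echo "OK: $PLUGIN_SLUG $v is outside the affected range"
  return 0
}

# Only query the site when explicitly asked; otherwise just define the functions.
if [ "${1:-}" = "--live" ]; then check_site; fi
```

Run it with --live on the site to query WP-CLI; a non-zero exit status means the installed version is in the affected range or could not be determined.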
What is CVE-2025-8489 — Privilege Escalation in King Addons for Elementor?
CVE-2025-8489 is a critical vulnerability allowing unauthenticated attackers to create administrator accounts on WordPress sites using the King Addons for Elementor plugin, granting them full control.
Am I affected by CVE-2025-8489 in King Addons for Elementor?
You are affected if you are using King Addons for Elementor versions 24.12.92 through 51.1.14. Check your plugin version immediately.
How do I fix CVE-2025-8489 in King Addons for Elementor?
Upgrade the King Addons for Elementor plugin to version 51.1.35 or later to patch the vulnerability. If immediate upgrade is not possible, restrict user registration.
Is CVE-2025-8489 being actively exploited?
While no confirmed exploitation has been publicly reported, the ease of exploitation and the plugin's popularity make it a likely target.
Where can I find the official King Addons for Elementor advisory for CVE-2025-8489?
Refer to the official King Addons for Elementor website and WordPress plugin repository for the latest security advisory and update information.