Platform
wordpress
Component
king-addons
Fixed in
51.1.15
51.1.35
CVE-2025-8489 is a critical privilege escalation vulnerability discovered in the King Addons for Elementor WordPress plugin. This flaw allows unauthenticated attackers to register user accounts with administrator privileges, granting them complete control over the affected WordPress site. The vulnerability impacts versions 24.12.92 through 51.1.14, and a patch is available in version 51.1.35.
The impact of this vulnerability is severe. An attacker exploiting CVE-2025-8489 can gain full administrative access to a WordPress website without needing any prior credentials. This allows them to modify content, install malicious plugins, steal sensitive data (user information, database contents, financial details), and potentially pivot to other systems on the network. The lack of authentication required for exploitation significantly broadens the attack surface, making it accessible to a wide range of threat actors, from script kiddies to sophisticated attackers. This vulnerability is particularly concerning given the plugin's popularity and widespread use.
This vulnerability was publicly disclosed on 2025-10-30. While no public exploits have been confirmed, the low effort required to exploit this flaw and the plugin's popularity make it a likely target for malicious actors, so the probability of exploitation should be treated as high. It is not currently listed in the CISA KEV catalog.
Websites using the King Addons for Elementor plugin, particularly those with weak security configurations or shared hosting environments, are at significant risk. Sites with outdated WordPress installations or those lacking regular security updates are also highly vulnerable. Any site relying on this plugin for critical functionality is exposed.
• wordpress / composer / npm:
wp plugin list | grep 'King Addons for Elementor'
• wordpress / composer / npm:
wp plugin update --all
• wordpress / composer / npm:
grep -r 'register_user' /var/www/html/wp-content/plugins/king-addons-for-elementor/includes/class-ka-user-registration.php
• wordpress / composer / npm:
wp plugin status | grep 'King Addons for Elementor'
Disclosure
Exploit Status
EPSS
44.30% (98th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-8489 is to immediately upgrade the King Addons for Elementor plugin to version 51.1.35 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily restricting user registration to prevent unauthorized account creation. Implement strong password policies and enable two-factor authentication for all administrator accounts. Regularly review user accounts and remove any suspicious or unauthorized entries. While a WAF may offer some protection, it is not a substitute for patching the vulnerable plugin.
Update to version 51.1.35, or a newer patched version
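As an added example (not code from this advisory or from the plugin vendor), the following POSIX shell script checks whether an installed plugin version falls inside the affected range stated above (24.12.92 through 51.1.14) and, when WP-CLI is available, lists administrator accounts so that any you did not create can be reviewed. The plugin slug `king-addons` is assumed from the Component field on this page.

```shell
#!/bin/sh
# Affected range and fixed version as stated in the advisory.
AFFECTED_MIN="24.12.92"
AFFECTED_MAX="51.1.14"
FIXED="51.1.35"
PLUGIN_SLUG="king-addons"   # assumed slug, taken from the page's Component field

# vercmp A B: prints -1, 0 or 1 comparing dotted numeric versions
# field by field, so that 51.1.14 < 51.1.35 and 24.12.92 < 30.0.0.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; bh=${b%%.*}
        [ "$ah" = "$a" ] && a="" || a=${a#*.}
        [ "$bh" = "$b" ] && b="" || b=${b#*.}
        ah=${ah:-0}; bh=${bh:-0}   # missing trailing fields count as 0
        if [ "$ah" -lt "$bh" ]; then printf -- '%s\n' -1; return; fi
        if [ "$ah" -gt "$bh" ]; then printf -- '%s\n' 1; return; fi
    done
    printf -- '%s\n' 0
}

# is_affected VERSION: succeeds when AFFECTED_MIN <= VERSION <= AFFECTED_MAX.
is_affected() {
    [ "$(vercmp "$1" "$AFFECTED_MIN")" -ge 0 ] && \
    [ "$(vercmp "$1" "$AFFECTED_MAX")" -le 0 ]
}

# check_site: read the installed version via WP-CLI and report. Returns 1
# when vulnerable, 2 when WP-CLI is absent, 3 when the plugin is not installed.
check_site() {
    command -v wp >/dev/null 2>&1 || { echo "wp-cli not found; call is_affected <version> by hand"; return 2; }
    v="$(wp plugin get "$PLUGIN_SLUG" --field=version 2>/dev/null)" \
        || { echo "plugin $PLUGIN_SLUG is not installed"; return 3; }
    if is_affected "$v"; then
        echo "VULNERABLE: $PLUGIN_SLUG $v is within $AFFECTED_MIN..$AFFECTED_MAX; update to $FIXED or later"
        # Review every administrator; an account nobody on the team created warrants investigation.
        wp user list --role=administrator --fields=ID,user_login,user_email,user_registered
        return 1
    fi
    echo "OK: $PLUGIN_SLUG $v is outside the affected range"
}
```

Run `check_site` on the host where WP-CLI is configured for the site; the version comparison itself needs nothing beyond a POSIX shell.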
CVE-2025-8489 is a critical vulnerability allowing unauthenticated attackers to create administrator accounts on WordPress sites using the King Addons for Elementor plugin, granting them full control.
You are affected if you are using King Addons for Elementor versions 24.12.92 through 51.1.14. Check your plugin version immediately.
Upgrade the King Addons for Elementor plugin to version 51.1.35 or later to patch the vulnerability. If immediate upgrade is not possible, restrict user registration.
While no confirmed exploitation has been publicly reported, the ease of exploitation and the plugin's popularity make it a likely target.
Refer to the official King Addons for Elementor website and WordPress plugin repository for the latest security advisory and update information.