A critical security vulnerability in the widely used WordPress plugin King Addons for Elementor is now being actively exploited. The privilege escalation flaw, tracked as CVE-2025-8489, lets unauthenticated users obtain administrator privileges on affected websites.
The vulnerability affects King Addons for Elementor versions 24.12.92 through 51.1.14. The plugin maintainers released a fix in version 51.1.35 on September 25, 2025, but a significant number of sites may still be running a vulnerable version. Security researcher Peter Thaleikis is credited with discovering and reporting the flaw, which affects a plugin with over 10,000 active installations.
King Addons Vulnerability Exposes WordPress Sites to Takeovers
The flaw stems from the plugin's failure to restrict the user role assigned during registration. According to Wordfence, a WordPress security firm, this oversight allows unauthenticated attackers to create accounts for themselves at the administrator level. The issue lies in the "handle_register_ajax()" function, which runs when a new user registers on a WordPress site.
Wordfence detailed how the insecure implementation of this function lets attackers bypass the normal role assignment. By crafting a specific HTTP request to the "/wp-admin/admin-ajax.php" endpoint, an attacker can explicitly set the role of the new account to "administrator." Because the registration endpoint requires no authentication, the attacker ends up with an administrator account on the affected site without ever having had valid credentials.
Successful exploitation of CVE-2025-8489 can lead to a complete takeover of a vulnerable WordPress site. With administrative access, an attacker can inject malicious code, deploy malware, redirect visitors to phishing or scam sites, or insert spam content. This threatens both the integrity of the site and the trust of its users.
Exploitation appears to have begun shortly after public disclosure in late October 2025, with widespread attacks starting around November 9, 2025. Wordfence reported blocking over 48,400 exploit attempts since the disclosure, 75 of them in the 24 hours preceding its report. The activity has been traced to several IP addresses, including 45.61.157.120, 182.8.226.228, 138.199.21.230, 206.238.221.25, and the IPv6 address 2602:fa59:3:424::1, indicating a coordinated effort.
Mitigating the King Addons Privilege Escalation Risk
Website administrators are strongly urged to act immediately to secure their WordPress installations. The most important step is to update the King Addons for Elementor plugin to version 51.1.35 or newer, which fixes the flaw that allowed the privilege escalation.
Beyond updating the plugin, administrators should audit their site's user accounts for any administrator accounts they did not create and for existing accounts showing suspicious activity. Because the attacks began before many sites were patched, ongoing monitoring for abnormal site behavior is also needed to detect a compromise that may already have occurred.
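The account audit described above can be scripted. The following added example (not code from the article or from the plugin) flags administrator accounts registered after the disclosure window that are not on a team-maintained allowlist; the sample export is constructed to mirror the fields of `wp user list --format=json`, and the cutoff date and allowlist are assumptions.

```python
"""Audit WordPress user accounts for administrator roles granted after a cutoff date.

Added example. The input imitates the JSON emitted by
`wp user list --fields=ID,user_login,user_registered,roles --format=json`;
the field names follow WP-CLI, but every record below is fabricated.
"""
import json
from datetime import datetime

# Constructed sample export: two long-standing accounts, one editor, and two
# administrator accounts that appeared after the public disclosure.
SAMPLE_EXPORT = json.dumps([
    {"ID": 1, "user_login": "siteowner", "user_registered": "2021-03-04 10:12:00", "roles": "administrator"},
    {"ID": 2, "user_login": "editor_jane", "user_registered": "2023-06-10 08:00:00", "roles": "editor"},
    {"ID": 3, "user_login": "ops_admin", "user_registered": "2025-10-30 15:45:10", "roles": "administrator"},
    {"ID": 4, "user_login": "xk9_support", "user_registered": "2025-11-09 02:13:57", "roles": "administrator"},
    {"ID": 5, "user_login": "mt_ads", "user_registered": "2025-11-10 04:01:22", "roles": "administrator,subscriber"},
])

# The article places disclosure in late October 2025; the exact day is an assumption.
DISCLOSURE_CUTOFF = "2025-10-20"
# Administrator accounts the site team provisioned itself (hypothetical allowlist).
KNOWN_ADMINS = {"siteowner", "ops_admin"}


def parse_roles(raw):
    """WP-CLI emits roles as a comma-separated string; normalise it to a set."""
    return {r.strip() for r in raw.split(",") if r.strip()}


def find_suspect_admins(export_json, cutoff=DISCLOSURE_CUTOFF, known=KNOWN_ADMINS):
    """Return the logins of administrator accounts registered on or after
    `cutoff` (YYYY-MM-DD) that are not on the allowlist, sorted for stable output."""
    cutoff_dt = datetime.strptime(cutoff, "%Y-%m-%d")
    suspects = []
    for user in json.loads(export_json):
        if "administrator" not in parse_roles(user["roles"]):
            continue
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        if registered >= cutoff_dt and user["user_login"] not in known:
            suspects.append(user["user_login"])
    return sorted(suspects)


if __name__ == "__main__":
    for login in find_suspect_admins(SAMPLE_EXPORT):
        print("review administrator account:", login)
```

Run the real export through the same function and review every login it reports; a legitimate account can be added to the allowlist once confirmed.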
Looking ahead, the burden falls on website administrators to apply security updates promptly. The continued exploitation attempts underline the persistent threat to WordPress sites and the value of proactive security measures. Site owners should watch for future advisories affecting the plugins and themes they run.