A critical security flaw affecting a WordPress plugin known as King Addons for Elementor is being exploited in the wild.
This vulnerability, CVE-2025-8489 (CVSS score: 9.8), is a privilege escalation case that allows an unauthenticated attacker to grant themselves administrative privileges by simply specifying the administrator user role during registration.
Affected versions are 24.12.92 through 51.1.14. This vulnerability was patched by the maintainer in version 51.1.35, released on September 25, 2025. Security researcher Peter Thaleikis is credited with discovering and reporting this flaw. This plugin has over 10,000 active installations.
“This is due to the plugin not properly restricting the roles that users can register for,” Wordfence said in the warning. “This allows an unauthenticated attacker to register an administrator-level user account.”
Specifically, the cause of this issue lies in the “handle_register_ajax()” function that is called during user registration. However, an insecure implementation of this feature could allow an unauthenticated attacker to specify his role as “Administrator” in a crafted HTTP request to the “/wp-admin/admin-ajax.php” endpoint and gain elevated privileges.
Successful exploitation of this vulnerability could allow a malicious attacker to seize control of a susceptible site that has the plugin installed and weaponize access to upload malicious code to distribute malware, redirect site visitors to a dangerous site, or inject spam.
Wordfence says it has thwarted more than 48,400 exploitation attempts since the flaw was made public in late October 2025, with 75 attempts thwarted in the past 24 hours alone. The attack originated from the following IP address –
45.61.157.120 182.8.226.228 138.199.21.230 206.238.221.25 2602:fa59:3:424::1
“Attackers may have begun actively targeting this vulnerability as early as October 31, 2025, with large-scale exploitation beginning on November 9, 2025,” the WordPress security firm said.
Site administrators are encouraged to ensure they are running the latest versions of plugins, audit their environments for suspicious admin users, and monitor for signs of unusual activity.
Source link
