
[CIVN-2025-0369] Privilege Escalation vulnerability in King Addons for Elementor plugin for WordPress
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Privilege Escalation vulnerability in King Addons for Elementor plugin for WordPress
Indian Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: CRITICAL
Software Affected
WordPress Plugin King Addons for Elementor versions 24.12.92 through 51.1.14
Overview
A vulnerability has been reported in King Addons for Elementor plugin for WordPress, which could allow an unauthenticated attacker to register with administrator-level privileges.
Target Audience:
Users and administrators of websites using the affected versions of the King Addons for Elementor WordPress plugin.
Risk Assessment:
High risk of complete website compromise.
Impact Assessment:
Potential for complete compromise of the affected WordPress website, including unauthorized administrator access, malicious modification of content or settings, data theft, and disruption of website services.
Description
King Addons for Elementor is a WordPress plugin that extends the Elementor page builder with additional widgets, design elements, and customization features.
The vulnerability exists due to insufficient validation and restriction in the plugin's user registration handler, which may allow an attacker to assign administrator privileges during account creation when certain conditions are met.
Successful exploitation of this vulnerability could allow an unauthenticated attacker to gain unauthorized access to administrative functions, enabling data manipulation and full privilege escalation on the affected site.
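The bug class described above is a registration handler that lets the request decide which role the new account gets. The following PHP is an added illustration written for this advisory; it is not code from the King Addons plugin, and the function names, the `role` POST parameter, the nonce action name and the allow-listed roles are all assumptions. It shows the unsafe pattern, a hardened handler, and a helper for auditing administrator accounts on a WordPress site.

```php
<?php
// Added illustration, not code from the King Addons plugin. Function names,
// the "role" request parameter, the nonce action and the allow-list are
// assumptions chosen to show the bug class the advisory describes.

// UNSAFE PATTERN: the role to assign is read from the request body, so an
// unauthenticated submitter can send role=administrator.
function example_vulnerable_register() {
    $user_login = sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ) );
    $user_email = sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) );
    $password   = (string) wp_unslash( $_POST['password'] ?? '' );
    $role       = sanitize_text_field( wp_unslash( $_POST['role'] ?? 'subscriber' ) );

    // sanitize_text_field() strips tags but does not restrict the value;
    // "administrator" passes straight through to wp_insert_user().
    return wp_insert_user( array(
        'user_login' => $user_login,
        'user_email' => $user_email,
        'user_pass'  => $password,
        'role'       => $role,
    ) ); // int user ID on success, WP_Error on failure
}

// HARDENED PATTERN: the role is never taken from the request. It comes from
// the site's configured default, is checked against an allow-list of
// low-privilege roles, and the request must carry a valid nonce.
function example_hardened_register() {
    // 1. Nonce check (action name "example_register_form" is an assumption).
    if ( ! isset( $_POST['_wpnonce'] )
        || ! wp_verify_nonce( sanitize_key( $_POST['_wpnonce'] ), 'example_register_form' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid form submission.' );
    }

    // 2. Respect the core "Anyone can register" switch instead of bypassing it.
    if ( ! get_option( 'users_can_register' ) ) {
        return new WP_Error( 'registration_disabled', 'Registration is disabled.' );
    }

    $user_login = sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ), true );
    $user_email = sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) );
    if ( '' === $user_login || ! is_email( $user_email ) ) {
        return new WP_Error( 'bad_input', 'Invalid username or e-mail address.' );
    }

    // 3. Role from server-side configuration only; anything outside the
    //    allow-list collapses to subscriber.
    $allowed_roles = array( 'subscriber', 'contributor' );
    $role          = get_option( 'default_role', 'subscriber' );
    if ( ! in_array( $role, $allowed_roles, true ) ) {
        $role = 'subscriber';
    }

    // 4. Server-generated password; the user sets their own via the e-mailed link.
    $user_id = wp_insert_user( array(
        'user_login' => $user_login,
        'user_email' => $user_email,
        'user_pass'  => wp_generate_password( 24, true, true ),
        'role'       => $role,
    ) );

    if ( ! is_wp_error( $user_id ) ) {
        wp_new_user_notification( $user_id, null, 'user' );
    }
    return $user_id;
}

// AUDIT HELPER: list every administrator account with its registration
// timestamp, so unexpected accounts created during the exposure window
// stand out. Run from a mu-plugin or "wp eval-file".
function example_list_administrators() {
    $query = new WP_User_Query( array(
        'role'   => 'administrator',
        'fields' => array( 'ID', 'user_login', 'user_email', 'user_registered' ),
    ) );
    return $query->get_results();
}
```

The hardening steps matter individually: the allow-list alone would still let an attacker pick `contributor` if the value came from the request, so the role must come from server-side configuration and only then be validated. For a quick check without writing code, the WP-CLI command `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered` produces the same listing as the audit helper; review any account registered after the affected version was installed and rotate credentials and salts if one is found.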
Solution
Apply the appropriate plugin updates as described at:
https://www.wordfence.com/blog/2025/12/attackers-actively-exploiting-critical-vulnerability-in-king-addons-for-elementor-plugin/
Vendor Information
King Addons for Elementor
https://wordpress.org/plugins/king-addons/
References
Wordfence
https://www.wordfence.com/blog/2025/12/attackers-actively-exploiting-critical-vulnerability-in-king-addons-for-elementor-plugin/
BleepingComputer
https://www.bleepingcomputer.com/news/security/critical-flaw-in-wordpress-add-on-for-elementor-exploited-in-attacks/
CVE Name
CVE-2025-8489
--
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax : 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
-----BEGIN PGP SIGNATURE-----
=RocT
-----END PGP SIGNATURE-----