A serious vulnerability has been discovered in the King Addons for Elementor WordPress plugin, affecting more than 10,000 active installations worldwide.
The flaw allows unauthenticated attackers to gain full administrative control over WordPress websites by simply registering a new account with administrator privileges.
The vulnerability was first reported on July 24th, 2025, and has now become the target of active exploitation campaigns.
Wordfence security analysts identified the vulnerability and disclosed it through their Wordfence Intelligence database on October 30th, 2025.
The vendor released a patched version on September 25th, 2025, addressing the underlying security flaw.
However, attackers began exploiting this vulnerability the day after public disclosure, on October 31st, 2025. The Wordfence Firewall has already blocked over 48,400 exploit attempts targeting affected websites.
Wordfence security researchers noted that this privilege escalation vulnerability poses a critical risk to any WordPress site running vulnerable versions of the plugin.
Once attackers gain administrative access, they can upload malicious files, modify website content, inject spam, or install backdoors that maintain persistent access to the compromised site.
The vulnerability stems from improper role restriction in the plugin’s user registration function, handle_register_ajax(). When a user registers through the plugin’s login form, the handler accepts a user_role parameter from the POST request and passes it through to account creation without checking it against the roles a self-registered user is allowed to receive. An attacker can therefore send a specially crafted registration request specifying ‘administrator’ as the intended role, and the plugin accepts it without question.
The vulnerable code snippet shows how the plugin processes the user_role field:

```php
$user_role = isset($_POST['user_role']) ? sanitize_text_field($_POST['user_role']) : '';
if (!empty($user_role) && $user_role !== 'subscriber') {
    $user_data['role'] = $user_role;
}
$user_id = wp_insert_user($user_data);
```

sanitize_text_field() only strips tags and stray whitespace; it does not restrict the value to a permitted role. The only comparison made is against ‘subscriber’, so any other role string, ‘administrator’ included, is handed straight to wp_insert_user().

An attacker would send a POST request to the plugin’s AJAX handler with parameters like:

```http
POST /wp-admin/admin-ajax.php HTTP/1.1

action=king_addons_user_register&user_role=administrator&username=attacker_name&[email protected]
```

Because registration is open to unauthenticated visitors, this request passes no authentication check at all and creates a fully functional administrator account that the attacker can use to log in to WordPress.
Once inside, attackers have complete control to modify the website’s configuration, upload malicious plugins or themes, or inject harmful code into pages and posts.
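The role handling a fix needs, as an added example written for this page rather than the plugin’s own patch (the function name, the deny-list contents and the self-service allow-list are assumptions): the client-supplied value is treated as a request, matched against an explicit allow-list, and privileged roles are refused unconditionally. The script runs stand-alone; the WordPress calls that would feed it are shown only in a comment.

```php
<?php
// Added example, not King Addons' code: hardened role resolution for a
// self-service registration handler. The user_role POST field is never
// written into $user_data directly.

/**
 * Decide which role a self-registered account receives.
 *
 * @param string   $requested_role Value of the user_role POST field (already sanitized).
 * @param string   $default_role   Site default, e.g. get_option('default_role') in WordPress.
 * @param string[] $self_service   Roles a visitor may pick for themselves (assumed to be
 *                                 configured by the site operator).
 */
function king_addons_example_resolve_role(string $requested_role, string $default_role, array $self_service): string
{
    // Hard deny-list: these roles can never be obtained through registration,
    // even if the operator misconfigures $self_service.
    $never_self_service = ['administrator', 'editor'];

    // WordPress role slugs are lowercase; normalise before comparing.
    $requested_role = strtolower(trim($requested_role));

    if ($requested_role === '' || in_array($requested_role, $never_self_service, true)) {
        return $default_role;
    }

    // Explicit allow-list, compared strictly: anything not opted into falls back
    // to the site default instead of being trusted.
    if (in_array($requested_role, $self_service, true)) {
        return $requested_role;
    }

    return $default_role;
}

// How a handler would use it inside WordPress (assumed call sites, not executed here):
//   $role = king_addons_example_resolve_role(
//       isset($_POST['user_role']) ? sanitize_text_field(wp_unslash($_POST['user_role'])) : '',
//       get_option('default_role', 'subscriber'),
//       ['subscriber']
//   );
//   $user_data['role'] = $role;
//   $user_id = wp_insert_user($user_data);

// Constructed demo inputs: the role from the exploit request, a misconfigured
// allow-list that lists administrator (deny-list still wins), and benign values.
$cases = [
    ['administrator', 'subscriber', ['subscriber']],
    ['administrator', 'subscriber', ['subscriber', 'administrator']],
    ['Subscriber ',   'subscriber', ['subscriber']],
    ['contributor',   'subscriber', ['subscriber']],
    ['',              'subscriber', ['subscriber']],
];

foreach ($cases as [$requested, $default, $allowed]) {
    printf(
        "requested=%-16s granted=%s\n",
        var_export($requested, true),
        king_addons_example_resolve_role($requested, $default, $allowed)
    );
}
```

Inside WordPress, wp_roles()->is_role($slug) can additionally confirm that the slug exists before it is used. Falling back to the default role is one choice; rejecting the request outright is equally valid, and logging any refused privileged role gives a simple detection signal for the exploitation campaign described above.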
Aspect                    Details
CVE ID                    CVE-2025-8489
CVSS Score                9.8 (Critical)
Affected Versions         24.12.92 – 51.1.14
Patched Version           51.1.35
Vulnerability Type        Unauthenticated Privilege Escalation
Affected Plugin           King Addons for Elementor
Installations             10,000+
Researcher                Peter Thaleikis
Security Bounty           $1,073.00
Exploitation Status       Active
Blocks Since Disclosure   48,400+ attempts

Website administrators should update their King Addons for Elementor plugin to version 51.1.35 immediately to secure their installations against ongoing attacks.
The post Critical Elementor Plugin Vulnerability Let Attackers Takeover WordPress Site Admin Control appeared first on Cyber Security News.