Elementor WordPress Add-On Vulnerability Exposed in Cyberattacks


A critical-severity privilege escalation vulnerability, tracked as CVE-2025-8489, in the King Addons for Elementor plugin for WordPress is being exploited in the wild. The flaw lets anyone who registers an account on a vulnerable site obtain administrator privileges during the sign-up process.

The malicious activity began on October 31, one day after the vulnerability was publicly disclosed. Wordfence, the security scanner from Defiant, has already blocked more than 48,400 exploit attempts.

King Addons is a third-party add-on for Elementor, a popular visual page builder plugin for WordPress. It is installed on roughly 10,000 websites and provides additional widgets, templates, and features.

CVE-2025-8489 was discovered by researcher Peter Thaleikis. It lies in the plugin's registration handler, which lets the person signing up specify their own user role, including administrator, with no restriction.

According to Wordfence, attackers send a crafted request to 'admin-ajax.php' containing 'user_role=administrator' to create rogue administrator accounts on targeted sites.

[Figure: malicious registration request. Source: Wordfence]
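The bug class described above, as an added illustrative example that is not King Addons' own code: an AJAX registration handler that copies a client-supplied role into wp_insert_user(), beside a hardened version that decides the role server-side. The action names ('example_register_*'), the nonce action 'example_register', and the form field names are assumptions.

```php
<?php
// Added illustrative example, not code from King Addons. Action, nonce and
// field names are assumptions. Both handlers are reachable by logged-out
// visitors (wp_ajax_nopriv_*), which is what a registration endpoint needs.

// VULNERABLE: the role is read from the request and handed to wp_insert_user().
// A visitor who posts user_role=administrator becomes an administrator.
add_action( 'wp_ajax_nopriv_example_register_vulnerable', function () {
    $userdata = array(
        'user_login' => sanitize_user( wp_unslash( $_POST['username'] ?? '' ) ),
        'user_email' => sanitize_email( wp_unslash( $_POST['email'] ?? '' ) ),
        'user_pass'  => (string) ( $_POST['password'] ?? '' ),
        // Sanitising the string does not help: 'administrator' survives intact.
        'role'       => sanitize_text_field( wp_unslash( $_POST['user_role'] ?? 'subscriber' ) ),
    );
    $user_id = wp_insert_user( $userdata );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message() );
    }
    wp_send_json_success( array( 'user_id' => $user_id ) );
} );

// HARDENED: a self-registering visitor can only receive a role from a short,
// code-defined allowlist of low-privilege roles. Privileged roles are never in
// that list, so the request cannot name one, and the site's default role is
// only honoured when it is itself allowlisted.
add_action( 'wp_ajax_nopriv_example_register_hardened', function () {
    check_ajax_referer( 'example_register', 'nonce' );      // CSRF protection; nonce action is assumed

    if ( ! get_option( 'users_can_register' ) ) {
        wp_send_json_error( 'Registration is disabled.', 403 );
    }

    $allowed_self_roles = array( 'subscriber' );           // extend only with non-privileged roles
    $requested = sanitize_key( wp_unslash( $_POST['user_role'] ?? '' ) );
    $default   = get_option( 'default_role', 'subscriber' );

    if ( in_array( $requested, $allowed_self_roles, true ) ) {
        $role = $requested;
    } elseif ( in_array( $default, $allowed_self_roles, true ) ) {
        $role = $default;
    } else {
        $role = 'subscriber';                               // never trust a misconfigured default
    }

    $userdata = array(
        'user_login' => sanitize_user( wp_unslash( $_POST['username'] ?? '' ), true ),
        'user_email' => sanitize_email( wp_unslash( $_POST['email'] ?? '' ) ),
        'user_pass'  => (string) ( $_POST['password'] ?? '' ),
        'role'       => $role,
    );
    $user_id = wp_insert_user( $userdata );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message() );
    }
    wp_send_json_success( array( 'user_id' => $user_id ) );
} );
```

The point of the hardened variant is that the request selects from an allowlist rather than supplying a value: even if a future change adds more self-service roles, 'administrator' cannot reach wp_insert_user() unless a developer deliberately puts it in the list.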

Exploitation peaked between November 9 and 10, with two IP addresses, 45.61.157.120 and 2602:fa59:3:424::1, responsible for most of the activity.

Wordfence recommends that website administrators check their access logs for requests from these IP addresses and watch for newly created administrator accounts, both of which are indicators of compromise.
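One way to act on the second indicator, as an added example that is not from the article or from Wordfence: a small must-use plugin that logs every grant of the administrator role and can list administrators registered since a given date. Drop it in wp-content/mu-plugins/. The function names and the '[admin-audit]' log prefix are assumptions; the WordPress hooks and classes used are real.

```php
<?php
// Added example (not the article's or Wordfence's code). Function names and the
// log prefix are assumptions. Place in wp-content/mu-plugins/ so it loads
// before ordinary plugins and cannot be deactivated from the dashboard.

// 1) Record every grant of the administrator role. WP_User::set_role() fires
//    'set_user_role' (used by wp_insert_user at registration and by profile
//    edits); WP_User::add_role() fires 'add_user_role'. Hooking both catches
//    rogue registrations and later promotions.
function example_audit_role_grant( $user_id, $role, $old_roles = array() ) {
    if ( 'administrator' !== $role ) {
        return;
    }
    $user = get_userdata( $user_id );
    error_log( sprintf(
        '[admin-audit] administrator role granted: id=%d login=%s email=%s remote=%s uri=%s old_roles=%s',
        (int) $user_id,
        $user ? $user->user_login : '?',
        $user ? $user->user_email : '?',
        $_SERVER['REMOTE_ADDR'] ?? '-',
        $_SERVER['REQUEST_URI'] ?? '-',
        implode( ',', (array) $old_roles )
    ) );
}
add_action( 'set_user_role', 'example_audit_role_grant', 10, 3 );
add_action( 'add_user_role', 'example_audit_role_grant', 10, 2 );

// 2) Point-in-time check: administrators whose accounts were registered on or
//    after a cutoff. user_registered is stored in UTC, so compare in UTC.
//    Run with WP-CLI:
//      wp eval 'print_r( example_admins_registered_since( "2025-10-30" ) );'
function example_admins_registered_since( string $since ): array {
    $cutoff = strtotime( $since . ' UTC' );
    $query  = new WP_User_Query( array(
        'role'   => 'administrator',
        'number' => -1,
        'fields' => array( 'ID', 'user_login', 'user_email', 'user_registered' ),
    ) );

    $hits = array();
    foreach ( $query->get_results() as $u ) {
        if ( strtotime( $u->user_registered . ' UTC' ) >= $cutoff ) {
            $hits[] = array(
                'ID'         => (int) $u->ID,
                'login'      => $u->user_login,
                'email'      => $u->user_email,
                'registered' => $u->user_registered,
            );
        }
    }
    return $hits;
}
```

The hook-based log entry includes the remote address and request URI at the moment the role was granted, which is exactly what is needed to correlate a rogue account with the 'admin-ajax.php' request in the web server log.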

Website owners should upgrade to King Addons version 51.1.35, released on September 25, which patches CVE-2025-8489.

Wordfence researchers also warn of a separate critical vulnerability in the Advanced Custom Fields: Extended plugin, active on more than 100,000 WordPress websites, that an unauthenticated attacker can exploit to execute code remotely.

The vulnerability, tracked as CVE-2025-13486, affects versions 0.9.0.5 through 0.9.1.1 of the plugin and was responsibly reported by Marcin Dudek, head of Poland's national computer emergency response team (CERT).

Wordfence explains that the plugin passes user-controlled input to call_user_func_array(), which lets an unauthenticated attacker choose the function the server invokes and thereby execute arbitrary code.
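The generic bug class behind that description, as an added illustrative example that is not ACF Extended's code: an AJAX endpoint that lets the request name the callable and its arguments, beside a hardened dispatcher where the request can only select a key from a fixed table and every argument is built server-side. The action names, the 'op' and 'field' parameters, the nonce action 'example_dispatch', and the two lookup functions are assumptions.

```php
<?php
// Added illustrative example; NOT code from Advanced Custom Fields: Extended.
// Action, parameter and function names are assumptions. It shows the generic
// pattern the article describes: request-supplied input reaching
// call_user_func_array() as the callable.

// VULNERABLE: the client controls both the callable and its argument list.
// Against this illustrative handler a single unauthenticated request such as
//   action=example_dispatch_vulnerable&callback=system&args[]=id
// would run a shell command, because call_user_func_array() will invoke any
// named PHP function.
add_action( 'wp_ajax_nopriv_example_dispatch_vulnerable', function () {
    $callback = (string) ( $_REQUEST['callback'] ?? '' );
    $args     = (array) ( $_REQUEST['args'] ?? array() );
    $result   = call_user_func_array( $callback, $args );   // arbitrary function execution
    wp_send_json_success( $result );
} );

// HARDENED: the request selects a key; the key-to-callable map lives in code;
// arguments are validated scalars assembled here, never an array from the
// client; and the endpoint requires a logged-in user, a capability, and a nonce.
function example_dispatch_table(): array {
    return array(
        'field_choices' => 'example_field_choices',
        'field_exists'  => 'example_field_exists',
    );
}

function example_field_choices( string $field_key ): array {
    // Hypothetical lookup; a real plugin would consult its field store here.
    return array( 'field' => $field_key, 'choices' => array() );
}

function example_field_exists( string $field_key ): bool {
    return '' !== $field_key;
}

add_action( 'wp_ajax_example_dispatch_hardened', function () {   // no _nopriv variant: login required
    check_ajax_referer( 'example_dispatch', 'nonce' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'Forbidden', 403 );
    }

    $key   = sanitize_key( wp_unslash( $_POST['op'] ?? '' ) );
    $table = example_dispatch_table();
    if ( ! isset( $table[ $key ] ) ) {
        wp_send_json_error( 'Unknown operation', 400 );   // anything not in the table is rejected
    }

    $field_key = sanitize_key( wp_unslash( $_POST['field'] ?? '' ) );
    $result    = call_user_func_array( $table[ $key ], array( $field_key ) );
    wp_send_json_success( $result );
} );
```

Note that call_user_func_array() itself is not the problem; the problem is the provenance of its first argument. Once the callable can only come from a table defined in the plugin's own source, the worst a malformed request can do is select a different entry in that table.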

The issue was disclosed on November 18, and the vendor fixed it in Advanced Custom Fields: Extended version 0.9.2.

Because the flaw can be exploited without authentication through a single crafted request, site owners should update to the latest version immediately or disable the plugin until they can.
