CVSS 9.8 (Critical)

CVE-2025-8489: King Addons for Elementor Unauthenticated Privilege Escalation

Overview

  • CVE: CVE-2025-8489
  • Plugin: King Addons for Elementor
  • Affected Versions: 24.12.92 through 51.1.14
  • Patched Version: 51.1.35
  • CVSS: 9.8 (Critical)
  • Authentication: None required (unauthenticated attack)
  • Type: Privilege Escalation (Arbitrary Role Assignment on User Registration)
  • Active Installs: ~10,000
  • Exploitation Status: Confirmed. Mass exploitation began November 9, 2025. Wordfence blocked over 48,400 attempts. A Metasploit module (PR #20746) was also published.

A critical vulnerability in King Addons for Elementor allows any unauthenticated attacker to create a WordPress administrator account by including a single extra parameter in a registration request. The exploit requires no credentials, no prior access, and no specialized tooling — just appending role=administrator to a standard registration form submission. With a Metasploit module publicly available and confirmed mass exploitation ongoing through December 2025, this vulnerability represents exactly the class of threat that causes real-world site compromises at scale.

What Happened

King Addons for Elementor is a feature-extension plugin for the Elementor page builder, providing additional widgets, templates, and form capabilities including front-end user registration forms. The vulnerability resided in the user registration handler that processed these form submissions to create new WordPress accounts.

When the plugin received a registration request, it extracted form field values from the POST body and passed them directly to WordPress's wp_insert_user() function. Critically, the role parameter was included in this data without any server-side validation or sanitization against an allowlist.

WordPress core's wp_insert_user() function trusts the role value it receives. In a secure implementation, the calling code is responsible for ensuring that value is restricted to safe options. King Addons performed no such restriction. The function received whatever the client sent, including administrator, and created the account accordingly.

The correct behavior would be for the registration handler to either hardcode the role to a safe default such as subscriber, or validate the submitted role against an explicit allowlist of permissible values. Neither check existed prior to version 51.1.35.

How the Attack Works

The attack completes in a single HTTP request. An attacker identifies any page on the target site hosting a King Addons front-end registration form and submits the following payload:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: target-site.com
Content-Type: application/x-www-form-urlencoded

action=king_register_user&user_login=attacker&user_email=attacker%40evil.com&user_pass=P%40ssw0rd123&role=administrator

Alternatively, the request can be directed at the registration page endpoint directly:

POST /register/ HTTP/1.1
Host: target-site.com
Content-Type: application/x-www-form-urlencoded

user_login=attacker&user_email=attacker%40evil.com&user_pass=P%40ssw0rd123&role=administrator&_wpnonce=...

The server-side processing that made this possible looked conceptually like the following:

// Vulnerable code pattern (pre-fix)
$user_data = array(
    'user_login' => sanitize_user( $_POST['user_login'] ),
    'user_email' => sanitize_email( $_POST['user_email'] ),
    'user_pass'  => $_POST['user_pass'],
    'role'       => $_POST['role'], // No validation performed
);
$user_id = wp_insert_user( $user_data );

Because wp_insert_user() trusts its caller, a valid role name in the role key is accepted without question. From WordPress core's perspective, this is a legitimate request. The plugin was solely responsible for restricting what role names were permissible, and it abdicated that responsibility entirely.
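For contrast, here is what a hardened version of the same handler looks like. This is an added example written for this article, not King Addons' own code or its actual patch: the AJAX action name, nonce action and the two-entry role allowlist are assumptions. The role is taken from the site's configured default (itself checked against the allowlist), a client-supplied role is honoured only if it is on the allowlist, and everything else falls back to the safe default, so role=administrator in the request body has no effect.

```php
<?php
// Added example, not the plugin's code. Hook name, nonce action and the
// allowlist contents are assumptions for illustration.
add_action( 'wp_ajax_nopriv_example_register_user', 'example_register_user' );

function example_register_user() {
    // Reject requests that do not carry a valid registration nonce.
    check_ajax_referer( 'example_register', '_wpnonce' );

    // Roles a self-registering visitor may ever receive. 'administrator'
    // is never in this list, whatever the form submits.
    $allowed_roles = array( 'subscriber', 'contributor' );

    // The default comes from the site's own setting, not from the request,
    // and is itself validated against the allowlist (an admin could have
    // set default_role to something privileged).
    $default_role = get_option( 'default_role', 'subscriber' );
    if ( ! in_array( $default_role, $allowed_roles, true ) ) {
        $default_role = 'subscriber';
    }

    $role = $default_role;
    // A requested role is accepted only on a strict allowlist match;
    // anything else (including 'administrator') silently keeps the default.
    if ( isset( $_POST['role'] ) ) {
        $requested = sanitize_key( wp_unslash( $_POST['role'] ) );
        if ( in_array( $requested, $allowed_roles, true ) ) {
            $role = $requested;
        }
    }

    $user_data = array(
        'user_login' => sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ), true ),
        'user_email' => sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) ),
        'user_pass'  => (string) wp_unslash( $_POST['user_pass'] ?? '' ),
        'role'       => $role, // server-decided, never raw client input
    );

    if ( '' === $user_data['user_login']
        || ! is_email( $user_data['user_email'] )
        || '' === $user_data['user_pass'] ) {
        wp_send_json_error( array( 'message' => 'Invalid registration data.' ), 400 );
    }

    $user_id = wp_insert_user( $user_data );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( array( 'message' => $user_id->get_error_message() ), 400 );
    }

    wp_send_json_success( array( 'user_id' => $user_id ) );
}
```

The essential change is the single line that builds 'role': it is assigned from a server-side decision, and the only way client input reaches it is through a strict in_array() check against a list that cannot contain a privileged role. If the form has no legitimate reason to offer a role choice at all, drop the isset($_POST['role']) branch entirely and pass $default_role unconditionally, which is the behaviour the article describes for the patched release.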

The simplicity of this attack was precisely what led to its inclusion in the Metasploit Framework (PR #20746). Metasploit is the dominant tool for automated penetration testing and, in adversarial contexts, for scripted mass exploitation. A Metasploit module reduces the barrier to attack from "write an HTTP request" to "run one command." Combined with automated site discovery tools that scan for Elementor-based sites and identify the King Addons plugin, attackers were able to target thousands of sites with minimal effort.

Real-World Impact

Wordfence's telemetry recorded over 48,400 blocked exploitation attempts beginning November 9, 2025 — the date mass exploitation began. This figure represents only attacks against sites protected by Wordfence's firewall. The total volume of exploitation attempts across all WordPress sites in the affected version range was substantially higher.

Attacks were observed continuing through December 2025, targeting sites that had not yet applied the patch. The Metasploit module's availability meant the exploitation campaigns were sustained and automated rather than isolated incidents.

An attacker who successfully creates an administrator account can:

  • Upload PHP backdoor files via the media library or theme/plugin editor, establishing persistent access that survives a plugin patch or even deletion
  • Modify or delete all site content, including posts, pages, and custom post types
  • Harvest registered user data: email addresses, usernames, and hashed passwords
  • Access WooCommerce order histories, customer addresses, and any stored payment metadata
  • Embed malicious JavaScript to perform drive-by attacks against site visitors
  • Register the site as a command-and-control node for further attacks against other infrastructure

The attack blends in well because it uses the standard user registration endpoint. Web server access logs record nothing unusual — a POST request to a registration endpoint is indistinguishable from a legitimate sign-up unless the user list is being actively monitored for unexpected administrator accounts.

Fix and Lessons

Fix: Update King Addons for Elementor to version 51.1.35 or later. The patched version enforces a server-side role restriction on the registration handler, ensuring the assigned role is always capped at the configured safe default regardless of what the request body contains. Any role value submitted by the client is ignored.

Immediate response checklist:

  1. Update the plugin to version 51.1.35 or later immediately.
  2. Audit the WordPress user list (Users > All Users, filtered to Administrator) for any accounts you did not create.
  3. For each suspicious account, record the registration date and any associated IP address from server logs, then revoke the account.
  4. Search wp-content/uploads/ and subdirectories for .php files — these are the most common locations for dropped backdoors.
  5. Verify that theme files and active plugin files have not been modified since the compromise window.
  6. If you find evidence of a backdoor, treat the entire site as compromised and restore from a pre-compromise backup rather than attempting to clean in place.
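The following must-use plugin is an added example for the checklist above; it is not part of King Addons, Wordfence or WordPress core, and the alerted role list, the log destination and the function names are assumptions. It does three things: raises an alert the moment any freshly registered account carries a privileged role (the monitoring the article says is otherwise absent from access logs), lists administrators registered on or after a given date for steps 2 and 3, and walks wp-content/uploads/ for PHP files for step 4.

```php
<?php
/**
 * Plugin Name: Example privileged-account monitor
 * Description: Added example for incident triage, not part of King Addons.
 * Place in wp-content/mu-plugins/ so it loads before ordinary plugins.
 */

// 1. Alert as soon as a newly registered user holds a privileged role.
//    The role list and the email/error_log destinations are assumptions.
add_action( 'user_register', 'example_alert_on_privileged_registration', 10, 1 );

function example_alert_on_privileged_registration( $user_id ) {
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return;
    }
    $privileged = array( 'administrator', 'editor' );
    $hits       = array_intersect( $user->roles, $privileged );
    if ( empty( $hits ) ) {
        return;
    }
    $ip  = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'unknown';
    $msg = sprintf(
        'Privileged account created: ID %d, login "%s", roles [%s], email %s, source IP %s, UTC %s',
        $user_id,
        $user->user_login,
        implode( ',', $hits ),
        $user->user_email,
        $ip,
        current_time( 'mysql', true )
    );
    error_log( $msg ); // lands in the PHP error log, which the web access log never shows
    wp_mail( get_option( 'admin_email' ), 'Privileged account created on ' . home_url(), $msg );
}

// 2. Checklist steps 2-3: administrators registered on or after a date.
//    Default is the date the article gives for the start of mass exploitation.
function example_list_admins_registered_after( $since = '2025-11-09' ) {
    $query = new WP_User_Query( array(
        'role'       => 'administrator',
        'date_query' => array( array( 'after' => $since, 'inclusive' => true ) ),
        'fields'     => array( 'ID', 'user_login', 'user_email', 'user_registered' ),
        'orderby'    => 'registered',
        'order'      => 'ASC',
    ) );
    return $query->get_results();
}

// 3. Checklist step 4: PHP-executable files under the uploads tree, which
//    should contain none. Also catches .phtml/.phar/.php5 variants.
function example_find_php_in_uploads() {
    $base  = wp_upload_dir()['basedir'];
    $found = array();
    $iter  = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $base, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $iter as $file ) {
        if ( preg_match( '/\.ph(p[0-9]?|tml|ar)$/i', $file->getFilename() ) ) {
            $found[] = $file->getPathname();
        }
    }
    return $found;
}
```

With WP-CLI available, the two audit helpers can be run without touching the admin UI, for example wp eval 'print_r( example_list_admins_registered_after() );' and wp eval 'print_r( example_find_php_in_uploads() );'. Treat any hit from either as a reason to follow step 6 rather than to clean in place: an unexpected administrator created on or after the exploitation start date, or any PHP file under uploads, is evidence of compromise, not a finding to tidy up.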

Development lessons:

  1. The client cannot decide its own privilege level: Any field that influences the role, capability, or permission level of a newly created entity must be determined by the server, not accepted from client input. There is no valid use case in which an unauthenticated user should specify their own WordPress role.

  2. Hardcode or allowlist role assignments: Registration handlers should either hardcode the assigned role as a constant ('subscriber') or validate the input against an explicit list of permissible values using a strict comparison. A single in_array($role, ['subscriber', 'contributor'], true) check would have prevented this vulnerability entirely.

  3. Front-end registration forms are the highest-risk attack surface: Any code path reachable by unauthenticated users requires the strictest input validation. Privilege-related fields must never be exposed as form parameters, regardless of whether the form UI itself presents them.

  4. A Metasploit module defines the patching deadline as "today": When a vulnerability has a public Metasploit module, the exploitation barrier is effectively zero. CVSS 9.8 alone demands urgent patching; a Metasploit module eliminates any remaining justification for delay.

  5. Plugin version ranges that span years indicate deferred maintenance: The affected range of 24.12.92 through 51.1.14 spans an enormous number of releases. Users running older versions within that range likely had automatic updates disabled. Enabling automatic minor-version updates for security releases is strongly recommended.

Detection with Nyambush

Nyambush scans WordPress sites and detects installed plugins along with their versions. When King Addons for Elementor is detected at a version within the affected range (24.12.92 through 51.1.14), Nyambush flags it as CVE-2025-8489 and reports it as a Critical-severity finding.

Vulnerabilities with a corresponding Metasploit module are tagged in Nyambush's findings to indicate that fully automated exploitation tooling exists. These findings are surfaced with the highest priority and include guidance on immediate remediation steps rather than just a version upgrade recommendation.

Continuous monitoring is especially important for vulnerabilities in this category. For CVE-2025-8489, mass exploitation began within days of initial disclosure, and the exploitation campaign ran for months. Weekly or monthly manual checks are insufficient to catch that window. Scheduled automated scans ensure that a newly disclosed vulnerability is detected and reported at the next scan interval, giving site owners the earliest possible opportunity to patch before attackers arrive.
