
Critical Elementor Flaw Lets Attackers Take Over WordPress Admin

Severity

High

Analysis Summary

A critical security flaw in the popular King Addons for Elementor WordPress plugin has put thousands of websites at risk of complete takeover. Tracked as CVE-2025-8489, the vulnerability allows unauthenticated attackers to register new accounts with full administrator privileges by exploiting an insecure registration function. The flaw affects plugin versions 24.12.92 through 51.1.14, and with over 10,000 active installations, this represents a significant threat to site owners.

The vulnerability occurs because the plugin’s registration code fails to properly restrict which user roles can be assigned during signup. By sending a crafted request to the WordPress admin-ajax.php endpoint with the “user_role” field set to “administrator,” attackers can create an admin-level account without prior authentication. Once obtained, these privileges allow attackers to fully control the website, including installing malicious plugins or themes, modifying content, redirecting visitors, or injecting spam and phishing material.
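The bug class described above is easiest to see side by side. The following is an added illustration written for this page, not code from King Addons or from the advisory: a minimal public AJAX registration handler in the vulnerable shape (role taken from the request) next to a hardened rewrite. The action name `demo_register`, the form field names, the `demo_` function names and the allow-list are all assumptions.

```php
<?php
/**
 * Added illustration, not the plugin's real code: the role-assignment bug
 * class the advisory describes, shown as a vulnerable public AJAX handler
 * and a hardened rewrite. The action name 'demo_register', the field names
 * and every function prefixed demo_ are assumptions.
 */

/* ---- Vulnerable pattern ------------------------------------------------
 * Hooked on wp_ajax_nopriv_*, so it is reachable without a session via
 * POST /wp-admin/admin-ajax.php?action=demo_register. The 'role' handed to
 * wp_insert_user() is whatever the client put in user_role.
 */
function demo_register_vulnerable() {
    $login = sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ) );
    $email = sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) );
    $pass  = (string) wp_unslash( $_POST['user_pass'] ?? '' );
    $role  = sanitize_text_field( wp_unslash( $_POST['user_role'] ?? 'subscriber' ) );

    $user_id = wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => $pass,
        'role'       => $role, // attacker-controlled: user_role=administrator works
    ) );

    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 400 );
    }
    wp_send_json_success( array( 'user_id' => $user_id ) );
}
add_action( 'wp_ajax_nopriv_demo_register', 'demo_register_vulnerable' );

/* ---- Hardened pattern --------------------------------------------------
 * The client never chooses the role. The role comes from site configuration
 * and is then checked against a short allow-list, so even a misconfigured
 * default_role cannot hand out administrator through this path.
 */
function demo_register_fixed() {
    if ( ! get_option( 'users_can_register' ) ) {
        wp_send_json_error( 'Registration is disabled.', 403 );
    }
    // Public forms still carry a nonce; it stops blind cross-site posting.
    check_ajax_referer( 'demo_register', 'nonce' );

    $login = sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ), true );
    $email = sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) );
    $pass  = (string) wp_unslash( $_POST['user_pass'] ?? '' );

    if ( '' === $login || ! is_email( $email ) || strlen( $pass ) < 12 ) {
        wp_send_json_error( 'Invalid registration data.', 400 );
    }

    // A client that tries to pick its own role is a signal worth logging.
    if ( isset( $_POST['user_role'] ) ) {
        error_log( sprintf(
            'demo_register: ignored client-supplied user_role=%s from %s',
            sanitize_text_field( wp_unslash( $_POST['user_role'] ) ),
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
        ) );
    }

    $allowed = array( 'subscriber' );               // assumption: the only self-service role
    $role    = get_option( 'default_role', 'subscriber' );
    if ( ! in_array( $role, $allowed, true ) ) {
        $role = 'subscriber';
    }

    $user_id = wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => $pass,
        'role'       => $role,
    ) );

    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 400 );
    }
    wp_send_json_success( array( 'user_id' => $user_id ) );
}
// At the hook level the fix is just pointing the public action at the safe callback.
remove_action( 'wp_ajax_nopriv_demo_register', 'demo_register_vulnerable' );
add_action( 'wp_ajax_nopriv_demo_register', 'demo_register_fixed' );
```

The point of the allow-list in the hardened version is that "use the configured default role" is not enough on its own: `default_role` is an option an earlier compromise (or a careless admin) can set to `administrator`, so an unauthenticated path should cap the role it can ever assign regardless of configuration. The `error_log` call is there because a `user_role` field arriving on a form that has no such control is exactly the request shape the advisory describes, and is worth alerting on even after patching.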

The flaw carries a Critical CVSS rating, and the plugin developer released a patched version, 51.1.35, on September 25th, 2025. Security firm Wordfence deployed firewall rules to block attacks, first for premium users on August 4th and then for free users on September 3rd, 2025. Attackers nonetheless began exploiting the bug after public disclosure on October 30th, 2025, with Wordfence reporting over 48,400 blocked attempts, most of them originating from a handful of IP addresses, including 45.61.157.120 and 2602:fa59:3:424::1.

Website owners using affected versions are strongly urged to update to version 51.1.35 or later immediately, check for any unknown administrator accounts, and monitor server and access logs for activity from known malicious IPs. Suspicious changes to content, plugins, or themes should be investigated promptly. For sites suspected of compromise, professional incident response and cleanup services are recommended to mitigate potential damage and prevent further unauthorized access.

Impact

  • Unauthenticated Privilege Escalation
  • Complete Site Takeover

Indicators of Compromise

CVE

  • CVE-2025-8489

Affected Vendors

King Addons (King Addons for Elementor WordPress plugin)

Remediation

  • Upgrade King Addons for Elementor to version 51.1.35 or later to patch the vulnerability.
  • Check for unknown or suspicious admin accounts and remove any unauthorized users.
  • Monitor server and access logs for requests from known malicious IPs, including 45.61.157.120, 2602:fa59:3:424::1, 182.8.226.228, 138.199.21.230, and 206.238.221.25.
  • Look for unusual changes to pages, posts, themes, or plugins that could indicate compromise.
  • Use firewall rules to block exploit attempts targeting this vulnerability.
  • Ensure all site admins follow best security practices, including strong passwords and limited access.
  • If compromise is suspected, engage professional incident response and cleanup services immediately.
  • Maintain up-to-date backups to allow recovery in case of a successful attack.
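Checking for rogue administrator accounts, the second remediation step above, is quick to do from the command line. The script below is an added example for this page, not a tool shipped by the advisory or the plugin vendor; it runs inside the site through WP-CLI's `eval-file` command and only reports, it does not delete anything. The positional arguments (a registration cut-off date and a trusted e-mail domain) and the default cut-off of August 4th, 2025 (the date the first firewall rules went live) are assumptions you should adjust to your own environment.

```php
<?php
/**
 * Added illustration, not from the advisory: audit administrator accounts
 * after a suspected CVE-2025-8489 exposure. Run inside the site with WP-CLI:
 *
 *   wp eval-file audit-admins.php 2025-08-04 example.com
 *
 * Positional arguments (exposed as $args by eval-file) are assumptions for
 * this example: a registration cut-off date and one trusted e-mail domain.
 */
$cutoff  = isset( $args[0] ) ? $args[0] : '2025-08-04';
$trusted = isset( $args[1] ) ? strtolower( $args[1] ) : '';

$admins = get_users( array(
    'role'    => 'administrator',
    'orderby' => 'registered',
    'order'   => 'DESC',
) );

WP_CLI::log( sprintf( '%d administrator account(s) found', count( $admins ) ) );
$suspicious = 0;

foreach ( $admins as $user ) {
    $flags  = array();
    $domain = strtolower( substr( strrchr( $user->user_email, '@' ), 1 ) );

    // user_registered is 'Y-m-d H:i:s', so a lexical compare against a
    // 'Y-m-d' cut-off means "on or after that day".
    if ( strcmp( $user->user_registered, $cutoff ) >= 0 ) {
        $flags[] = 'registered>=' . $cutoff;
    }
    // An administrator whose mailbox is outside your organisation is worth a look.
    if ( '' !== $trusted && $domain !== $trusted ) {
        $flags[] = 'domain=' . $domain;
    }

    $line = sprintf(
        '%5d  %-24s %-32s %s',
        $user->ID, $user->user_login, $user->user_email, $user->user_registered
    );
    if ( $flags ) {
        $suspicious++;
        WP_CLI::warning( $line . '  [' . implode( ', ', $flags ) . ']' );
    } else {
        WP_CLI::log( $line );
    }
}

WP_CLI::log( sprintf( '%d account(s) flagged for review', $suspicious ) );
```

Anything flagged should be confirmed against your own records before removal; when you do remove an account, `wp user delete <id> --reassign=<trusted-admin-id>` keeps any content the rogue account created attached to a legitimate owner so that pages or posts it planted do not silently vanish from the audit trail. Pair this with a review of the web server access log for POST requests to `/wp-admin/admin-ajax.php` from the IP addresses listed above, since the request body that carries `user_role=administrator` is usually not logged and the source address plus endpoint is what you can still see.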