Critical Privilege Escalation and File Upload Vulnerabilities in King Addons for Elementor
More than 10,000 WordPress sites using the King Addons for Elementor plugin are at risk of total site compromise due to two critical vulnerabilities. The first flaw, an unauthenticated privilege escalation (CVE-2025-8489), allows attackers to register new accounts with administrator privileges by exploiting improper role restrictions in plugin versions 24.12.92 through 51.1.14. The second vulnerability, an unauthenticated arbitrary file upload (CVE-2025-6327), enables attackers to inject malicious files into various directories by abusing an AJAX handler's exposed nonce, further increasing the risk of site takeover.
Security researchers from Patchstack and Wordfence have confirmed that both vulnerabilities are remotely exploitable and require no authentication, making them highly attractive targets for threat actors. Site administrators are strongly urged to update to patched versions of the plugin, which now include a role allowlist, improved input sanitization for account creation, and stricter file type validation in the upload handler. Immediate patching is recommended to prevent exploitation and potential full compromise of affected WordPress sites.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
1 event from the most recent confirmed update back to the earliest known activity.
Critical King Addons privilege-escalation flaw disclosed as CVE-2025-8489
A critical unauthenticated privilege-escalation vulnerability affecting the King Addons for Elementor WordPress plugin was publicly disclosed as CVE-2025-8489. The issue impacts versions from 24.12.92 through 51.1.14 and could affect thousands of websites using the extension.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
CVE-2025-8489 - King Addons for Elementor – Free Elements, Widgets, Templates, and Features for Elementor 24.12.92 - 51.1.14 - Unauthenticated Privilege Escalation
cvefeed.io
Open sourceThousands of websites impacted by critical Elementor King Addons extension flaws
scworld.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Privilege Escalation Vulnerability in King Addons for Elementor Exploited
A critical privilege escalation vulnerability (CVE-2025-8489) in the King Addons for Elementor WordPress plugin has been actively exploited by attackers. The flaw, present in versions 24.12.92 through 51.1.14, allows unauthenticated users to register as administrators by specifying the `administrator` role during the registration process via a crafted request to the `admin-ajax.php` endpoint. This vulnerability, discovered by Peter Thaleikis and patched in version 51.1.35 on September 25, 2025, affects over 10,000 active installations. Wordfence has reported blocking more than 48,400 exploit attempts since the public disclosure, with mass exploitation beginning in early November 2025. Attackers have used several IP addresses, with two being particularly active, to create rogue admin accounts and potentially seize control of vulnerable sites. Successful exploitation enables attackers to upload malicious code, deliver malware, redirect visitors, or inject spam into compromised sites. Security researchers recommend that website owners upgrade to the patched version immediately and check for unauthorized administrator accounts as a sign of compromise. Wordfence has provided a list of offensive IP addresses for administrators to monitor in their logs. The incident highlights the ongoing risk posed by third-party WordPress plugins and the importance of timely patching and monitoring for suspicious activity.
Mar 21, 2026
Critical WordPress Plugin Flaws Expose Sites to File Upload, SQL Injection, and Takeover
Multiple **WordPress plugins** were flagged for severe vulnerabilities that could let attackers take over sites through unauthenticated file upload, SQL injection, arbitrary file deletion, and authorization bypass. References point to issues in plugins including **WP Duplicate**, **Ninja Forms File Upload**, **Ultimate Member**, **Product Addons for WooCommerce**, **CleanTalk Spam Protect**, **Ally**, **Perfmatters**, and **Kali Forms**, alongside identifiers such as **`CVE-2024-48930`**, **`CVE-2025-13192`**, and **`CVE-2026-1104`**. Several flaws were described as allowing arbitrary plugin installation, malicious file upload, or direct database manipulation, creating a path to remote code execution and full site compromise. Wordfence reports indicate the exposure spans **hundreds of thousands of WordPress sites**, with some bugs already under **active exploitation**. The most serious cases include an unauthenticated SQL injection flaw in the **Ally** plugin affecting roughly **400,000 sites**, an arbitrary file deletion issue in **Perfmatters** affecting about **200,000 sites**, and active attacks targeting a critical flaw in **Kali Forms**. Taken together, the disclosures show a broad wave of high-impact plugin security failures that increase the risk of website defacement, malware deployment, data theft, and administrator-level compromise across the WordPress ecosystem.
May 25, 2026
Critical WordPress Plugin Flaws Expose Sites to RCE and Privilege Escalation
Two high-severity vulnerabilities have been disclosed in widely deployed WordPress plugins, exposing internet-facing sites to **unauthenticated compromise**. `CVE-2026-3584` affects **Kali Forms** through version `2.4.9` and allows **remote code execution** because user-controlled input can be mapped into internal placeholder storage and later invoked via `call_user_func` in the `form_process` path. The issue is classified as `CWE-94` and carries a `CVSS 3.1` score with the vector `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`, indicating critical impact on confidentiality, integrity, and availability. A second flaw, `CVE-2026-4038`, affects **Aimogen Pro** through version `2.7.5` and enables **unauthenticated privilege escalation** through an arbitrary function call in `aiomatic_call_ai_function_realtime` caused by a missing capability check. According to the disclosure, attackers can invoke WordPress functions such as `update_option` to change the default registration role to administrator and enable user registration, effectively creating a path to full site takeover. The vulnerability is tracked as `CWE-862` and was likewise rated with a high-impact `CVSS 3.1` vector of `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`.
Mar 21, 2026