Privilege Escalation Vulnerability in King Addons for Elementor Exploited
A critical privilege escalation vulnerability (CVE-2025-8489) in the King Addons for Elementor WordPress plugin has been actively exploited by attackers. The flaw, present in versions 24.12.92 through 51.1.14, allows unauthenticated users to register as administrators by specifying the administrator role during the registration process via a crafted request to the admin-ajax.php endpoint. This vulnerability, discovered by Peter Thaleikis and patched in version 51.1.35 on September 25, 2025, affects over 10,000 active installations. Wordfence has reported blocking more than 48,400 exploit attempts since the public disclosure, with mass exploitation beginning in early November 2025. Attackers have used several IP addresses, with two being particularly active, to create rogue admin accounts and potentially seize control of vulnerable sites.
Successful exploitation enables attackers to upload malicious code, deliver malware, redirect visitors, or inject spam into compromised sites. Security researchers recommend that website owners upgrade to the patched version immediately and check for unauthorized administrator accounts as a sign of compromise. Wordfence has provided a list of offending IP addresses for administrators to look for in their logs. The incident highlights the ongoing risk posed by third-party WordPress plugins and the importance of timely patching and monitoring for suspicious activity.
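
An added example (not code from Wordfence or the plugin vendor) of the two checks recommended above: it classifies an installed plugin version against the stated range and lists administrator accounts missing from an allowlist, marking those registered on or after October 31, 2025. It assumes a CSV export from WP-CLI (`wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=csv`); the sample rows, the allowlist and the function names are constructed for illustration.

```python
import csv
import io
from datetime import datetime

# Version range, fixed release and first attack date as stated in the text above.
AFFECTED_MIN, AFFECTED_MAX = (24, 12, 92), (51, 1, 14)
FIRST_PATCHED = (51, 1, 35)
EXPLOITATION_START = datetime(2025, 10, 31)

# Constructed sample of the WP-CLI CSV export; not real site data.
SAMPLE_EXPORT = """ID,user_login,user_email,user_registered
1,siteowner,owner@example.com,2023-02-14 09:30:00
7,editor_jane,jane@example.com,2024-06-01 12:00:00
42,wp_support_x,x@example.net,2025-11-09 03:14:22
"""


def plugin_status(version_text):
    """Classify an installed plugin version against the advisory's numbers."""
    version = tuple(int(part) for part in version_text.strip().split("."))
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "vulnerable"
    if version >= FIRST_PATCHED:
        return "patched"
    return "not-listed"  # the text gives no verdict for this version; upgrade


def unexpected_admins(csv_text, known_admins, since=EXPLOITATION_START):
    """Return administrator rows missing from the allowlist, newest first."""
    allow = {name.lower() for name in known_admins}
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        login = row["user_login"].strip()
        if login.lower() in allow:
            continue
        registered = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        findings.append({
            "login": login,
            "email": row["user_email"],
            "registered": registered,
            # True when the account appeared after attacks were first observed.
            "in_exploit_window": registered >= since,
        })
    return sorted(findings, key=lambda f: f["registered"], reverse=True)


if __name__ == "__main__":
    print("plugin 51.1.14:", plugin_status("51.1.14"))
    for hit in unexpected_admins(SAMPLE_EXPORT, {"siteowner"}):
        print(hit["login"], hit["registered"], hit["in_exploit_window"])
```

An account outside the exploitation window is still reported, since any administrator missing from the allowlist deserves review.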

How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Wordfence reports 48,400+ blocked exploit attempts
By early December, Wordfence disclosed that it had blocked more than 48,400 attempts to exploit CVE-2025-8489 since October 31. The company also published indicators of compromise, including attacker IP addresses, and warned site owners to audit for suspicious administrator accounts.
Mass exploitation of King Addons vulnerability peaks
Exploit activity against vulnerable King Addons installations surged around November 9–10, with Wordfence reporting this as the main peak period. Two IP addresses were said to account for most of the observed attack volume.
Attackers begin exploiting King Addons flaw in the wild
Threat actors started exploiting CVE-2025-8489 to create rogue administrator accounts on vulnerable WordPress sites via crafted admin-ajax.php requests. Wordfence said it observed attacks beginning on October 31, 2025.
Public disclosure of CVE-2025-8489 precedes exploitation
CVE-2025-8489, a critical privilege-escalation flaw in King Addons for Elementor, was publicly disclosed, revealing that crafted AJAX registration requests could assign the administrator role. Reporting indicates exploitation began one day after this disclosure.
Vendor releases patch for King Addons privilege-escalation flaw
The King Addons for Elementor plugin vendor released a fix for CVE-2025-8489 in version 51.1.35, addressing an improper role restriction issue that let unauthenticated users register as administrators. Affected versions were reported as 24.12.92 through 51.1.14.
Sources
King Addons vulnerability CVE-2025-8489 for Elementor Plugin
thecyberthrone.in
WordPress King Addons Flaw Under Active Attack Lets Hackers Make Admin Accounts
thehackernews.com
Critical flaw in WordPress add-on for Elementor exploited in attacks
bleepingcomputer.com
King Addons flaw lets anyone become WordPress admin
securityaffairs.com


