Unauthenticated Administrator Account Creation in King Addons for Elementor
CVE-2025-8489 is a critical privilege escalation vulnerability in the King Addons for Elementor WordPress plugin affecting versions 24.12.92 through 51.1.14. The flaw lies in the plugin’s user registration flow: the registration handler, referenced as handle_register_ajax(), is exposed through /wp-admin/admin-ajax.php via the action king_addons_user_register. The vulnerable code trusts a client-supplied user_role parameter during account creation and does not restrict which roles may be assigned. As a result, an unauthenticated attacker can submit a crafted registration request with user_role set to administrator and create an administrator-level account on the target WordPress site.
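Two defender-side checks follow as an added example; this is not code from the plugin, from the Metasploit module, or from Mallory. The first scans a request log for registration calls to the endpoint and action named above that carry a privileged user_role; the second is the assume-compromise step of listing administrator accounts registered inside the exposure window. Assumptions: the request log is JSON lines from a reverse proxy or WAF that records POST form fields (a constructed sample is embedded), and the user export is shaped like the records WP-CLI's `wp user list --format=json` returns (also constructed). The set of roles treated as privileged is an assumption for a site that only intends subscriber self-registration.

```python
"""Defender checks for CVE-2025-8489: request-log detection and admin audit.

Added example for this page; the log format and sample data are constructed.
"""
import json
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Endpoint and action named in the advisory text.
AJAX_PATH = "/wp-admin/admin-ajax.php"
VULN_ACTION = "king_addons_user_register"
# Roles an anonymous signup should never be able to request (assumption:
# the site only intends 'subscriber' for self-registration).
PRIVILEGED_ROLES = {"administrator", "editor", "author", "contributor", "shop_manager"}


def requested_action(record):
    """Return the admin-ajax 'action', whether sent in the body or the query string."""
    form = record.get("form") or {}
    if "action" in form:
        return form["action"]
    query = parse_qs(urlsplit(record.get("uri", "")).query)
    return query.get("action", [None])[0]


def is_role_abuse(record):
    """True when a registration request asks for a privileged user_role."""
    if record.get("method", "").upper() != "POST":
        return False
    if urlsplit(record.get("uri", "")).path != AJAX_PATH:
        return False
    if requested_action(record) != VULN_ACTION:
        return False
    role = (record.get("form") or {}).get("user_role", "")
    # Normalise: WordPress role slugs are lowercase, attackers may pad them.
    return role.strip().lower() in PRIVILEGED_ROLES


def scan_request_log(lines):
    """Parse JSON-lines records and return the abusive registration attempts."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than abort the scan
        if is_role_abuse(record):
            hits.append({
                "ts": record.get("ts"),
                "src_ip": record.get("src_ip"),
                "user_login": record["form"].get("user_login"),
                "user_role": record["form"].get("user_role"),
            })
    return hits


def recent_admins(users, since):
    """Return logins of administrator accounts registered on or after 'since'.

    'users' holds records with user_login, roles (comma-separated) and
    user_registered ("YYYY-MM-DD HH:MM:SS", as WordPress stores it).
    """
    cutoff = datetime.fromisoformat(since)
    found = []
    for user in users:
        roles = {r.strip() for r in user.get("roles", "").split(",")}
        registered = datetime.fromisoformat(user["user_registered"])
        if "administrator" in roles and registered >= cutoff:
            found.append(user["user_login"])
    return found


# Constructed sample log: one body-field hit, one query-string hit, two benign
# requests and one malformed line.
SAMPLE_LOG = """
{"ts": "2025-08-01T10:00:01Z", "src_ip": "203.0.113.5", "method": "POST", "uri": "/wp-admin/admin-ajax.php", "form": {"action": "king_addons_user_register", "user_login": "svc-backup", "user_email": "x@example.invalid", "user_role": "administrator"}}
{"ts": "2025-08-01T10:00:09Z", "src_ip": "198.51.100.7", "method": "POST", "uri": "/wp-admin/admin-ajax.php", "form": {"action": "king_addons_user_register", "user_login": "jane", "user_role": "subscriber"}}
{"ts": "2025-08-01T10:00:12Z", "src_ip": "198.51.100.7", "method": "POST", "uri": "/wp-admin/admin-ajax.php", "form": {"action": "heartbeat"}}
{"ts": "2025-08-01T10:01:33Z", "src_ip": "203.0.113.5", "method": "POST", "uri": "/wp-admin/admin-ajax.php?action=king_addons_user_register", "form": {"user_login": "editor2", "user_role": " Editor "}}
this line is not JSON and must be skipped
"""

# Constructed user export shaped like `wp user list --format=json` output.
SAMPLE_USERS = [
    {"user_login": "owner", "roles": "administrator", "user_registered": "2023-02-11 09:00:00"},
    {"user_login": "jane", "roles": "subscriber", "user_registered": "2025-08-01 10:00:09"},
    {"user_login": "svc-backup", "roles": "administrator", "user_registered": "2025-08-01 10:00:01"},
]

if __name__ == "__main__":
    for hit in scan_request_log(SAMPLE_LOG.splitlines()):
        print("role abuse attempt:", hit)
    print("admins registered in window:", recent_admins(SAMPLE_USERS, "2025-07-01 00:00:00"))
```

The query-string case matters in practice: a plain web-server access log never shows POST bodies, so the body-field check only works where a proxy or WAF logs form fields, while the URI form is visible in ordinary access logs. Any login returned by recent_admins that the site owner cannot account for should be treated as attacker-created and handled under the incident process rather than simply deleted, since the exploit described on this page follows account creation with a plugin upload.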
Exploits
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.
This repository contains a single Metasploit module targeting a critical unauthenticated privilege escalation vulnerability (CVE-2025-8489) in the King Addons for Elementor WordPress plugin (versions 24.12.92 to 51.1.14). The exploit works by abusing the 'handle_register_ajax' function, which allows an attacker to specify the 'user_role' parameter during registration, enabling the creation of an administrator account without authentication. The attacker must supply the path to a WordPress page containing the vulnerable widget to extract a required nonce from the page's JavaScript. Once an admin account is created, the module uploads a malicious plugin (containing a PHP payload) and executes it to achieve remote code execution (RCE) on the server. The module is weaponized, supporting multiple payload types (PHP, command shell) and platforms (PHP, Unix/Linux, Windows). The main attack vector is network-based, exploiting HTTP endpoints exposed by the vulnerable WordPress plugin. The code is structured as a standard Metasploit module, with clear separation of functions for nonce extraction, user creation, and payload upload/execution.
Recent activity
39 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A privilege escalation vulnerability in the WordPress King Addons plugin, referenced as a Metasploit module PR.
WordPress King Addons for Elementor privilege escalation allowing unauthenticated attackers to create admin accounts by specifying the administrator role during registration; under active exploitation.
An unauthenticated privilege escalation / account creation flaw in the King Addons for Elementor WordPress plugin that allows attackers to create administrator accounts by abusing the plugin’s AJAX user registration endpoint with a crafted user_role parameter.
A critical privilege-escalation flaw in the King Addons for Elementor WordPress plugin registration handler that allows unauthenticated users to set their own role (including administrator) during signup, enabling creation of rogue admin accounts.