WordPress King Addons Flaw Under Active Attack Lets Hackers Make Admin Accounts

Posted on December 3, 2025 by CWS

Dec 03, 2025 | Ravie Lakshmanan | Vulnerability / Website Security

A critical security flaw affecting a WordPress plugin known as King Addons for Elementor has come under active exploitation in the wild.

The vulnerability, CVE-2025-8489 (CVSS score: 9.8), is a privilege escalation that allows unauthenticated attackers to grant themselves administrative privileges simply by specifying the administrator user role during registration.

It affects versions from 24.12.92 through 51.1.14. It was patched by the maintainers in version 51.1.35, released on September 25, 2025. Security researcher Peter Thaleikis has been credited with discovering and reporting the flaw. The plugin has over 10,000 active installs.

“This is due to the plugin not properly restricting the roles that users can register with,” Wordfence said in an alert. “This makes it possible for unauthenticated attackers to register with administrator-level user accounts.”

Specifically, the issue is rooted in the “handle_register_ajax()” function that is invoked during user registration. An insecure implementation of the function meant that unauthenticated attackers could specify their role as “administrator” in a crafted HTTP request to the “/wp-admin/admin-ajax.php” endpoint, allowing them to obtain elevated privileges.
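As an added illustration (not the plugin's actual code, which the article does not show), here is a WordPress AJAX registration handler in the vulnerable shape described above, beside a hardened version that never trusts a client-supplied role. The demo_* function names and the 'demo_register' nonce action are assumptions.

```php
<?php
// Added illustration, not King Addons' own code: a simplified admin-ajax
// registration handler in the shape the article describes, then a hardened
// version. All demo_* names and the 'demo_register' nonce action are hypothetical.

// VULNERABLE shape: the role is read from the request body, so an
// unauthenticated POST to /wp-admin/admin-ajax.php can ask for 'administrator'.
function demo_register_vulnerable() {
    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( $_POST['username'] ?? '' ),
        'user_email' => sanitize_email( $_POST['email'] ?? '' ),
        'user_pass'  => (string) ( $_POST['password'] ?? '' ),
        'role'       => $_POST['role'] ?? get_option( 'default_role' ), // attacker-controlled
    ) );
    wp_send_json( array( 'user_id' => $user_id ) );
}

// HARDENED shape: the role never comes from the client. It is taken from the
// site's configured default role and, as defence in depth, replaced if that
// default is not a self-service role.
function demo_register_hardened() {
    check_ajax_referer( 'demo_register', 'nonce' );
    if ( ! get_option( 'users_can_register' ) ) {
        wp_send_json_error( 'Registration is disabled.', 403 );
    }
    $username = sanitize_user( $_POST['username'] ?? '', true );
    $email    = sanitize_email( $_POST['email'] ?? '' );
    $password = (string) ( $_POST['password'] ?? '' );
    if ( ! validate_username( $username ) || ! is_email( $email ) || strlen( $password ) < 12 ) {
        wp_send_json_error( 'Invalid registration data.', 400 );
    }
    $role = get_option( 'default_role', 'subscriber' );
    if ( ! in_array( $role, array( 'subscriber', 'contributor' ), true ) ) {
        // Only low-privilege roles are ever granted here; anything else falls back.
        $role = 'subscriber';
    }
    $user_id = wp_insert_user( array(
        'user_login' => $username,
        'user_email' => $email,
        'user_pass'  => $password,
        'role'       => $role,
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 400 );
    }
    wp_send_json_success( array( 'user_id' => $user_id ) );
}
// Unauthenticated visitors reach this handler via admin-ajax.php, so it must grant nothing beyond the default role.
add_action( 'wp_ajax_nopriv_demo_register', 'demo_register_hardened' );
```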

Successful exploitation of the vulnerability could allow a bad actor to seize control of a susceptible site that has the plugin installed, and weaponize that access to upload malicious code that can deliver malware, redirect site visitors to sketchy sites, or inject spam.

Wordfence said it has blocked over 48,400 exploit attempts since the flaw was publicly disclosed in late October 2025, with 75 attempts thwarted in the last 24 hours alone. The attacks have originated from the following IP addresses:

45.61.157.120
182.8.226.228
138.199.21.230
206.238.221.25
2602:fa59:3:424::1

“Attackers may have started actively targeting this vulnerability as early as October 31, 2025, with mass exploitation beginning on November 9, 2025,” the WordPress security company said.

Site administrators are advised to ensure that they are running the latest version of the plugin, audit their environments for any suspicious admin users, and monitor for any signs of abnormal activity.

Source: The Hacker News