
"A critical security flaw impacting a WordPress plugin known as King Addons for Elementor has come under active exploitation in the wild. The vulnerability, CVE-2025-8489 (CVSS score: 9.8), is a case of privilege escalation that allows unauthenticated attackers to grant themselves administrative privileges by simply specifying the administrator user role during registration. It affects versions from 24.12.92 through 51.1.14. It was patched by the maintainers in version 51.1.35 released on September 25, 2025. Security researcher Peter Thaleikis has been credited with discovering and reporting the flaw. The plugin has over 10,000 active installs."
""This is due to the plugin not properly restricting the roles that users can register with," Wordfence said in an alert. "This makes it possible for unauthenticated attackers to register with administrator-level user accounts." Specifically, the issue is rooted in the "handle_register_ajax()" function that's invoked during user registration. But an insecure implementation of the function meant that unauthenticated attackers can specify their role as "administrator" in a crafted HTTP request to the "/wp-admin/admin-ajax.php" endpoint, allowing them to obtain elevated privileges."
A critical privilege-escalation vulnerability (CVE-2025-8489, CVSS 9.8) in the King Addons for Elementor WordPress plugin lets unauthenticated users obtain administrator privileges during registration. The flaw affects versions 24.12.92 through 51.1.14 and was fixed in version 51.1.35, released on September 25, 2025. The insecure implementation of the handle_register_ajax() registration function does not restrict the role a new user may register with, so an attacker can specify the administrator role in a crafted request to /wp-admin/admin-ajax.php. Successful exploitation yields full site takeover, which in turn enables malware uploads, visitor redirection, or spam injection. Wordfence reports having blocked tens of thousands of exploit attempts since late October 2025. The plugin has over 10,000 active installs.
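As an added triage check (this is not code from The Hacker News, Wordfence, or the plugin's authors), the script below reads a plugin's version from its WordPress plugin header comment and places it against the affected range and the fixed release quoted above. The plugin file path wp-content/plugins/king-addons/king-addons.php and the sample header are assumptions; the three version boundaries come from the advisory text.

```python
"""Triage helper for CVE-2025-8489 in King Addons for Elementor.

Added example; not code from The Hacker News, Wordfence, or the plugin
authors. It compares an installed plugin version against the range the
advisory lists as affected (24.12.92 through 51.1.14) and the fixed
release (51.1.35). The plugin file location below is an assumption.
"""
import re
from pathlib import Path
from typing import Optional, Tuple

Version = Tuple[int, ...]

AFFECTED_MIN: Version = (24, 12, 92)   # from the advisory
AFFECTED_MAX: Version = (51, 1, 14)    # from the advisory
FIXED: Version = (51, 1, 35)           # from the advisory

# Assumed location of the plugin's main file inside a WordPress install.
PLUGIN_FILE = Path("wp-content/plugins/king-addons/king-addons.php")


def parse_version(text: str) -> Version:
    """Turn '51.1.14' into (51, 1, 14); non-numeric suffixes are ignored."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(p) for p in parts)


def _padded(a: Version, b: Version) -> Tuple[Version, Version]:
    """Right-pad with zeros so (51, 1) compares as (51, 1, 0)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def compare(a: Version, b: Version) -> int:
    """Return -1, 0 or 1 like a classic comparator."""
    pa, pb = _padded(a, b)
    return (pa > pb) - (pa < pb)


def assess(version: str) -> str:
    """Classify a version string against the advisory's range."""
    v = parse_version(version)
    if compare(AFFECTED_MIN, v) <= 0 and compare(v, AFFECTED_MAX) <= 0:
        return "AFFECTED"
    if compare(v, FIXED) < 0:
        # Not in the listed range but older than the fixed release: the
        # advisory says nothing about these builds, so do not assume safety.
        return "UPDATE_RECOMMENDED"
    return "PATCHED"


def version_from_header(source: str) -> Optional[str]:
    """Read the 'Version:' line of a WordPress plugin header comment."""
    m = re.search(r"^\s*\*?\s*Version:\s*([^\s]+)", source, re.MULTILINE)
    return m.group(1) if m else None


def check_plugin_file(path: Path) -> str:
    """Assess the plugin whose main file lives at `path`."""
    source = path.read_text(encoding="utf-8", errors="replace")
    version = version_from_header(source)
    if version is None:
        return "UNKNOWN"
    return assess(version)


# Constructed sample header standing in for a real plugin file.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: King Addons for Elementor
 * Version: 51.1.14
 */
"""

if __name__ == "__main__":
    ver = version_from_header(SAMPLE_HEADER)
    print(f"sample header version {ver}: {assess(ver)}")
    if PLUGIN_FILE.exists():
        print(f"{PLUGIN_FILE}: {check_plugin_file(PLUGIN_FILE)}")
```

Builds between 51.1.14 and 51.1.35 are reported as UPDATE_RECOMMENDED rather than safe, because the advisory lists only the affected range and the fixed release and says nothing about the versions in between; a version check is a starting point, not a substitute for auditing the site for unexpected administrator accounts.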
Read at The Hacker News