CVE-2025-8489
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-31

Last updated on: 2025-11-04

Assigner: Wordfence

Description
The King Addons for Elementor – Free Elements, Widgets, Templates, and Features for Elementor plugin for WordPress is vulnerable to privilege escalation in versions 24.12.92 to 51.1.14 . This is due to the plugin not properly restricting the roles that users can register with. This makes it possible for unauthenticated attackers to register with administrator-level user accounts.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-31
Last Modified
2025-11-04
Generated
2026-06-16
AI Q&A
2025-10-31
EPSS Evaluated
2026-06-14
NVD
CVE-2025-8489
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
king_addons king_addons_for_elementor *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in the King Addons for Elementor WordPress plugin allows unauthenticated attackers to register user accounts with administrator-level privileges. This happens because the plugin does not properly restrict the user roles that can be assigned during registration, enabling privilege escalation from a normal user to an administrator.

Impact Analysis

This vulnerability can have severe impacts as it allows attackers to gain administrator access to a WordPress site without authentication. With administrator privileges, attackers can fully control the site, including modifying content, installing malicious code, stealing sensitive data, and disrupting site operations.

Compliance Impact

This vulnerability can negatively affect compliance with standards like GDPR and HIPAA because unauthorized administrator access can lead to data breaches, unauthorized data modification, and loss of data integrity and confidentiality. Such breaches can result in violations of data protection regulations and lead to legal and financial consequences.

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized user registrations with administrator-level roles in the WordPress system. Since the vulnerability allows unauthenticated attackers to register as administrators, you can check the WordPress user list for recently created users with elevated privileges. Commands to detect this include using WP-CLI to list users and their roles, for example: `wp user list --role=administrator --field=user_login,user_email,user_registered` to identify suspicious new admin accounts. Additionally, reviewing web server logs for POST requests to the registration AJAX endpoint (e.g., `admin-ajax.php` with action related to King Addons registration) may help detect exploitation attempts. Monitoring for unusual spikes in registration attempts or registrations from suspicious IPs can also be useful. [1, 2]

Mitigation Strategies

Immediate mitigation steps include: 1) Updating the King Addons for Elementor plugin to a version later than 51.1.14 where the vulnerability is fixed. 2) Temporarily disabling user registration in WordPress settings to prevent new registrations until the plugin is updated. 3) Reviewing and removing any unauthorized administrator accounts created during the vulnerable period. 4) Implementing additional security measures such as enabling reCAPTCHA on registration forms, enforcing strong password policies, and monitoring rate limiting logs to detect and block suspicious registration attempts. 5) Applying web application firewall (WAF) rules to block suspicious registration requests targeting the vulnerable AJAX endpoints. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-8489. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart