Privilege Escalation in King Addons for Elementor Plugin by WordPress
CVE-2025-8489
Key Information:
- Vendor: WordPress
- CVE Published: 31 October 2025
What is CVE-2025-8489?
CVE-2025-8489 is a vulnerability in the King Addons for Elementor plugin for WordPress, affecting versions from 24.12.92 to 51.1.14. The plugin extends Elementor, a popular page builder for WordPress, with additional elements, widgets, templates, and features. The vulnerability arises from inadequate restrictions on the role a user can be registered with, which allows unauthorized users to register accounts with administrator-level privileges. This is a serious risk: it lets malicious actors gain elevated privileges within a WordPress site, compromising the entire system and potentially leading to unauthorized modifications, data exposure, or complete site takeover.
Potential impact of CVE-2025-8489
- Unauthorized Access and Control: The primary risk associated with CVE-2025-8489 is that it allows unauthenticated attackers to gain administrator-level access. This level of control can result in the manipulation or deletion of critical site data, the alteration of user privileges, and the installation of malicious code.
- Data Breach and Integrity Risks: By exploiting this vulnerability, attackers could access sensitive user information, such as personal data and financial records, stored within the WordPress installation. The integrity of the website could also be compromised, leading to trust issues for users and potential legal ramifications for organizations.
- Propagation of Further Attacks: Once an attacker has gained administrative control of a WordPress site, they may use this access to deploy additional malware, conduct phishing campaigns, or enlist the site in a botnet to facilitate attacks on other targets, expanding the overall threat landscape.
Affected Version(s)
King Addons for Elementor – 4,000+ ready Elementor sections, 650+ templates, 70+ FREE widgets for Elementor * <= 51.1.14
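A triage check for the issue described above, added here as an example and not taken from the plugin or the advisory source: it tests an installed version against the stated range (24.12.92 to 51.1.14) and audits a WP-CLI user export for administrator accounts that are unexpected or recently registered. The allow-list, the cutoff date and the sample user records are assumptions constructed for illustration.

```python
import json
from datetime import datetime

# Affected range as given in the description above (24.12.92 to 51.1.14).
FIRST_AFFECTED, LAST_AFFECTED = (24, 12, 92), (51, 1, 14)
TS = "%Y-%m-%d %H:%M:%S"  # format of WordPress's user_registered column

def is_affected(version):
    """True if a dotted plugin version falls inside the affected range."""
    return FIRST_AFFECTED <= tuple(int(p) for p in version.split(".")) <= LAST_AFFECTED

def unexpected_admins(users_json, known_admins, cutoff):
    """Flag administrators missing from the allow-list or registered at or after cutoff."""
    cutoff_dt = datetime.strptime(cutoff, TS)
    flagged = []
    for user in json.loads(users_json):
        roles = [r.strip() for r in user.get("roles", "").split(",")]
        if "administrator" not in roles:
            continue
        reasons = []
        if user["user_login"] not in known_admins:
            reasons.append("not on allow-list")
        if datetime.strptime(user["user_registered"], TS) >= cutoff_dt:
            reasons.append("registered after cutoff")
        if reasons:
            flagged.append((user["user_login"], reasons))
    return flagged

# Constructed sample in the shape of:
#   wp user list --fields=ID,user_login,user_registered,roles --format=json
SAMPLE_USERS = json.dumps([
    {"ID": 1, "user_login": "siteowner", "user_registered": "2021-03-02 09:15:00", "roles": "administrator"},
    {"ID": 7, "user_login": "editor01", "user_registered": "2025-11-02 10:00:00", "roles": "editor"},
    {"ID": 9, "user_login": "newadmin", "user_registered": "2025-11-03 22:41:17", "roles": "administrator"},
])

if __name__ == "__main__":
    print("51.1.14 affected:", is_affected("51.1.14"))
    # Assumed inputs: allow-list of expected admins; cutoff set to the CVE publication date.
    for login, reasons in unexpected_admins(SAMPLE_USERS, {"siteowner"}, "2025-10-31 00:00:00"):
        print(login, "->", ", ".join(reasons))
```

Set the cutoff to the date the affected plugin version was first installed on the site when that is known, since accounts may have been created before the CVE was published.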