Privilege Escalation in King Addons for Elementor Plugin by WordPress
CVE-2025-8489

9.8 CRITICAL

Key Information:

Badges

  • 📈 Score: 404
  • 👾 Exploit Exists
  • 🟣 EPSS 48%
  • 📰 News Worthy

What is CVE-2025-8489?

CVE-2025-8489 is a vulnerability found in the King Addons for Elementor plugin for WordPress, specifically affecting versions from 24.12.92 to 51.1.14. The plugin extends Elementor, a popular page builder for WordPress, with additional elements, widgets, templates, and features. The vulnerability arises from inadequate restrictions on the user role assigned during registration, allowing unauthenticated users to register administrator-level accounts. This flaw presents a serious risk: it lets malicious actors gain elevated privileges on a WordPress site, effectively compromising the entire installation and potentially leading to unauthorized modifications, data exposure, or complete site takeover.

Potential impact of CVE-2025-8489

  1. Unauthorized Access and Control: The primary risk associated with CVE-2025-8489 is that it allows unauthenticated attackers to gain administrator-level access. This level of control can result in the manipulation or deletion of critical site data, the alteration of user privileges, and the installation of malicious code.

  2. Data Breach and Integrity Risks: By exploiting this vulnerability, attackers could access sensitive user information, such as personal data and financial records, stored within the WordPress installation. The integrity of the website could also be compromised, leading to trust issues for users and potential legal ramifications for organizations.

  3. Propagation of Further Attacks: Once an attacker has compromised a WordPress site at the administrator level, they may leverage this access to deploy additional malware, conduct phishing campaigns, or even use the site as part of a botnet to facilitate further attacks on other targets, thus expanding the overall threat landscape.

Affected Version(s)

King Addons for Elementor (4,000+ ready Elementor sections, 650+ templates, 70+ FREE widgets for Elementor): versions <= 51.1.14

News Articles

Critical flaw in WordPress add-on for Elementor exploited in attacks

Attackers are exploiting a critical-severity privilege escalation vulnerability (CVE-2025-8489) in the King Addons for Elementor plugin for WordPress, which lets them obtain administrative permissions during the registration process.

2 weeks ago

References

EPSS Score

48% chance of being exploited in the next 30 days.

CVSS V3.1

  • Score: 9.8
  • Severity: CRITICAL
  • Confidentiality: High
  • Integrity: High
  • Availability: High
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged

Timeline

  • 👾 Exploit known to exist

  • 📰 First article discovered by BleepingComputer

  • Vulnerability published

  • Vulnerability Reserved

Credit

Peter Thaleikis