A critical security flaw in a popular WordPress plugin has triggered a massive wave of exploitation attempts, with threat actors actively trying to seize control of vulnerable websites by registering themselves as administrators.
According to a new report from Wordfence, the vulnerability affects King Addons for Elementor, a plugin installed on over 10,000 sites. Tracked as CVE-2025-8489, the flaw carries a CVSS score of 9.8, which places it in the Critical band, the highest severity rating.
The vulnerability is a classic case of Privilege Escalation. It stems from missing validation of one particular input during the user registration process: the role requested for the new account.
The plugin processes new accounts in a function called handle_register_ajax(). A registration form should assign every self-registered user a low-privilege role, such as "Subscriber," regardless of what the request says. The King Addons code instead took the role definition straight from user input.
“Unfortunately, this function was implemented insecurely, allowing unauthenticated attackers to specify their role without any restrictions, which means they could grant themselves the administrator role,” the report explains.
By adding the parameter user_role=administrator to an otherwise ordinary registration request, an unauthenticated attacker creates an account that is an administrator from the moment it exists. No existing account, password guessing, or other authenticated step is needed.
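To make the bug class concrete, here is an added example written for this article; it is not the King Addons source and is not taken from the Wordfence report. It shows a minimal unauthenticated AJAX registration handler in the vulnerable shape the report describes, followed by a hardened version that never reads the role from the request. Only the function name handle_register_ajax() and the parameter user_role come from the report; the function bodies, the AJAX action name `example_register`, the nonce name and the other field names are assumptions.

```php
<?php
// Added example for this article: NOT the King Addons source. The handler
// bodies, the action name 'example_register', the nonce name and the field
// names other than 'user_role' are assumptions; only handle_register_ajax()
// and user_role come from the Wordfence report. Runs inside WordPress
// (e.g. dropped into wp-content/mu-plugins/) purely to illustrate the bug.

// --- Vulnerable shape: the role is taken from the request --------------
function vulnerable_handle_register_ajax() {
    $username = sanitize_user( $_POST['username'] ?? '' );
    $email    = sanitize_email( $_POST['email'] ?? '' );
    $password = $_POST['password'] ?? '';

    // BUG: an unauthenticated caller controls 'role'. A request carrying
    // user_role=administrator creates an administrator account outright.
    $role = $_POST['user_role'] ?? 'subscriber';

    $user_id = wp_insert_user( array(
        'user_login' => $username,
        'user_email' => $email,
        'user_pass'  => $password,
        'role'       => $role,
    ) );

    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message() );
    }
    wp_send_json_success( array( 'user_id' => $user_id ) );
}

// --- Hardened shape -----------------------------------------------------
function hardened_handle_register_ajax() {
    // Even an unauthenticated endpoint can require a nonce tied to the form.
    check_ajax_referer( 'example_register_nonce', 'nonce' );

    // Honour the site's "Anyone can register" setting.
    if ( ! get_option( 'users_can_register' ) ) {
        wp_send_json_error( 'Registration is disabled.', 403 );
    }

    $username = sanitize_user( $_POST['username'] ?? '', true );
    $email    = sanitize_email( $_POST['email'] ?? '' );
    $password = $_POST['password'] ?? '';

    if ( '' === $username || ! is_email( $email ) || strlen( $password ) < 12 ) {
        wp_send_json_error( 'Invalid registration data.', 400 );
    }

    // The role is never read from the request. Self-registered users get the
    // site's configured default role, and a guard makes sure that option has
    // not itself been changed to a privileged role.
    $role = get_option( 'default_role', 'subscriber' );
    if ( ! in_array( $role, array( 'subscriber', 'contributor' ), true ) ) {
        $role = 'subscriber';
    }

    $user_id = wp_insert_user( array(
        'user_login' => $username,
        'user_email' => $email,
        'user_pass'  => $password,
        'role'       => $role,
    ) );

    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 400 );
    }
    wp_send_json_success( array( 'user_id' => $user_id ) );
}

// wp_ajax_nopriv_* hooks are reachable without logging in; that is exactly
// why a role taken from the request in the vulnerable version is fatal.
add_action( 'wp_ajax_nopriv_example_register', 'hardened_handle_register_ajax' );
```

The point of the hardened version is not extra checks on the role value but that there is no role value to check: the role comes from server-side configuration, so the request has nothing to tamper with.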
The gap between public disclosure and active exploitation was a single day.
- Patch Released: September 25, 2025
- Public Disclosure: October 30, 2025
- Attacks Begin: October 31, 2025
“Our records indicate that attackers started exploiting the issue the next day, on October 31st, 2025.” Since that date, the volume of attacks has exploded. “The Wordfence Firewall has already blocked over 48,400 exploit attempts targeting this vulnerability.”
Because this flaw hands out administrative access directly, the impact is complete compromise of the site. "As with any Privilege Escalation vulnerability, this vulnerability can be used for a complete site compromise."
Once logged in as an administrator, threat actors can:
- Upload Malicious Files: “This includes the ability to upload plugin and theme files, which can be malicious zip files containing backdoors.”
- Hijack Traffic: “They could modify posts and pages which can be leveraged to redirect site users to other malicious sites or inject spam content.”
Wordfence has identified several IP addresses aggressively targeting this specific vulnerability. Administrators should review their access logs for requests originating from the following top offenders:
- 45.61.157.120 (Over 28,900 blocked requests)
- 2602:fa59:3:424::1 (Over 16,900 blocked requests)
- 182.8.226.228
- 138.199.21.230
- 206.238.221.25
The vulnerability affects plugin versions 24.12.92 through 51.1.14 and is patched in version 51.1.35; sites should update to that release or later. Because exploitation began the day after disclosure, updating alone does not undo a compromise that already happened: site owners should also review administrator accounts they did not create, any plugins or themes added recently, and recently modified posts and pages. Blocking the IP addresses above is worthwhile for triage but is no substitute for patching.