A critical security vulnerability has been identified and is being actively exploited in the King Addons for Elementor plugin, a popular toolkit used by over 10,000 active WordPress installations.
The flaw, tracked as CVE-2025-8489, is an unauthenticated privilege escalation rated CVSS 9.8 (Critical). It lets anyone who can reach the site's registration form create an administrator account and take full control of the site.
The vulnerability stems from a missing server-side check in the plugin's registration functionality: in versions 24.12.92 through 51.1.14, King Addons for Elementor does not restrict which user role is assigned to a newly registered account, so the role is effectively chosen by the client.
An unauthenticated attacker (someone who is not logged in) can exploit this simply by adding a role parameter (user_role=administrator) to the registration request.
Once the attacker registers as an administrator, they have full control of the website, including the ability to install malicious plugins or backdoors, change content, and use the site as a foothold for further attacks.
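To make the bug pattern concrete, here is an added PHP example that is not the King Addons plugin's actual code: a registration handler that takes the role from the request, next to a hardened version that decides the role server-side. The function names, the AJAX action name and the form field names are assumptions made for illustration; the WordPress APIs used (wp_insert_user, check_ajax_referer, wp_send_json_error and friends) are real, and the snippet is meant to run inside WordPress rather than stand-alone.

```php
<?php
// Added illustrative example; not code from the King Addons for Elementor plugin.
// Function names, the AJAX action name and the $_POST field names are assumptions.

// VULNERABLE PATTERN: the role is copied from the request. Sanitising the value
// does not help, because 'administrator' is a perfectly clean string. Any
// unauthenticated client that appends user_role=administrator becomes an admin.
function example_register_vulnerable() {
    $userdata = array(
        'user_login' => sanitize_user( $_POST['username'] ),
        'user_email' => sanitize_email( $_POST['email'] ),
        'user_pass'  => $_POST['password'],
        'role'       => sanitize_text_field( $_POST['user_role'] ), // attacker-controlled
    );
    $user_id = wp_insert_user( $userdata );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message() );
    }
    wp_send_json_success( array( 'user_id' => $user_id ) );
}

// HARDENED PATTERN: the client never chooses the role. The role comes from a
// site option that only an administrator can change, and is checked against a
// fixed allowlist that cannot contain 'administrator' (or 'editor').
function example_register_fixed() {
    // Nonce check for CSRF; note it does NOT prevent role abuse on its own,
    // because a nopriv handler's nonce is obtainable by any visitor.
    check_ajax_referer( 'example_register', 'nonce' );

    $allowed_roles = array( 'subscriber', 'contributor' );
    $role = get_option( 'example_default_role', 'subscriber' ); // admin-configured, never from $_POST
    if ( ! in_array( $role, $allowed_roles, true ) ) {
        $role = 'subscriber';
    }

    $username = isset( $_POST['username'] ) ? sanitize_user( wp_unslash( $_POST['username'] ) ) : '';
    $email    = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    $password = isset( $_POST['password'] ) ? (string) wp_unslash( $_POST['password'] ) : '';

    if ( '' === $username || ! is_email( $email ) || strlen( $password ) < 12 ) {
        wp_send_json_error( 'Invalid registration data.' );
    }

    $user_id = wp_insert_user( array(
        'user_login' => $username,
        'user_email' => $email,
        'user_pass'  => $password,
        'role'       => $role, // decided here, whatever the request says
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message() );
    }
    wp_send_json_success( array( 'user_id' => $user_id ) );
}

// Registration is by definition exposed to logged-out visitors, which is why the
// role decision has to live on the server side of this hook (assumed action name).
add_action( 'wp_ajax_nopriv_example_register', 'example_register_fixed' );
```

The point of the hardened version is that no request field is consulted when choosing the role; a nonce or a sanitiser applied to user_role would still leave the privilege decision in the attacker's hands. The same allowlist discipline applies to any other privileged field a registration form might accept, such as capabilities or user meta.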
The flaw carries the most severe CVSS base metrics for reachability: Network attack vector, Low attack complexity, and No privileges required, which makes it trivial to exploit at scale.
The vulnerability is already under active exploitation in the wild: Wordfence reported blocking 170 attacks targeting it in the 24 hours preceding its report.

All users of King Addons for Elementor should update to the patched version (51.1.35 or later) immediately to protect their sites from a full takeover. Because exploitation leaves behind a persistent administrator account, updating alone does not evict an attacker who has already used the flaw: also audit the administrator role for accounts you did not create, remove any that are unexpected, and review installed plugins for additions you do not recognise.