
Critical flaw in WordPress add-on for Elementor exploited in attacks


Attackers are exploiting a critical-severity privilege escalation vulnerability (CVE-2025-8489) in the King Addons for Elementor plugin for WordPress, which lets them obtain administrative permissions during the registration process.

The threat activity started on October 31, just a day after the issue was publicly disclosed. So far, the Wordfence security scanner from Defiant, a company that provides security services for WordPress websites, has blocked more than 48,400 exploit attempts.

King Addons is a third-party add-on for Elementor, a popular visual page builder plugin for WordPress sites. It is used on roughly 10,000 websites, providing additional widgets, templates, and features.

CVE-2025-8489, discovered by researcher Peter Thaleikis, is a flaw in the plugin’s registration handler that allows anyone signing up to specify their user role on the website, including the administrator role, without enforcing any restrictions.

According to observations from Wordfence, attackers send a crafted ‘admin-ajax.php’ request that specifies ‘user_role=administrator’ in order to create rogue admin accounts on targeted sites.

Image: Malicious request (Source: Wordfence)

The researchers noticed a peak in the exploitation activity between November 9 and 10, with two IP addresses being the most active: 45.61.157.120 (28,900 attempts) and 2602:fa59:3:424::1 (16,900 attempts).

Wordfence provides a more extensive list of attacking IP addresses and recommends that website administrators look for them in their log files. The presence of new, unexpected administrator accounts is also a clear sign of compromise.
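The two checks recommended above (attacker IPs in the access logs, unexpected new administrator accounts) can be scripted. The following is an added example written for this article, not code from Wordfence or from the King Addons project. It assumes access logs in the Apache/nginx "combined" format and user records shaped like the JSON output of `wp user list`; the log lines and user records embedded below are constructed, the only real indicators are the two IP addresses quoted in the article, and `ACTION_PLACEHOLDER` stands in for the plugin's AJAX action name, which the article does not give.

```python
"""Hunt for CVE-2025-8489 exploitation traces (added example, not project code)."""
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# The two IPs Wordfence reported as most active (from the article). A real
# hunt would load Wordfence's full published list instead of this sample.
KNOWN_ATTACK_IPS = {"45.61.157.120", "2602:fa59:3:424::1"}

# Public disclosure date from the article; accounts created after it are suspect.
DISCLOSURE_DATE = datetime(2025, 10, 30)

# Apache/nginx "combined" log format: ip ident user [ts] "METHOD target PROTO" status size ...
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log; ACTION_PLACEHOLDER is not the plugin's real action name.
SAMPLE_LOG = """\
45.61.157.120 - - [09/Nov/2025:14:02:11 +0000] "POST /wp-admin/admin-ajax.php?action=ACTION_PLACEHOLDER&user_role=administrator HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Nov/2025:14:03:45 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 88 "-" "Mozilla/5.0"
2602:fa59:3:424::1 - - [10/Nov/2025:01:17:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.4 - - [10/Nov/2025:02:00:00 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Constructed user records in the shape of `wp user list --format=json`.
SAMPLE_USERS = [
    {"user_login": "siteowner", "roles": "administrator", "user_registered": "2023-05-01 09:00:00"},
    {"user_login": "editor1", "roles": "editor", "user_registered": "2025-11-05 10:00:00"},
    {"user_login": "wpadmin_x9", "roles": "administrator", "user_registered": "2025-11-09 14:02:12"},
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return the reasons a parsed entry looks like CVE-2025-8489 abuse (empty if none)."""
    reasons = []
    parts = urlsplit(entry["target"])
    if not parts.path.endswith("/admin-ajax.php"):
        return reasons
    # Only the query string is visible in an access log; a role sent in the
    # POST body will not appear here, which is why the IP check below exists.
    if "administrator" in parse_qs(parts.query).get("user_role", []):
        reasons.append("user_role=administrator in query string")
    if entry["method"] == "POST" and entry["ip"] in KNOWN_ATTACK_IPS:
        reasons.append("POST to admin-ajax.php from reported attacker IP")
    return reasons


def scan_log(text):
    """Return (ip, timestamp, reasons) for every suspicious line in the log text."""
    hits = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            hits.append((entry["ip"], entry["ts"], reasons))
    return hits


def suspicious_admins(users, since=DISCLOSURE_DATE):
    """Return logins of administrator accounts registered on or after `since`."""
    found = []
    for user in users:
        if "administrator" not in user["roles"].split(","):
            continue
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        if registered >= since:
            found.append(user["user_login"])
    return found


if __name__ == "__main__":
    for ip, ts, reasons in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip}: {'; '.join(reasons)}")
    print("admin accounts created since disclosure:", suspicious_admins(SAMPLE_USERS))
```

Because standard access logs do not record POST bodies, a request that carries `user_role` in the body is only caught here through the attacker-IP match; pair this with the WAF or application logs (where the body is visible) and with the account audit, which does not depend on logging at all.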

Website owners are advised to upgrade to King Addons version 51.1.35, released on September 25, which addresses CVE-2025-8489.
