CVE-2025-8489
King Addons for Elementor – Free Elements, Widgets, Templates, and Features for Elementor 24.12.92 - 51.1.14 - Unauthenticated Privilege Escalation
Description
The King Addons for Elementor – Free Elements, Widgets, Templates, and Features for Elementor plugin for WordPress is vulnerable to privilege escalation in versions 24.12.92 to 51.1.14 . This is due to the plugin not properly restricting the roles that users can register with. This makes it possible for unauthenticated attackers to register with administrator-level user accounts.
INFO
Published Date :
Oct. 31, 2025, 7:15 a.m.
Last Modified :
Nov. 4, 2025, 3:41 p.m.
Remotely Exploit :
Yes !
Source :
[email protected]
Affected Products
The following products are affected by CVE-2025-8489
vulnerability.
Even if cvefeed.io is aware of the exact versions of the
products
that
are
affected, the information is not represented in the table below.
No affected product recoded yet
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | CRITICAL | [email protected] |
Solution
- Update the King Addons plugin to the latest version.
- Review and restrict user role registration capabilities.
- Remove the plugin if not actively used.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2025-8489.
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2025-8489 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2025-8489
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2025-8489 vulnerability anywhere in the article.
-
TheCyberThrone
Microsoft Patch Tuesday December 2025
Microsoft’s final Patch Tuesday of 2025, released on December 9, addresses approximately 56-57 vulnerabilities across Windows, Office, Exchange, and related components, including three zero-days and s ... Read more
-
TheCyberThrone
Apache Tika CVE-2025-66516 Scores Perfect 10
December 6, 2025CVE-2025-66516, a critical XXE vulnerability in Apache Tika’s core with CVSS 10.0, exposes organizations to data exfiltration and SSRF through malicious PDF uploads, affecting document ... Read more
-
TheCyberThrone
React2Shell CVE-2025-55182- Shaking React and Next.js Ecosystems
React Server Components promised a revolution in web development—seamless server-side rendering with client interactivity. But a critical flaw dubbed React2Shell has turned that promise into a widespr ... Read more
-
TheCyberThrone
King Addons vulnerability CVE-2025-8489 for Elementor Plugin
December 4, 2025A critical security vulnerability, tracked as CVE-2025-8489, has been discovered in the popular King Addons for Elementor WordPress plugin, affecting versions from 24.12.92 through 51. ... Read more
-
The Hacker News
WordPress King Addons Flaw Under Active Attack Lets Hackers Make Admin Accounts
Dec 03, 2025Ravie LakshmananVulnerability / Website Security A critical security flaw impacting a WordPress plugin known as King Addons for Elementor has come under active exploitation in the wild. ... Read more
-
CybersecurityNews
Critical Elementor Plugin Vulnerability Let Attackers Takeover WordPress Site Admin Control
A critical security flaw in the popular “King Addons for Elementor” WordPress plugin has left thousands of websites at risk of complete takeover, security researchers have warned. The vulnerability, t ... Read more
-
CybersecurityNews
Critical Elementor Plugin Vulnerability Let Attackers Takeover WordPress Site Admin Control
A serious vulnerability has been discovered in the King Addons for Elementor WordPress plugin, affecting more than 10,000 active installations worldwide. The flaw allows unauthenticated attackers to g ... Read more
-
Daily CyberSecurity
CISA Warns: Critical Iskra iHUB Flaw (CVE-2025-13510) Allows Unauthenticated Smart Metering Takeover
A critical security vacuum has been discovered in smart metering infrastructure, potentially leaving utility networks exposed to remote takeover. The Cybersecurity and Infrastructure Security Agency ( ... Read more
-
Daily CyberSecurity
Critical Elementor Plugin Flaw (CVE-2025-8489, CVSS 9.8) Under Active Exploitation Allows Unauthenticated Admin Takeover
A critical security flaw in a popular WordPress plugin has triggered a massive wave of exploitation attempts, with threat actors actively trying to seize control of vulnerable websites by registering ... Read more
-
Daily CyberSecurity
Critical WordPress Theme Flaw (CVE-2025-5397, CVSS 9.8) Under Active Exploitation Allows Unauthenticated Admin Takeover
An extremely severe security vulnerability has been discovered and is being actively exploited in the Jobmonster – Job Board WordPress Theme, a popular theme used by nearly 5.6k customers to connect e ... Read more
-
Daily CyberSecurity
Critical WordPress Plugin Flaw (CVE-2025-8489, CVSS 9.8) Allows Unauthenticated Admin Takeover
A critical security vulnerability has been identified and is being actively exploited in the King Addons for Elementor plugin, a popular toolkit used by over 10,000 active WordPress installations. The ... Read more
-
Daily CyberSecurity
CVE-2025-11833 (CVSS 9.8): Critical Flaw Exposes 400,000 WordPress Sites to Unauthenticated Account Takeover
The Post SMTP plugin, used by over 400,000 WordPress sites to ensure reliable email delivery, has been found to contain a critical Missing Authorization vulnerability that can lead to complete Account ... Read more
The following table lists the changes that have been made to the
CVE-2025-8489 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
New CVE Received by [email protected]
Oct. 31, 2025
Action Type Old Value New Value Added Description The King Addons for Elementor – Free Elements, Widgets, Templates, and Features for Elementor plugin for WordPress is vulnerable to privilege escalation in versions 24.12.92 to 51.1.14 . This is due to the plugin not properly restricting the roles that users can register with. This makes it possible for unauthenticated attackers to register with administrator-level user accounts. Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Added CWE CWE-269 Added Reference https://plugins.trac.wordpress.org/browser/king-addons/tags/24.12.93/includes/widgets/Login_Register_Form/Login_Register_Form_Ajax.php#L353 Added Reference https://plugins.trac.wordpress.org/browser/king-addons/tags/51.1.35/includes/widgets/Login_Register_Form/Login_Register_Form_Ajax.php#L160 Added Reference https://www.wordfence.com/threat-intel/vulnerabilities/id/a1bb2b06-9a3b-4428-8624-26a1202fe3b0?source=cve