LmCast :: Stay tuned in

Critical flaw in WordPress add-on for Elementor exploited in attacks

Recorded: Dec. 4, 2025, 1:02 a.m.


Critical flaw in WordPress add-on for Elementor exploited in attacks

By Bill Toulas

December 3, 2025, 04:31 PM

Attackers are exploiting a critical-severity privilege escalation vulnerability (CVE-2025-8489) in the King Addons for Elementor plugin for WordPress, which lets them obtain administrative permissions during the registration process.
The threat activity started on October 31, just a day after the issue was publicly disclosed. So far, the Wordfence security scanner from Defiant, a company that provides security services for WordPress websites, has blocked more than 48,400 exploit attempts.
King Addons is a third-party add-on for Elementor, a popular visual page builder plugin for WordPress sites. It is used on roughly 10,000 websites, providing additional widgets, templates, and features.
CVE-2025-8489, discovered by researcher Peter Thaleikis, is a flaw in the plugin’s registration handler that allows anyone signing up to specify their user role on the website, including the administrator role, without enforcing any restrictions.
According to observations from Wordfence, attackers send a crafted ‘admin-ajax.php’ request specifying ‘user_role=administrator’ to create rogue admin accounts on targeted sites.

[Image: Malicious request. Source: Wordfence]
The researchers noticed a peak in the exploitation activity between November 9 and 10, with two IP addresses being the most active: 45.61.157.120 (28,900 attempts) and 2602:fa59:3:424::1 (16,900 attempts).
Wordfence provides a more extensive list of attacking IP addresses and recommends that website administrators search their log files for them. The presence of new, unexpected administrator accounts is also a clear sign of compromise.
Website owners are advised to upgrade to version 51.1.35 of King Addons, released on September 25, which addresses CVE-2025-8489.
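A log check for the indicators Wordfence describes, as an added example (not Wordfence's or BleepingComputer's code): it scans combined-format access log lines for admin-ajax.php requests carrying user_role=administrator and for the two most active source addresses named above. The sample log lines are constructed, and the action parameter value is a placeholder, not the plugin's real action name.

```python
"""Scan access logs for signs of CVE-2025-8489 exploitation (added example,
not Wordfence's or BleepingComputer's code). Flags admin-ajax.php requests
with user_role=administrator in the query string and any request from the
two source addresses named in the article. Assumes the role parameter is
visible in the logged URI; POST bodies are usually not logged."""
import re
from urllib.parse import parse_qs, urlsplit

# The two most active source addresses reported by Wordfence (from the article).
KNOWN_ATTACK_IPS = {"45.61.157.120", "2602:fa59:3:424::1"}

# Common/combined log format; \S+ for the client field also covers IPv6.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})')

def classify(line):
    """Return the reasons a log line is suspicious; an empty list means clean."""
    m = LOG_RE.match(line)
    if not m:
        return []
    reasons = []
    if m["ip"] in KNOWN_ATTACK_IPS:
        reasons.append("known-attack-ip")
    parts = urlsplit(m["uri"])
    if parts.path.endswith("/wp-admin/admin-ajax.php"):
        # parse_qs URL-decodes values, so %41dministrator is caught as well.
        roles = [r.lower() for r in parse_qs(parts.query).get("user_role", [])]
        if "administrator" in roles:
            reasons.append("user_role=administrator")
    return reasons

def scan(lines):
    """Return (client_ip, timestamp, reasons) for every flagged line."""
    hits = []
    for line in lines:
        m, reasons = LOG_RE.match(line), classify(line)
        if reasons:
            hits.append((m["ip"], m["ts"], reasons))
    return hits

# Constructed sample lines, not real traffic; the action value is a placeholder.
SAMPLE_LOG = [
    '45.61.157.120 - - [09/Nov/2025:10:12:01 +0000] "POST /wp-admin/admin-ajax.php?action=PLACEHOLDER&user_role=administrator HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [09/Nov/2025:10:12:05 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 48 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [09/Nov/2025:10:13:40 +0000] "POST /wp-admin/admin-ajax.php?user_role=%41dministrator HTTP/1.1" 200 512 "-" "curl/8.0"',
    '2602:fa59:3:424::1 - - [10/Nov/2025:02:00:13 +0000] "GET /wp-login.php?action=register HTTP/1.1" 200 3120 "-" "Mozilla/5.0"',
]
```

Run `scan()` over real log lines to list hits; a clean result only covers what the web server logged, so still audit the users table for unexpected administrators.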
Wordfence researchers are also warning of another critical vulnerability in the Advanced Custom Fields: Extended plugin, active on more than 100,000 WordPress websites, which can be exploited by an unauthenticated attacker to execute code remotely.
The flaw affects versions 0.9.0.5 through 0.9.1.1 of the plugin and is currently tracked as CVE-2025-13486. It was discovered and reported responsibly by Marcin Dudek, the head of the national computer emergency response team (CERT) in Poland.
The vulnerability is “due to the function accepting user input and then passing that through call_user_func_array(),” Wordfence explains.
“This makes it possible for unauthenticated attackers to execute arbitrary code on the server, which can be leveraged to inject backdoors or create new administrative user accounts.”
The security issue was reported on November 18, and the plugin vendor addressed it in version 0.9.2 of Advanced Custom Fields: Extended, released a day after receiving the vulnerability report.
Given that the flaw can be exploited without authentication using nothing more than a crafted request, the public disclosure of technical details is likely to generate malicious activity.
Website owners are advised to move to the latest version as soon as possible or disable the plugin on their sites.


Bill Toulas
Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.


The security landscape for WordPress websites is currently facing significant vulnerabilities, as highlighted by a recent incident involving the King Addons for Elementor plugin. This report details a critical privilege escalation flaw (CVE-2025-8489) that enabled attackers to gain administrative access to websites using the plugin. The vulnerability, discovered by Peter Thaleikis, was exploited with a crafted ‘admin-ajax.php’ request specifying ‘user_role=administrator,’ leading to the creation of rogue administrator accounts. Exploitation began on October 31 and peaked around November 9 and 10, with 28,900 and 16,900 attempts traced to two IP addresses, 45.61.157.120 and 2602:fa59:3:424::1 respectively, as documented by Wordfence.

The incident underscores a broader concern, as Wordfence researchers identified another, separate critical vulnerability within the Advanced Custom Fields: Extended plugin (CVE-2025-13486), affecting versions 0.9.0.5 through 0.9.1.1. This flaw, discovered and responsibly reported by Marcin Dudek, allows unauthenticated attackers to execute arbitrary code on the server via the function accepting user input and passing it through call_user_func_array(). This highlights the potential for remote code execution in previously vulnerable plugins.

The timeline of events is crucial: the initial flaw in King Addons was publicly disclosed on October 31, followed by a surge in exploitation activity. The Advanced Custom Fields: Extended vulnerability was reported on November 18, and version 0.9.2 of the plugin, addressing this issue, was released a day later. Given the ease of exploitation – only requiring a crafted request – the public disclosure of technical details likely triggered a significant increase in malicious activity, further emphasizing the importance of rapid response and proactive security measures.

The immediate recommendations from Wordfence are to upgrade to version 51.1.35 of King Addons and/or disable the plugin entirely for impacted websites. Monitoring website logs for the presence of new administrator accounts is strongly advised. This incident serves as a broader reminder for WordPress users to maintain vigilance, regularly update all plugins, and implement robust security practices.

Furthermore, the details surrounding this event reinforce the need for comprehensive vulnerability management strategies, particularly when utilizing third-party plugins. It is important to note that this is part of an ongoing pattern of vulnerabilities within WordPress plugins, stressing the need for diligence and careful selection of approved and well-maintained plugins, alongside active monitoring for emerging threats.