A critical security flaw in the King Addons for Elementor plugin is being actively exploited, allowing attackers to gain full administrator access to WordPress sites.
The vulnerability, tracked as CVE-2025-8489, was publicly disclosed on October 30, and malicious activity began almost immediately the following day. Wordfence, a security platform from Defiant, reports that it has already blocked more than 48,400 attempts to exploit the issue.
King Addons is a third-party extension used by around 10,000 sites to enhance Elementor with extra widgets, templates, and features. Researcher Peter Thaleikis discovered that the plugin’s registration handler failed to enforce role restrictions. This means anyone registering on a site could choose the administrator role by sending a crafted admin-ajax.php request.
According to Wordfence, attackers are abusing this flaw by sending requests that include “user_role=administrator,” allowing them to create rogue admin accounts. The highest activity was recorded between November 9 and 10, with two IP addresses standing out: 45.61.157.120, which made nearly 29,000 attempts, and 2602:fa59:3:424::1, which made almost 17,000 attempts.
Website owners using King Addons should check server logs for suspicious IP addresses and look for any newly created administrator accounts they did not authorize. Updating the plugin to version 51.1.35, released on September 25, fully addresses the issue.
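The two checks recommended above, written out as an added example (this is not code from the article, Wordfence, or the King Addons project). It scans web-server access-log lines for admin-ajax.php requests that set `user_role=administrator` and counts them per client IP, then lists administrator accounts registered on or after the October 30 disclosure date. The log lines, user records and the `action=placeholder_register` parameter are constructed sample data; the plugin's real AJAX action name is not given in the article. One caveat a practitioner should keep in mind: access logs record only the query string, so a `user_role` parameter sent in a POST body will not appear there, and that form of the request can only be seen by a firewall or request-body logging such as Wordfence used for its counts.

```python
"""Triage helpers for the King Addons role-escalation pattern (CVE-2025-8489).

Added example, not the plugin's or Wordfence's code. All sample data below is
constructed; the two IP addresses are the ones the article attributes to Wordfence.
"""
import re
from collections import Counter
from datetime import date, datetime
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" log format: client ident user [time] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

DISCLOSURE_DATE = date(2025, 10, 30)  # public disclosure date given in the article

# Constructed sample access-log lines (not real traffic). "action=placeholder_register"
# stands in for the plugin's AJAX action, which the article does not name.
SAMPLE_LOG = """\
45.61.157.120 - - [09/Nov/2025:03:14:07 +0000] "POST /wp-admin/admin-ajax.php?action=placeholder_register&user_role=administrator HTTP/1.1" 200 512
45.61.157.120 - - [09/Nov/2025:03:14:09 +0000] "POST /wp-admin/admin-ajax.php?action=placeholder_register&user_role=administrator HTTP/1.1" 200 512
2602:fa59:3:424::1 - - [10/Nov/2025:11:02:55 +0000] "POST /wp-admin/admin-ajax.php?user_role=Administrator HTTP/1.1" 200 498
203.0.113.7 - - [10/Nov/2025:11:05:01 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 88
198.51.100.2 - - [10/Nov/2025:12:00:00 +0000] "GET /contact/?user_role=administrator HTTP/1.1" 200 7321
"""

# Constructed user records in the shape of `wp user list --fields=ID,user_login,roles,user_registered`.
SAMPLE_USERS = [
    {"ID": 1, "user_login": "owner", "roles": "administrator", "user_registered": "2023-05-02 09:12:44"},
    {"ID": 57, "user_login": "editor_jo", "roles": "editor", "user_registered": "2025-11-01 10:00:00"},
    {"ID": 58, "user_login": "sysadm1n", "roles": "administrator", "user_registered": "2025-11-09 03:14:10"},
    {"ID": 59, "user_login": "wp-support", "roles": "administrator", "user_registered": "2025-11-10 11:02:58"},
]


def suspicious_role_requests(log_text):
    """Count, per client IP, the admin-ajax.php requests whose query string sets
    user_role to administrator (case-insensitive). Only the query string is
    visible in access logs; a user_role in a POST body is not caught here."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        url = urlsplit(m.group("path"))
        if not url.path.endswith("/wp-admin/admin-ajax.php"):
            continue  # the vulnerable registration handler is reached via admin-ajax.php
        roles = parse_qs(url.query).get("user_role", [])
        if any(r.lower() == "administrator" for r in roles):
            hits[m.group("ip")] += 1
    return hits


def unexpected_admins(users, since=DISCLOSURE_DATE, known=("owner",)):
    """Return logins of administrator accounts registered on/after `since`
    that are not in the owner's list of known admin logins."""
    flagged = []
    for u in users:
        if "administrator" not in u["roles"].split(","):
            continue
        registered = datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S").date()
        if registered >= since and u["user_login"] not in known:
            flagged.append(u["user_login"])
    return flagged


if __name__ == "__main__":
    for ip, n in suspicious_role_requests(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} admin-ajax.php request(s) with user_role=administrator")
    print("administrator accounts to verify:", unexpected_admins(SAMPLE_USERS))
```

On a real site, feed the function the contents of the access log and the output of `wp user list --role=administrator --fields=ID,user_login,roles,user_registered --format=json`; any login the flagged list returns that the site owner did not create should be treated as a compromise indicator, not merely deleted, since the attacker may have added other persistence.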
A second critical vulnerability is also affecting another popular WordPress plugin, Advanced Custom Fields: Extended, which is active on more than 100,000 websites. Tracked as CVE-2025-13486, this flaw allows unauthenticated attackers to execute code remotely on the server. Versions 0.9.0.5 through 0.9.1.1 are vulnerable due to user input being passed to call_user_func_array(), creating a path for remote code execution.
The issue was reported on November 18 by Marcin Dudek, head of Poland’s national CERT. The developer released a fix the next day in version 0.9.2. With the vulnerability requiring only a crafted request to exploit, researchers expect a rise in malicious activity following the public disclosure.
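The bug class behind the second flaw, user input reaching `call_user_func_array()`, is easiest to see next to its fix. The following is an added example that recasts the pattern in Python; it is not the plugin's PHP, and the request shape (`{"callback": "...", "args": [...]}`) and function names are assumptions. The unsafe dispatcher resolves whatever callable name the request supplies, which is why a single crafted request suffices; the hardened one only dispatches names from a fixed allowlist, so a request can select which intended handler runs but can never introduce a new target.

```python
"""Allowlisted dispatch vs. user-controlled callable resolution.

Added example illustrating the CVE-2025-13486 bug class; not the plugin's code.
The request format and handler names are constructed for the example.
"""
import importlib
import json


def dispatch_unsafe(callback_name, args):
    """Vulnerable pattern: resolve an arbitrary dotted name supplied by the client
    and call it. This is the Python analogue of handing request data straight to
    call_user_func_array(); any importable callable becomes reachable."""
    module_name, _, attr = callback_name.rpartition(".")
    target = getattr(importlib.import_module(module_name), attr)
    return target(*args)


# Hardened pattern: the complete set of callables a request may select,
# keyed by a public name that is never interpreted as a code reference.
ALLOWED_CALLBACKS = {
    "field.upper": str.upper,
    "field.strip": str.strip,
    "field.length": len,
}


def dispatch_safe(callback_name, args):
    """Look the public name up in the allowlist; anything else is rejected
    before any call is made, so the client cannot name code of its choosing."""
    try:
        target = ALLOWED_CALLBACKS[callback_name]
    except KeyError:
        raise ValueError(f"callback {callback_name!r} is not permitted") from None
    return target(*args)


def handle_request(raw_json):
    """Constructed AJAX-style entry point taking {"callback": "...", "args": [...]}.
    Returns (ok, value) instead of raising so it can sit behind an HTTP handler
    and answer a malformed or disallowed request with an error, not a traceback."""
    try:
        req = json.loads(raw_json)
        result = dispatch_safe(str(req["callback"]), list(req.get("args", [])))
        return True, result
    except (ValueError, KeyError, TypeError) as exc:
        return False, str(exc)


if __name__ == "__main__":
    # The unsafe resolver reaches a harmless stdlib function the handler never intended to expose.
    print("unsafe:", dispatch_unsafe("math.sqrt", [16]))
    # The allowlisted handler serves intended names and refuses everything else.
    print("safe  :", handle_request('{"callback": "field.upper", "args": ["hello"]}'))
    print("safe  :", handle_request('{"callback": "math.sqrt", "args": [16]}'))
```

The fix is the same in PHP: map the client-supplied name through a fixed array of permitted callables (or a `switch`) and pass only the looked-up value to `call_user_func_array()`, never the request string itself.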
Website administrators using either plugin should update immediately or disable the plugins until patches can be applied to avoid potential compromise.