
The Admin Shortcut: King Addons Flaw Under Fire

Red | Vulnerability Report


A critical vulnerability in the King Addons for Elementor WordPress plugin, tracked as CVE-2025-8489, is under widespread exploitation. It lets an unauthenticated attacker register a new account that carries the administrator role, which amounts to a complete site takeover. The flaw was discovered on July 24, 2025, and affects plugin versions 24.12.92 through 51.1.14, installed on more than 10,000 WordPress sites. A patched release was published on September 25, 2025, yet mass exploitation began in late October, with more than 48,400 malicious attempts blocked so far. Site owners should update the plugin immediately and audit their administrator accounts for users they did not create.

Vulnerability Details

Critical Privilege Escalation Flaw Enables Unauthorized Admin Access

CVE-2025-8489 is a privilege escalation flaw in the King Addons for Elementor plugin that requires no credentials to exploit. The plugin's user registration flow, handled by the handle_register_ajax() function, is missing a validation check on the requested role: the registration request itself can name the administrator role, and the plugin creates the account with that role instead of assigning the site's default. Anyone who can reach the registration endpoint can therefore hand themselves full control of the site. The vulnerability was first identified on July 24, 2025, and affects more than 10,000 WordPress installations worldwide.
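The bug class described above, as a constructed PHP illustration added to this advisory (it is not the King Addons source, and the hook name, POST field names and the role allow-list are assumptions): a public admin-ajax registration handler that copies a role from the request, next to a hardened version that decides the role server-side. Note that the nonce check in the fixed handler is a CSRF control only; an unauthenticated attacker can read the nonce off the page, so the fix has to be that client input never reaches the role decision.

```php
<?php
/*
 * Constructed illustration of the CVE-2025-8489 bug class: a public AJAX
 * registration handler that lets the request choose the new user's role.
 * This is NOT the King Addons source; the action name, field names and
 * the allow-list below are assumptions made for the example.
 */

// --- Vulnerable pattern --------------------------------------------------
// 'wp_ajax_nopriv_*' hooks run for logged-out visitors, so any HTTP client
// can POST action=example_register to /wp-admin/admin-ajax.php.
add_action( 'wp_ajax_nopriv_example_register', 'example_register_vulnerable' );

function example_register_vulnerable() {
    $login = sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ) );
    $email = sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) );
    $pass  = (string) wp_unslash( $_POST['user_password'] ?? '' );

    // BUG: the role is taken from the request. sanitize_text_field() only
    // strips tags and whitespace; it does nothing against role=administrator.
    $role = sanitize_text_field( wp_unslash( $_POST['user_role'] ?? 'subscriber' ) );

    $user_id = wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => $pass,
        'role'       => $role,   // becomes 'administrator' if the attacker says so
    ) );

    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( array( 'message' => $user_id->get_error_message() ), 400 );
    }
    wp_send_json_success( array( 'user_id' => $user_id ) );
}

// --- Hardened pattern ----------------------------------------------------
add_action( 'wp_ajax_nopriv_example_register_fixed', 'example_register_fixed' );

function example_register_fixed() {
    // Nonce: stops cross-site requests riding a victim's browser. It is NOT
    // an authorization check: an attacker can load the page and read the
    // nonce, so nothing below may trust the client because the nonce passed.
    check_ajax_referer( 'example_register', 'nonce' );

    if ( ! get_option( 'users_can_register' ) ) {
        wp_send_json_error( array( 'message' => 'Registration is disabled.' ), 403 );
    }

    $login = sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ), true );
    $email = sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) );
    $pass  = (string) wp_unslash( $_POST['user_password'] ?? '' );

    if ( '' === $login || ! is_email( $email ) || strlen( $pass ) < 12 ) {
        wp_send_json_error( array( 'message' => 'Invalid registration data.' ), 400 );
    }

    // FIX: the role is decided server-side. Start from the site's configured
    // default role and refuse anything outside an explicit low-privilege
    // allow-list, so even a misconfigured default_role cannot hand out admin.
    // Any user_role field the client sent is simply never read.
    $allowed = array( 'subscriber', 'customer' ); // assumed: roles this site grants on self-registration
    $role    = get_option( 'default_role', 'subscriber' );
    if ( ! in_array( $role, $allowed, true ) ) {
        $role = 'subscriber';
    }

    $user_id = wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => $pass,
        'role'       => $role,
    ) );

    if ( is_wp_error( $user_id ) ) {
        // Generic message: do not echo WP_Error text that reveals which usernames exist.
        wp_send_json_error( array( 'message' => 'Registration failed.' ), 400 );
    }
    wp_send_json_success( array( 'user_id' => $user_id ) );
}
```

The same rule applies to any code path that later calls WP_User::set_role() or add_role(): the role must come from server-side configuration or from a capability check on the acting user (current_user_can( 'promote_users' )), never from the request body of an unauthenticated endpoint.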

Affected Versions and Attack Capabilities

King Addons for Elementor versions 24.12.92 through 51.1.14 contain the privilege escalation flaw tracked as CVE-2025-8489. An attacker holding an administrator account owns the site: they can alter content, run spam campaigns, upload arbitrary files (in WordPress, an administrator can install plugins and themes, so this includes PHP and therefore code execution on the server), or redirect visitors to malicious destinations. The weakness is classified as CWE-269 (Improper Privilege Management): the server trusts a client-supplied role instead of deciding the new account's privileges itself, so no authentication is bypassed; the privilege is simply handed over on request.

Exploitation Timeline and Mass Attack Campaign

The fixed release of King Addons shipped on September 25, 2025. Public disclosure of CVE-2025-8489 followed on October 30, 2025, and the first exploitation attempts were observed the next day, October 31, intensifying through early November; security researchers have documented more than 48,400 blocked attempts. Many sites had still not updated in the five weeks between patch and disclosure, which gave attackers a large pool of targets once the details were public. The CISA KEV catalog added the vulnerability on October 31, 2025, reflecting active exploitation in the wild and the need to patch immediately.

Urgent Remediation Required for WordPress Site Protection

Because exploitation is ongoing, administrators should update immediately to version 51.1.35 or later and verify that no administrator accounts exist that they did not create. Patching stops new account creation but does not remove accounts, files or sessions an attacker already established, so a site that ran a vulnerable version while exposed should be treated as potentially compromised and, if unauthorized changes are found, handled through incident response or professional cleanup. WordPress sites remain attractive targets, and timely plugin patching, security monitoring and regular administrator account audits are the routine controls that keep a flaw like this from becoming a takeover.

Recommendations

Update the Plugin Immediately: Install King Addons for Elementor 51.1.35 or later without delay. This release fixes CVE-2025-8489, and updating is the fastest way to stop further administrator accounts from being created through the flaw.

Review Your User Accounts: Check the WordPress user list for administrator accounts you do not recognize, paying particular attention to any registered after the September 25, 2025 patch date. Remove suspicious accounts, reset the passwords of all trusted administrators, and invalidate their active sessions so that a session an attacker obtained does not survive the password change. Also check for non-administrator users that have been granted administrative capabilities.

Back Up Your Site Regularly: Create automatic daily WordPress backups so you can quickly restore your site if anything goes wrong due to King Addons exploitation. Store WordPress backups in secure off-site locations and not on your live server to ensure recovery capabilities after security incidents.

Vulnerability Management: WordPress administrators should regularly assess and update software to address known vulnerabilities like CVE-2025-8489. Maintain an inventory of WordPress plugin versions and security patches, and evaluate the security practices of third-party plugin vendors, especially for critical applications and services that could enable privilege escalation.
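The version check and account audit from the recommendations above, as an added PHP script for this advisory (constructed example, not Hive Pro's or the plugin vendor's code). It is meant to run inside WordPress, for instance with WP-CLI as wp eval-file audit-king-addons.php. Assumptions: the plugin's main file is at king-addons/king-addons.php, any administrator registered on or after the patch date deserves review, and the version bounds are the ones this advisory lists.

```php
<?php
/*
 * Added post-exploitation audit for a site that ran King Addons. Constructed
 * example, not Hive Pro's or the plugin vendor's code. Run it inside
 * WordPress, for example:  wp eval-file audit-king-addons.php
 * Assumptions: the plugin's main file lives at king-addons/king-addons.php,
 * and any administrator registered on or after the patch date needs review.
 */

$patch_date  = '2025-09-25 00:00:00';          // fixed release date from the advisory
$fixed_ver   = '51.1.35';                      // first fixed version per the advisory
$first_vuln  = '24.12.92';                     // oldest affected version per the advisory
$plugin_file = 'king-addons/king-addons.php';  // ASSUMED slug and main file

// 1. Is an affected build of the plugin still installed?
require_once ABSPATH . 'wp-admin/includes/plugin.php';
$path = WP_PLUGIN_DIR . '/' . $plugin_file;
if ( file_exists( $path ) ) {
    $ver      = get_plugin_data( $path, false, false )['Version'];
    $affected = version_compare( $ver, $first_vuln, '>=' ) && version_compare( $ver, $fixed_ver, '<' );
    printf( "[%s] King Addons %s installed (fixed in %s)\n", $affected ? 'VULNERABLE' : 'ok', $ver, $fixed_ver );
} else {
    printf( "[warn] %s not found; check the plugin slug or confirm the plugin was removed\n", $path );
}

// 2. Every administrator, newest first, flagged when created after the patch date.
//    An administrator you did not create is the primary sign of this exploit.
$admins = get_users( array(
    'role'    => 'administrator',
    'orderby' => 'registered',
    'order'   => 'DESC',
) );
foreach ( $admins as $u ) {
    $flag = ( $u->user_registered >= $patch_date ) ? 'REVIEW' : 'ok';
    printf( "[%s] ID=%d login=%s email=%s registered=%s\n",
        $flag, $u->ID, $u->user_login, $u->user_email, $u->user_registered );
}

// 3. Users who hold manage_options without being in the administrator role:
//    an attacker may have attached the capability to a custom or renamed role.
//    The 'capability' query argument exists in WP_User_Query since WordPress 5.9.
$privileged = get_users( array(
    'capability'   => 'manage_options',
    'role__not_in' => array( 'administrator' ),
) );
foreach ( $privileged as $u ) {
    printf( "[REVIEW] ID=%d login=%s has manage_options via roles: %s\n",
        $u->ID, $u->user_login, implode( ',', $u->roles ) );
}

// 4. Optional containment: log every administrator out everywhere so that a
//    session an attacker created or stole dies before passwords are rotated.
//    Flip to true only after reading the listing above.
$invalidate_sessions = false;
if ( $invalidate_sessions ) {
    foreach ( $admins as $u ) {
        WP_Session_Tokens::get_instance( $u->ID )->destroy_all();
        printf( "[done] destroyed all sessions for %s\n", $u->user_login );
    }
}
```

Delete confirmed rogue accounts with wp user delete <id> --reassign=<trusted-id> so any content they created is not silently dropped, and rotate the remaining administrators' passwords afterwards. On a multisite network the audit also needs get_super_admins(), since network administrators are stored separately from per-site roles.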

Indicators of Compromise (IoCs)

IPv4 Addresses: 45[.]61[.]157[.]120, 182[.]8[.]226[.]228, 138[.]199[.]21[.]230, 206[.]238[.]221[.]25

IPv6 Address: 2602[:]fa59[:]3[:]424[::]1

These addresses have been associated with active exploitation attempts against CVE-2025-8489 and can be blocked at the WordPress firewall and network level. Treat the list as a snapshot: attackers rotate infrastructure quickly, and blocking known sources is no substitute for updating the plugin and auditing accounts.

MITRE ATT&CK TTPs

The King Addons vulnerability exploitation demonstrates tactics spanning Resource Development (TA0042), Initial Access (TA0001) through Exploit Public-Facing Application (T1190), Persistence (TA0003) via Create Account (T1136), and Privilege Escalation (TA0004) through Exploitation for Privilege Escalation (T1068). Attackers also utilize Obtain Capabilities (T1588) and specifically target Vulnerabilities (T1588.006) in WordPress plugins to achieve unauthorized administrative access and complete site compromise.

References

https://www.wordfence.com/blog/2025/12/attackers-actively-exploiting-critical-vulnerability-in-king-addons-for-elementor-plugin/
