A severe security flaw in the King Addons for Elementor WordPress plugin has come under active exploitation, putting thousands of websites at risk.
The vulnerability, tracked as CVE-2025-8489 with a CVSS score of 9.8, allows unauthenticated attackers to escalate privileges by registering directly as administrators. The issue stems from the plugin’s failure to restrict user roles during registration, enabling attackers to craft HTTP requests that assign themselves elevated access.
• Affected versions: 24.12.92 through 51.1.14
• Patched version: 51.1.35 (released September 25, 2025)
• Discovery: Credited to security researcher Peter Thaleikis
• Active installs: Over 10,000 sites
Wordfence explained that the flaw is rooted in the insecure implementation of the function that processes user registration requests. By exploiting this weakness, attackers can seize control of vulnerable sites, upload malicious code, redirect visitors to fraudulent domains, or inject spam content.
Since public disclosure in late October 2025, Wordfence has blocked more than 48,400 exploit attempts, including 75 attacks in the past 24 hours. The company noted that exploitation began as early as October 31, with mass campaigns ramping up by November 9. Attacks have been traced to IP addresses such as:
• 45.61.157.120
• 182.8.226.228
• 138.199.21.230
• 206.238.221.25
• 2602:fa59:3:424::1
Recommended Actions for Site Owners
Administrators are strongly advised to:
• Update immediately to version 51.1.35 or later
• Audit environments for suspicious administrator accounts
• Monitor for unusual activity or signs of compromise
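To make the first two actions concrete, here is an added triage helper (not code from the article, Wordfence, or the plugin). The version bounds and the October 31 exploitation start come from the advisory above; the user records and the approved-admin list are constructed sample data, and the row shape (user_login, roles, user_registered) is an assumption about how a site owner would export users.

```python
from datetime import datetime, timezone

# Version bounds stated in the advisory.
AFFECTED_MIN = (24, 12, 92)   # first affected release
AFFECTED_MAX = (51, 1, 14)    # last affected release
PATCHED = (51, 1, 35)         # fixed release, 2025-09-25
# Wordfence observed exploitation beginning on 2025-10-31.
EXPLOIT_START = datetime(2025, 10, 31, tzinfo=timezone.utc)


def parse_version(v: str) -> tuple:
    """Turn '51.1.14' into a comparable tuple; missing parts count as 0."""
    parts = [int(p) for p in v.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable(version: str) -> bool:
    """True when the installed King Addons version falls in the affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def suspicious_admins(users, known_admins, since=EXPLOIT_START):
    """Flag administrator accounts that are not on the approved list or were
    registered on/after the exploitation window. Each user is a dict with
    user_login, roles (list or comma-separated string) and user_registered."""
    flagged = []
    for u in users:
        roles = u["roles"] if isinstance(u["roles"], list) else u["roles"].split(",")
        if "administrator" not in roles:
            continue
        registered = datetime.fromisoformat(u["user_registered"]).replace(tzinfo=timezone.utc)
        reasons = []
        if u["user_login"] not in known_admins:
            reasons.append("not in approved admin list")
        if registered >= since:
            reasons.append("registered during exploitation window")
        if reasons:
            flagged.append((u["user_login"], reasons))
    return flagged


# Constructed sample rows (not real accounts).
SAMPLE_USERS = [
    {"user_login": "owner", "roles": ["administrator"], "user_registered": "2023-02-01 10:00:00"},
    {"user_login": "editor1", "roles": "editor", "user_registered": "2025-11-02 03:14:00"},
    {"user_login": "wp_support_88", "roles": "administrator", "user_registered": "2025-11-09 01:22:17"},
]

if __name__ == "__main__":
    print("installed 51.1.14 vulnerable:", is_vulnerable("51.1.14"))
    for login, why in suspicious_admins(SAMPLE_USERS, {"owner"}):
        print(login, "->", "; ".join(why))
```

Any account the script flags should be verified against your change records before removal, since legitimate admins added after October 31 will also match the date rule.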
This incident underscores the importance of timely patching and vigilant monitoring, especially for widely used plugins that can become prime targets for attackers.