Critical Elementor Plugin Vulnerability Puts Thousands of WordPress Sites at Risk

Today, the WordPress ecosystem serves as the backbone for millions of websites worldwide. Yet even a small flaw in a seemingly minor plugin can trigger serious consequences. Recently, such a situation unfolded when a critical vulnerability discovered in the popular “King Addons for Elementor” plugin exposed thousands of websites to potential compromise.

The vulnerability, registered as CVE-2025-8489 with a 9.8 Critical CVSS score, is categorized among the most severe. More concerning is the fact that attackers do not need authentication to exploit it: by sending a specially crafted request, they can create a new administrator-level account and gain complete control over a website.

How the Vulnerability Works

In plugin versions 24.12.92 through 51.1.14, the user registration mechanism contained a critical flaw: it did not restrict which roles could be assigned to a newly created account.

By sending a crafted request to admin-ajax.php with the parameter:

user_role=administrator

an attacker could create a new account with full administrative privileges — without logging in, providing credentials, or having any prior access.

Once inside, a threat actor can:

  • modify all site content,
  • install malicious plugins or themes,
  • plant hidden backdoors,
  • redirect users to phishing or harmful websites,
  • spread spam and malicious content.

In short — the site can be completely taken over.
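The flaw described above is a failure to validate a privileged field on a self-registration path. The following is an added illustration in Python, not code from the King Addons plugin, contrasting a handler that stores whatever role the request names with one that allowlists the roles a visitor may self-assign and honours other roles only for a caller who already holds a user-creation capability. The `User` and `Caller` types and the two role sets are assumptions made for the illustration; the role names are WordPress's default roles.

```python
# Added illustration (not King Addons code): why a self-registration endpoint
# must never take the new account's role from the request.
from dataclasses import dataclass

# Roles a visitor may self-register as; anything else needs a privileged caller.
SELF_REGISTER_ROLES = {"subscriber"}
# Roles a privileged caller may assign (WordPress default roles).
ALL_ROLES = {"subscriber", "contributor", "author", "editor", "administrator"}


@dataclass
class User:
    login: str
    role: str


@dataclass
class Caller:
    """Who is making the request (assumed model of the calling session)."""
    authenticated: bool = False
    can_create_users: bool = False  # analogous to WordPress's 'create_users' capability


def register_vulnerable(params: dict) -> User:
    """Vulnerable pattern: the role named in the request is stored verbatim.

    An unauthenticated request carrying user_role=administrator therefore
    yields an administrator account.
    """
    return User(params["user_login"], params.get("user_role", "subscriber"))


def register_hardened(params: dict, caller: Caller) -> User:
    """Hardened pattern: the role is checked against an allowlist chosen by
    the caller's privilege, and an over-privileged request is rejected loudly
    rather than silently downgraded, so the attempt is visible in logs."""
    requested = params.get("user_role", "subscriber")
    if caller.authenticated and caller.can_create_users:
        if requested not in ALL_ROLES:
            raise ValueError(f"unknown role {requested!r}")
        return User(params["user_login"], requested)
    if requested not in SELF_REGISTER_ROLES:
        raise PermissionError(f"role {requested!r} cannot be self-assigned")
    return User(params["user_login"], requested)
```

The hardened handler rejects rather than downgrades: a request asking for `administrator` from an anonymous caller is exactly the event a site owner wants recorded, not quietly turned into a subscriber.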

Active Exploitation Already Underway

Following public disclosure on October 30, 2025, attackers quickly began exploiting the flaw. According to Wordfence, its firewall has already recorded more than 48,400 exploitation attempts linked to this vulnerability.

The most active attacking IP addresses include:

IP Address            Blocked Requests
45.61.157.120         28,900+
2602:fa59:3:424::1    16,900+
182.8.226.228         300+
138.199.21.230        100+
206.238.221.25        100+

A significant spike in attacks was observed on November 9–10, 2025.

Mitigation and Protective Measures

The plugin developer released a patched version, 51.1.35, on September 25, 2025.
Wordfence deployed firewall rules for Premium users on August 4, and for free users on September 3.

If your website uses this plugin, immediate action is required:

1. Update the plugin to the latest version

Vulnerable versions: 24.12.92 through 51.1.14
Patched version: 51.1.35

2. Review all administrator accounts

Remove any unfamiliar or suspicious accounts immediately.

3. Analyze server and access logs

Look for suspicious requests, especially from the identified attack IP addresses.

4. Check for unauthorized changes to content, themes, or plugins

5. If you suspect a compromise, contact security professionals

Incident response and cleanup may be necessary to fully restore site integrity.
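Steps 2 and 3 above can be partly automated. The script below is an added example, not a tool from Wordfence or the plugin vendor, that scans web server access log lines for requests matching this vulnerability and audits an administrator list exported with WP-CLI (`wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=json`). The log lines and the account export are constructed for the example (the non-Wordfence addresses are documentation ranges); the attack IPs and the October 30, 2025 disclosure date come from the article. One caveat the example accounts for: access logs record query-string parameters but not POST bodies, so a `user_role=administrator` sent in the body only shows up as a POST to admin-ajax.php, which is why the scan also flags such POSTs from the known attack IPs.

```python
# Added example: triage a WordPress site for CVE-2025-8489 activity using
# (a) the web server access log and (b) a WP-CLI export of admin accounts.
import json
import re
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Public disclosure date given in the article.
DISCLOSURE = datetime(2025, 10, 30, tzinfo=timezone.utc)

# Attacking IP addresses reported by Wordfence for this vulnerability.
KNOWN_ATTACK_IPS = {"45.61.157.120", "2602:fa59:3:424::1", "182.8.226.228",
                    "138.199.21.230", "206.238.221.25"}

# Apache/nginx combined log format (client IP, timestamp, request line, status).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: one attack hit that got a 200, one benign heartbeat,
# one attempt from an unlisted IP that the firewall answered with 403.
SAMPLE_LOG = """\
45.61.157.120 - - [09/Nov/2025:03:12:44 +0000] "POST /wp-admin/admin-ajax.php?user_role=administrator HTTP/1.1" 200 512
203.0.113.7 - - [09/Nov/2025:03:13:01 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 88
198.51.100.9 - - [09/Nov/2025:03:14:20 +0000] "POST /wp-admin/admin-ajax.php?user_role=administrator HTTP/1.1" 403 0
"""


def scan_access_log(lines):
    """Return the admin-ajax.php requests that match this vulnerability.

    A hit with status 200 deserves follow-up (the request reached the plugin);
    a 403 most likely means a firewall rule blocked it.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, url = m["ip"], urlsplit(m["path"])
        if not url.path.endswith("/admin-ajax.php"):
            continue
        reasons = []
        if "administrator" in parse_qs(url.query).get("user_role", []):
            reasons.append("user_role=administrator in query string")
        if ip in KNOWN_ATTACK_IPS and m["method"] == "POST":
            # POST bodies are not logged, so the source address is the signal.
            reasons.append("POST to admin-ajax.php from known attack IP")
        if reasons:
            hits.append({"ip": ip, "time": m["ts"],
                         "status": int(m["status"]), "reasons": reasons})
    return hits


# Constructed WP-CLI output: one long-standing owner, one account created
# during the November attack spike.
SAMPLE_ADMINS = json.dumps([
    {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.com",
     "user_registered": "2021-03-14 10:02:11"},
    {"ID": 57, "user_login": "wpsupport_tmp", "user_email": "x@example.net",
     "user_registered": "2025-11-09 03:12:45"},
])


def audit_admins(wp_cli_json, expected_logins, since=DISCLOSURE):
    """Flag administrators not on the approved list or registered on/after
    `since`. A stricter `since` is the date the vulnerable version was installed."""
    suspicious = []
    for u in json.loads(wp_cli_json):
        registered = datetime.strptime(
            u["user_registered"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        reasons = []
        if u["user_login"] not in expected_logins:
            reasons.append("login not in approved administrator list")
        if registered >= since:
            reasons.append("registered on or after public disclosure")
        if reasons:
            suspicious.append({"ID": u["ID"], "login": u["user_login"],
                               "reasons": reasons})
    return suspicious


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG.splitlines()):
        print("log hit:", hit)
    for acct in audit_admins(SAMPLE_ADMINS, {"siteowner"}):
        print("suspicious admin:", acct)
```

Run it against a real site by replacing `SAMPLE_LOG` with the access log contents and `SAMPLE_ADMINS` with the WP-CLI output; the approved-login set should come from your own records, not from the current user table, since an attacker-created account would otherwise approve itself.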

The discovery of this vulnerability in “King Addons for Elementor” demonstrates once again how even a small weakness in the WordPress ecosystem can lead to severe consequences. With tens of thousands of exploitation attempts already recorded, the threat is both real and urgent.

Timely updates, administrator oversight, log monitoring, and continuous security checks are essential steps to protect websites and prevent full-scale compromise.