Critical vulnerabilities in Elementor King Addons plugin affect 10,000 WordPress sites
Summary
The Elementor King Addons plugin, used by over 10,000 WordPress sites, has two unauthenticated critical vulnerabilities that can lead to full site takeover: an arbitrary file upload flaw (CVE-2025-6327) and a privilege escalation issue (CVE-2025-6325). The vendor has released version 51.1.37 to address them. The arbitrary file upload vulnerability lets attackers place files in web-accessible directories because of improper nonce handling and file validation; the privilege escalation flaw lets attackers create administrator accounts through the registration endpoint. Separately, a critical flaw in the same plugin, CVE-2025-8489 (CVSS score: 9.8), is under active exploitation and allows unauthenticated attackers to grant themselves administrative privileges. It affects versions 24.12.92 through 51.1.14 and was patched in version 51.1.35, released on September 25, 2025. The plugin's registration handler lets anyone signing up choose their own user role, including administrator, without any restriction; attackers send a crafted request to 'admin-ajax.php' with 'user_role=administrator' to create rogue admin accounts on targeted sites. Exploitation peaked between November 9 and 10, with two IP addresses being the most active: 45.61.157.120 (28,900 attempts) and 2602:fa59:3:424::1 (16,900 attempts). Wordfence provides a list of attacking IP addresses and recommends that website administrators search their log files for them. Site administrators should update the plugin immediately, audit their environments for suspicious admin users, and monitor for signs of abnormal activity.
Timeline
03.12.2025 19:08 · 2 articles
Active exploitation of privilege escalation flaw in Elementor King Addons plugin
A critical security flaw, CVE-2025-8489, is under active exploitation, allowing unauthenticated attackers to grant themselves administrative privileges. The vulnerability affects versions from 24.12.92 through 51.1.14 and was patched in version 51.1.35, released on September 25, 2025. Wordfence has blocked over 48,400 exploit attempts since the flaw was publicly disclosed in late October 2025. Attackers may have started actively targeting this vulnerability as early as October 31, 2025, with mass exploitation starting on November 9, 2025. The flaw in the plugin's registration handler allows anyone signing up to specify their own user role on the website, including the administrator role, without any restriction being enforced. Attackers send a crafted 'admin-ajax.php' request specifying 'user_role=administrator' to create rogue admin accounts on targeted sites. The peak in exploitation activity occurred between November 9 and 10, with two IP addresses being the most active: 45.61.157.120 (28,900 attempts) and 2602:fa59:3:424::1 (16,900 attempts). Wordfence provides a list of attacking IP addresses and recommends that website administrators search their log files for them. Site administrators are advised to audit their environments for any suspicious admin users and monitor for any signs of abnormal activity.
Sources:
- WordPress King Addons Flaw Under Active Attack Lets Hackers Make Admin Accounts — thehackernews.com — 03.12.2025 19:08
- Critical flaw in WordPress add-on for Elementor exploited in attacks — www.bleepingcomputer.com — 03.12.2025 23:31
30.10.2025 18:45 · 2 articles
Critical vulnerabilities in Elementor King Addons plugin disclosed
Two unauthenticated critical vulnerabilities were discovered in the Elementor King Addons plugin, affecting over 10,000 WordPress sites. The flaws are an arbitrary file upload vulnerability (CVE-2025-6327) and a privilege escalation issue (CVE-2025-6325). The vendor's fix, released as version 51.1.37, adds role allowlists, input sanitization, and strict file type validation. Site administrators should update the plugin immediately to mitigate the risk of full site compromise. Additionally, a critical security flaw in the same plugin, CVE-2025-8489, is under active exploitation, allowing unauthenticated attackers to grant themselves administrative privileges. That vulnerability affects versions from 24.12.92 through 51.1.14 and was patched in version 51.1.35, released on September 25, 2025.
Sources:
- Critical Flaws Found in Elementor King Addons Affect 10,000 Sites — www.infosecurity-magazine.com — 30.10.2025 18:45
- WordPress King Addons Flaw Under Active Attack Lets Hackers Make Admin Accounts — thehackernews.com — 03.12.2025 19:08
Information Snippets
The Elementor King Addons plugin is used by over 10,000 WordPress sites.
First reported: 30.10.2025 18:45 · 3 sources, 3 articles. Sources:
- Critical Flaws Found in Elementor King Addons Affect 10,000 Sites — www.infosecurity-magazine.com — 30.10.2025 18:45
- WordPress King Addons Flaw Under Active Attack Lets Hackers Make Admin Accounts — thehackernews.com — 03.12.2025 19:08
- Critical flaw in WordPress add-on for Elementor exploited in attacks — www.bleepingcomputer.com — 03.12.2025 23:31
The plugin contains two unauthenticated critical vulnerabilities: an arbitrary file upload flaw (CVE-2025-6327) and a privilege escalation issue (CVE-2025-6325).
First reported: 30.10.2025 18:45 · 2 sources, 2 articles. Sources:
- Critical Flaws Found in Elementor King Addons Affect 10,000 Sites — www.infosecurity-magazine.com — 30.10.2025 18:45
- WordPress King Addons Flaw Under Active Attack Lets Hackers Make Admin Accounts — thehackernews.com — 03.12.2025 19:08
The arbitrary file upload flaw allows attackers to place files in web-accessible directories due to improper nonce handling and file validation.
First reported: 30.10.2025 18:45 · 1 source, 1 article. Sources:
- Critical Flaws Found in Elementor King Addons Affect 10,000 Sites — www.infosecurity-magazine.com — 30.10.2025 18:45
The privilege escalation flaw allows attackers to create administrator accounts by exploiting the registration endpoint.
First reported: 30.10.2025 18:45 · 2 sources, 2 articles. Sources:
- Critical Flaws Found in Elementor King Addons Affect 10,000 Sites — www.infosecurity-magazine.com — 30.10.2025 18:45
- WordPress King Addons Flaw Under Active Attack Lets Hackers Make Admin Accounts — thehackernews.com — 03.12.2025 19:08
The vendor has released version 51.1.37 to address these vulnerabilities.
First reported: 30.10.2025 18:45 · 2 sources, 2 articles. Sources:
- Critical Flaws Found in Elementor King Addons Affect 10,000 Sites — www.infosecurity-magazine.com — 30.10.2025 18:45
- WordPress King Addons Flaw Under Active Attack Lets Hackers Make Admin Accounts — thehackernews.com — 03.12.2025 19:08
The patched release includes role allowlists, input sanitization, and strict file type validation.
First reported: 30.10.2025 18:45 · 1 source, 1 article. Sources:
- Critical Flaws Found in Elementor King Addons Affect 10,000 Sites — www.infosecurity-magazine.com — 30.10.2025 18:45
Site administrators should verify the presence of the "King Addons Login | Register Form" widget and update the plugin immediately.
First reported: 30.10.2025 18:45 · 1 source, 1 article. Sources:
- Critical Flaws Found in Elementor King Addons Affect 10,000 Sites — www.infosecurity-magazine.com — 30.10.2025 18:45
A critical security flaw, CVE-2025-8489 (CVSS score: 9.8), is under active exploitation, allowing unauthenticated attackers to grant themselves administrative privileges.
First reported: 03.12.2025 19:08 · 2 sources, 2 articles. Sources:
- WordPress King Addons Flaw Under Active Attack Lets Hackers Make Admin Accounts — thehackernews.com — 03.12.2025 19:08
- Critical flaw in WordPress add-on for Elementor exploited in attacks — www.bleepingcomputer.com — 03.12.2025 23:31
The vulnerability affects versions from 24.12.92 through 51.1.14 and was patched in version 51.1.35, released on September 25, 2025.
First reported: 03.12.2025 19:08 · 2 sources, 2 articles. Sources:
- WordPress King Addons Flaw Under Active Attack Lets Hackers Make Admin Accounts — thehackernews.com — 03.12.2025 19:08
- Critical flaw in WordPress add-on for Elementor exploited in attacks — www.bleepingcomputer.com — 03.12.2025 23:31
The flaw is rooted in the "handle_register_ajax()" function, which lets attackers specify the administrator user role during registration.
First reported: 03.12.2025 19:08 · 1 source, 1 article. Sources:
- WordPress King Addons Flaw Under Active Attack Lets Hackers Make Admin Accounts — thehackernews.com — 03.12.2025 19:08
Wordfence has blocked over 48,400 exploit attempts since the flaw was publicly disclosed in late October 2025.
First reported: 03.12.2025 19:08 · 2 sources, 2 articles. Sources:
- WordPress King Addons Flaw Under Active Attack Lets Hackers Make Admin Accounts — thehackernews.com — 03.12.2025 19:08
- Critical flaw in WordPress add-on for Elementor exploited in attacks — www.bleepingcomputer.com — 03.12.2025 23:31
Attackers may have started actively targeting this vulnerability as early as October 31, 2025, with mass exploitation starting on November 9, 2025.
First reported: 03.12.2025 19:08 · 2 sources, 2 articles. Sources:
- WordPress King Addons Flaw Under Active Attack Lets Hackers Make Admin Accounts — thehackernews.com — 03.12.2025 19:08
- Critical flaw in WordPress add-on for Elementor exploited in attacks — www.bleepingcomputer.com — 03.12.2025 23:31
Site administrators are advised to audit their environments for any suspicious admin users and monitor for any signs of abnormal activity.
First reported: 03.12.2025 19:08 · 2 sources, 2 articles. Sources:
- WordPress King Addons Flaw Under Active Attack Lets Hackers Make Admin Accounts — thehackernews.com — 03.12.2025 19:08
- Critical flaw in WordPress add-on for Elementor exploited in attacks — www.bleepingcomputer.com — 03.12.2025 23:31
The flaw in the plugin's registration handler allows anyone signing up to specify their own user role on the website, including the administrator role, without any restriction being enforced.
First reported: 03.12.2025 23:31 · 1 source, 1 article. Sources:
- Critical flaw in WordPress add-on for Elementor exploited in attacks — www.bleepingcomputer.com — 03.12.2025 23:31
Attackers send a crafted 'admin-ajax.php' request specifying 'user_role=administrator' to create rogue admin accounts on targeted sites.
First reported: 03.12.2025 23:31 · 1 source, 1 article. Sources:
- Critical flaw in WordPress add-on for Elementor exploited in attacks — www.bleepingcomputer.com — 03.12.2025 23:31
The peak in exploitation activity occurred between November 9 and 10, with two IP addresses being the most active: 45.61.157.120 (28,900 attempts) and 2602:fa59:3:424::1 (16,900 attempts).
First reported: 03.12.2025 23:31 · 1 source, 1 article. Sources:
- Critical flaw in WordPress add-on for Elementor exploited in attacks — www.bleepingcomputer.com — 03.12.2025 23:31
Wordfence provides a list of attacking IP addresses and recommends that website administrators search their log files for them.
First reported: 03.12.2025 23:31 · 1 source, 1 article. Sources:
- Critical flaw in WordPress add-on for Elementor exploited in attacks — www.bleepingcomputer.com — 03.12.2025 23:31
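As an added example, not code from the page, from Wordfence or from the plugin's vendor: a Python script that applies the advice in the snippets above, namely searching access logs for the two named IP addresses, flagging requests that pass user_role=administrator to admin-ajax.php, and listing administrator accounts registered on or after October 31, 2025, the earliest date the page gives for exploitation. The log lines and user records are constructed for the example; the AJAX action name in them is a placeholder rather than the plugin's real action, and the IP set holds only the two addresses the page names (Wordfence's full list is longer).

```python
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# The two most active IPs named on the page. Assumption: this is only a seed;
# extend it from Wordfence's published indicator list.
KNOWN_ATTACKER_IPS = {"45.61.157.120", "2602:fa59:3:424::1"}

# Earliest exploitation date reported on the page.
SUSPECT_SINCE = datetime(2025, 10, 31)

# Apache/nginx "combined" access-log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def scan_access_log(lines):
    """Return one dict per suspicious log line, with the reasons it was flagged."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than fail
        ip, method, path = m["ip"], m["method"], m["path"]
        url = urlsplit(path)
        reasons = []
        # A role passed in the query string is visible in the access log.
        if parse_qs(url.query).get("user_role") == ["administrator"]:
            reasons.append("user_role=administrator in query string")
        if ip in KNOWN_ATTACKER_IPS:
            reasons.append("known attacker IP")
            # POST bodies are not written to access logs, so a POST to
            # admin-ajax.php from a known attacker IP is the strongest signal
            # available here; confirm the body via WAF or request-body logs.
            if url.path.endswith("/admin-ajax.php") and method == "POST":
                reasons.append("POST to admin-ajax.php (body not logged)")
        if reasons:
            hits.append({"ip": ip, "ts": m["ts"], "status": m["status"], "reasons": reasons})
    return hits


def audit_admins(users, since=SUSPECT_SINCE):
    """Logins of administrator accounts registered on or after `since`."""
    return [u["user_login"] for u in users
            if u["role"] == "administrator" and u["user_registered"] >= since]


# Constructed sample log: one POST from a named IP, one benign POST, one GET that
# carries the role in the query string, one unrelated hit from the other named IP.
# "placeholder_register" stands in for the plugin's real AJAX action, which the
# page does not give.
SAMPLE_LOG = [
    '45.61.157.120 - - [09/Nov/2025:03:12:44 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 57 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [09/Nov/2025:03:13:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 318 "https://example.test/" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Nov/2025:11:40:09 +0000] "GET /wp-admin/admin-ajax.php?action=placeholder_register&user_role=administrator HTTP/1.1" 200 57 "-" "curl/8.4.0"',
    '2602:fa59:3:424::1 - - [10/Nov/2025:11:41:22 +0000] "GET /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"',
]

# Constructed sample users in the shape of WordPress user rows.
SAMPLE_USERS = [
    {"user_login": "site_owner", "role": "administrator", "user_registered": datetime(2024, 1, 5, 9, 0)},
    {"user_login": "editor1", "role": "editor", "user_registered": datetime(2025, 11, 9, 14, 2)},
    {"user_login": "wp_sys", "role": "administrator", "user_registered": datetime(2025, 11, 9, 14, 2, 31)},
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} status={hit["status"]}: {"; ".join(hit["reasons"])}')
    print("admins created since", SUSPECT_SINCE.date(), "->", audit_admins(SAMPLE_USERS))
```

On a real site, `user_registered` for `audit_admins` can be taken from `wp user list --role=administrator --fields=user_login,user_registered --format=json` (WP-CLI) after parsing the timestamp strings; a registration date alone is not proof of compromise, so compare against known onboarding and check the account's last login and any files it created.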
Similar Happenings
Fortinet FortiWeb Vulnerabilities Exploited in the Wild
Fortinet has disclosed a new medium-severity vulnerability (CVE-2025-58034) in FortiWeb, which is being actively exploited. This vulnerability, with a CVSS score of 6.7, allows authenticated attackers to execute unauthorized code via crafted HTTP requests or CLI commands. The flaw was patched in version 8.0.2. Additionally, Fortinet silently patched another critical FortiWeb vulnerability (CVE-2025-64446, CVSS score: 9.1) in the same version. Exploitation campaigns have been observed chaining these vulnerabilities to facilitate authentication bypass and command injection. Fortinet's handling of these disclosures has been criticized for its delayed and fragmented approach. This development highlights the ongoing risks associated with unpatched vulnerabilities in network security appliances and the importance of timely and transparent disclosure practices.
W3 Total Cache WordPress Plugin Command Injection Vulnerability
A critical unauthenticated command injection vulnerability (CVE-2025-9501) in the W3 Total Cache WordPress plugin allows attackers to execute arbitrary PHP commands on the server by posting a malicious comment. The flaw affects versions prior to 2.8.13 and is actively being exploited. The developer released a patch on October 20, but hundreds of thousands of websites remain vulnerable. A proof-of-concept exploit is scheduled for public release on November 24.
Post SMTP Plugin Vulnerability Exploited to Hijack WordPress Admin Accounts
A critical vulnerability in the Post SMTP WordPress plugin, tracked as CVE-2025-11833, is being actively exploited to hijack administrator accounts. The flaw allows unauthenticated attackers to read arbitrary logged emails, including password reset messages, leading to account takeover and full site compromise. It affects all versions of Post SMTP from 3.6.0 and older; the plugin, a popular email delivery solution for WordPress, has over 400,000 downloads. The issue was reported on October 11 and patched on October 29, but as of November 4 at least 210,000 sites remained vulnerable. Exploitation attempts began on November 1, with over 4,500 blocked attempts since then.
Anti-Malware Security and Brute-Force Firewall plugin vulnerability exposes private data
The Anti-Malware Security and Brute-Force Firewall plugin for WordPress, installed on over 100,000 sites, has a vulnerability that allows authenticated subscribers to read arbitrary files on the server, potentially exposing private information. The flaw, tracked as CVE-2025-11705, affects versions 4.23.81 and earlier. The vulnerability stems from missing capability checks in the GOTMLS_ajax_scan() function, which processes AJAX requests using a nonce that attackers can obtain. This oversight allows low-privileged users to read sensitive data, including the wp-config.php configuration file, which stores database credentials. With access to the database, an attacker can extract password hashes, users’ emails, posts, and other private data. The vulnerability was reported to Wordfence by researcher Dmitrii Ignatyev and was patched by the vendor in version 4.23.83, released on October 15, 2025. Wordfence recommends applying the patch to mitigate the risk of exploitation.
Mass Exploitation Campaign Targets Outdated WordPress Plugins
A widespread campaign is exploiting outdated WordPress plugins GutenKit and Hunk Companion, targeting critical vulnerabilities to achieve remote code execution (RCE). The campaign, which began on October 8, 2025, exploited three critical-severity flaws in the plugins, affecting over 48,000 installs. Attackers use malicious plugins hosted on GitHub to maintain persistence, steal data, and execute commands on compromised sites. Wordfence has blocked nearly 8.8 million exploitation attempts. The vulnerabilities were patched in October and December 2024, but many sites remain unpatched.