WordPress King Addons Flaw Under Active Attack Lets Hackers Make Admin Accounts
A critical security flaw impacting a WordPress plugin known as King Addons for Elementor has come under active exploitation in the wild. The vulnerability, CVE-2025-8489 (CVSS score: 9.8), is a case of privilege escalation that allows unauthenticated attackers to grant themselves administrative privileges by simply specifying the administrator user role during registration. It affects versions
AI Analysis
Technical Summary
The WordPress plugin King Addons for Elementor, widely used with over 10,000 active installations, contains a critical privilege escalation vulnerability identified as CVE-2025-8489 with a CVSS score of 9.8. The flaw resides in the handle_register_ajax() function, which processes user registrations via AJAX calls to /wp-admin/admin-ajax.php. Due to improper role restriction checks, unauthenticated attackers can specify the 'administrator' role during registration, thereby creating accounts with full administrative privileges without any authentication or user interaction. This vulnerability affects plugin versions from 24.12.92 through 51.1.14 and was patched in version 51.1.35 released on September 25, 2025. Since public disclosure in late October 2025, active exploitation has been observed, with Wordfence reporting over 48,400 blocked attempts and ongoing attacks from multiple IP addresses. Exploiting this flaw allows attackers to fully compromise affected WordPress sites, enabling them to upload malicious code, redirect traffic, inject spam, or conduct further attacks. The vulnerability’s root cause is an insecure implementation of role assignment during registration, making it trivial for attackers to escalate privileges. The plugin’s widespread use and the critical nature of the flaw make it a significant threat to WordPress-based websites worldwide.
Potential Impact
For European organizations, this vulnerability poses a severe risk to the confidentiality, integrity, and availability of WordPress-based websites and services. Compromise of administrative accounts can lead to complete site takeover, data breaches, defacement, malware distribution, and loss of customer trust. Organizations relying on King Addons for Elementor for their web presence or e-commerce platforms may face operational disruption, reputational damage, and potential regulatory consequences under GDPR if personal data is exposed. The ease of exploitation without authentication or user interaction increases the likelihood of successful attacks. Additionally, attackers can leverage compromised sites as footholds for lateral movement or to launch further attacks against internal networks. Given the active exploitation and volume of attack attempts, European entities using vulnerable plugin versions are at immediate risk and must act swiftly to mitigate exposure.
Mitigation Recommendations
European organizations should immediately verify the version of King Addons for Elementor installed on their WordPress sites and upgrade to version 51.1.35 or later, where the vulnerability is patched. Conduct a thorough audit of all user accounts to identify and remove any unauthorized administrator accounts created since October 2025. Implement enhanced monitoring and logging on WordPress admin endpoints, especially /wp-admin/admin-ajax.php, to detect suspicious registration attempts specifying elevated roles. Employ web application firewalls (WAFs) with rules to block or rate-limit suspicious AJAX registration requests. Restrict access to WordPress admin endpoints by IP where feasible, and enforce multi-factor authentication (MFA) for all administrator accounts to reduce impact if compromise occurs. Regularly review plugin and theme updates and subscribe to security advisories for timely patching. Finally, conduct post-incident forensic analysis if compromise is suspected to identify and remediate any backdoors or malicious code.
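As an added illustration (not King Addons code, which this page does not show) of the server-side control that the patch restores and of the monitoring step recommended above, here is a minimal WordPress registration AJAX handler that assigns the role from the site's configured default, plus a hook that logs every administrator role grant. The action name, nonce action and request field names are assumptions made for the example.

```php
<?php
/**
 * Added example, not the plugin's own code. The action name 'example_register',
 * the nonce action 'example_register_nonce' and the request fields 'username',
 * 'email', 'password' and 'nonce' are assumptions for illustration.
 */

// Unauthenticated (nopriv) endpoint, reached via /wp-admin/admin-ajax.php?action=example_register
add_action( 'wp_ajax_nopriv_example_register', 'example_handle_register_ajax' );

function example_handle_register_ajax() {
    // Fail closed unless the site allows open registration at all.
    if ( ! get_option( 'users_can_register' ) ) {
        wp_send_json_error( array( 'message' => 'Registration is disabled.' ), 403 );
    }
    // Reject requests without a valid nonce (dies with HTTP 403 on failure).
    check_ajax_referer( 'example_register_nonce', 'nonce' );

    $login = sanitize_user( wp_unslash( $_POST['username'] ?? '' ), true );
    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $pass  = (string) wp_unslash( $_POST['password'] ?? '' );

    if ( '' === $login || ! is_email( $email ) || strlen( $pass ) < 12 ) {
        wp_send_json_error( array( 'message' => 'Invalid registration data.' ), 400 );
    }

    // The control that matters for this class of bug: the role comes from the site's
    // configured default. No 'role' field from the request is ever read, so a client
    // has no way to ask for 'administrator'.
    $user_id = wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => $pass,
        'role'       => get_option( 'default_role', 'subscriber' ),
    ) );

    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( array( 'message' => $user_id->get_error_message() ), 400 );
    }
    wp_send_json_success( array( 'user_id' => (int) $user_id ) );
}

// Detection aid: log every administrator role assignment together with the acting user.
// An administrator grant with no logged-in actor, or an actor lacking 'promote_users',
// is the pattern this advisory describes and should be alerted on.
add_action( 'set_user_role', 'example_audit_admin_role', 10, 3 );

function example_audit_admin_role( $user_id, $role, $old_roles ) {
    if ( 'administrator' !== $role ) {
        return;
    }
    $actor = is_user_logged_in() ? get_current_user_id() : 0;
    $flag  = ( 0 === $actor || ! current_user_can( 'promote_users' ) ) ? 'SUSPICIOUS' : 'ok';
    $ip    = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( $_SERVER['REMOTE_ADDR'] ) : 'unknown';
    error_log( sprintf(
        'admin-role-audit %s: user %d granted administrator (previous roles: %s) by actor %d from %s',
        $flag,
        (int) $user_id,
        implode( ',', (array) $old_roles ),
        $actor,
        $ip
    ) );
}
```

The audit hook fires for any code path that calls `WP_User::set_role()`, including `wp_insert_user()`, so it covers plugin registration handlers as well as core. For the one-off account review the recommendations call for, `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered` (WP-CLI) lists every administrator with its registration timestamp, which can then be compared against the set of known, authorised admins.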
Affected Countries
Germany, United Kingdom, France, Italy, Spain, Netherlands, Poland, Sweden, Belgium, Austria
Technical Details
- Article Source: https://thehackernews.com/2025/12/wordpress-king-addons-flaw-under-active.html (fetched 2025-12-03T18:00:34.465Z, 949 words)
Threat ID: 69307ac6b129615efa180f93
Added to database: 12/3/2025, 6:00:38 PM
Last enriched: 12/3/2025, 6:00:54 PM
Last updated: 12/4/2025, 11:19:12 AM