Critical privilege-escalation flaw in King Addons plugin under active exploitation

A critical security flaw tracked as CVE-2025-8489 and rated 9.8 on the CVSS scale is being actively exploited in the wild against the WordPress plugin King Addons for Elementor. The vulnerability allows unauthenticated actors to gain administrative privileges by specifying the administrator role during registration, and affects versions from 24.12.92 through 51.1.14. The maintainers released a fix in version 51.1.35 on September 25, 2025, and the issue was credited to researcher Peter Thaleikis; the plugin has more than 10,000 active installs.

The flaw is rooted in an insecure implementation of the handle_register_ajax() function that runs during user registration. Security firm Wordfence said attackers can craft an HTTP request to the /wp-admin/admin-ajax.php endpoint that specifies the role as ‘administrator’, resulting in elevated privileges for the registering account.

Successful exploitation can allow an attacker to seize control of a compromised site and use that access to upload malicious code, redirect visitors to other sites, or inject spam, among other actions that threaten site integrity and visitor safety.

Wordfence reported it has blocked more than 48,400 exploit attempts since the vulnerability was publicly disclosed in late October 2025, including 75 attempts in the last 24 hours. The company listed originating IP addresses as 45.61.157.120, 182.8.226.228, 138.199.21.230, 206.238.221.25 and 2602:fa59:3:424::1, and said attackers may have begun targeting the flaw as early as October 31, 2025, with mass exploitation starting on November 9, 2025.

Site administrators are advised to ensure installations are updated to the patched version 51.1.35, audit environments for any unexpected administrator accounts, and monitor logs and site activity for signs of compromise. The affected version range and the patch date are reported by the plugin maintainers and security researchers.
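To support the log-monitoring advice above, here is an added example (not from the article or the plugin) that scans a constructed JSON-lines request log, as a WAF or request-logging plugin might emit, for the two indicators the article gives: admin-ajax.php requests that set role=administrator and the source addresses Wordfence reported. The AJAX action name in the sample is a placeholder, since the article does not give it; a plain access log usually lacks the POST body, in which case only the query-string and source-IP checks apply.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Source addresses reported by Wordfence in the article.
REPORTED_IPS = {"45.61.157.120", "182.8.226.228", "138.199.21.230",
                "206.238.221.25", "2602:fa59:3:424::1"}
AJAX_PATH = "/wp-admin/admin-ajax.php"


def _params(uri, body):
    """Merge query-string and form-encoded body parameters, lower-casing keys and values."""
    merged = parse_qs(urlsplit(uri).query, keep_blank_values=True)
    merged.update(parse_qs(body or "", keep_blank_values=True))
    return {k.lower(): [v.lower() for v in vals] for k, vals in merged.items()}


def classify(entry):
    """Return the reasons a log entry is suspicious (empty list if none)."""
    reasons = []
    if urlsplit(entry["uri"]).path == AJAX_PATH:
        params = _params(entry["uri"], entry.get("body"))
        # The exploit pattern: a registration request choosing its own role.
        roles = params.get("role", []) + params.get("role[]", [])
        if "administrator" in roles:
            reasons.append("admin-ajax request sets role=administrator")
    if entry["ip"] in REPORTED_IPS:
        reasons.append("source IP reported by Wordfence")
    return reasons


def scan(log_text):
    """Scan JSON-lines log text; return (ts, ip, reasons) for every flagged entry."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        reasons = classify(entry)
        if reasons:
            hits.append((entry["ts"], entry["ip"], reasons))
    return hits


# Constructed sample log: a benign heartbeat, a role injection attempt (action name is a
# placeholder, the article does not give it), and a request from a reported address.
SAMPLE_LOG = """
{"ts": "2025-11-09T02:11:05Z", "ip": "203.0.113.7", "method": "POST", "uri": "/wp-admin/admin-ajax.php", "body": "action=heartbeat&interval=60"}
{"ts": "2025-11-09T02:11:44Z", "ip": "198.51.100.9", "method": "POST", "uri": "/wp-admin/admin-ajax.php", "body": "action=PLACEHOLDER_register&role=administrator&user_login=x"}
{"ts": "2025-11-09T02:12:10Z", "ip": "45.61.157.120", "method": "GET", "uri": "/wp-login.php?action=register", "body": ""}
"""

if __name__ == "__main__":
    for ts, ip, reasons in scan(SAMPLE_LOG):
        print(ts, ip, "; ".join(reasons))
```

A hit on the role indicator should be followed by the account audit the article recommends, since a blocked request proves nothing about earlier ones that went through.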