Introduction
Attackers can obtain full administrative access to WordPress sites running King Addons for Elementor by exploiting a privilege escalation flaw in versions 24.12.92 through 51.1.14. This vulnerability allows unauthenticated users to register as administrators, leading to total site compromise if exploited. King Addons for Elementor is a widely used extension for the Elementor page builder, with over 10,000 active installations. The plugin enables users to add widgets, templates, and features to WordPress sites without coding.
Technical Information
The vulnerability is rooted in the plugin's user registration handler, specifically in how it processes the user_role parameter during account creation. The handler is exposed via an AJAX endpoint and is accessible to unauthenticated users when public registration is enabled. In affected versions, the code does not properly restrict which roles can be assigned at registration. Instead, it accepts any role value provided by the client, including 'administrator'.
The vulnerable code pattern is as follows:
if (!empty($user_role) && $user_role !== 'subscriber') {
    // The role is copied straight from the request; no check that it is
    // one the site permits at self-registration.
    $user_data['role'] = $user_role;
}
$user_id = wp_insert_user($user_data);
This logic means that if a POST request is sent to /wp-admin/admin-ajax.php with action=king_addons_user_register and user_role=administrator, the plugin will create a new administrator account. No authentication or special privileges are required to exploit this flaw. The only prerequisites are that public registration is enabled and the King Addons registration form is active on the site.
The patched version (51.1.37) introduces an allowlist, restricting registration to the 'subscriber' and 'customer' roles only.
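The following is an added illustration of what a hardened registration callback looks like, not the plugin's actual patched code: the requested role is mapped through a server-side allowlist instead of being copied from the request, and the handler also honours the site's registration setting and checks a nonce. Function, hook and nonce names (ka_example_*) are assumed for the example.

```php
<?php
// Added example of a hardened self-registration handler; not the plugin's
// own code. Hook, function and nonce names are assumed.

// Server-side allowlist: the client never chooses a privileged role.
const KA_EXAMPLE_ALLOWED_ROLES = array( 'subscriber', 'customer' );

function ka_example_resolve_role( $requested ) {
    $role = sanitize_key( (string) $requested );
    // Reject anything outside the allowlist, and anything that is not a role
    // actually registered on this site (e.g. 'customer' without WooCommerce).
    if ( ! in_array( $role, KA_EXAMPLE_ALLOWED_ROLES, true ) || null === get_role( $role ) ) {
        return get_option( 'default_role', 'subscriber' );
    }
    return $role;
}

function ka_example_user_register() {
    // CSRF protection: the form must send a nonce created for this action.
    check_ajax_referer( 'ka_example_register', 'nonce' );

    // Honour the site-wide "Anyone can register" setting.
    if ( ! get_option( 'users_can_register' ) ) {
        wp_send_json_error( array( 'message' => 'Registration is disabled.' ), 403 );
    }

    $username = sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ), true );
    $email    = sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) );

    if ( '' === $username || ! is_email( $email ) ) {
        wp_send_json_error( array( 'message' => 'Invalid username or email.' ), 400 );
    }
    if ( username_exists( $username ) || email_exists( $email ) ) {
        wp_send_json_error( array( 'message' => 'Account already exists.' ), 409 );
    }

    $user_id = wp_insert_user( array(
        'user_login' => $username,
        'user_email' => $email,
        'user_pass'  => wp_generate_password( 24 ), // a real form would collect one
        // The requested role goes through the allowlist, never straight through.
        'role'       => ka_example_resolve_role( $_POST['user_role'] ?? '' ),
    ) );

    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( array( 'message' => $user_id->get_error_message() ), 400 );
    }
    wp_send_json_success( array( 'user_id' => $user_id ) );
}
add_action( 'wp_ajax_nopriv_ka_example_register', 'ka_example_user_register' );
```

With this shape, a request carrying user_role=administrator falls through to the site's default role rather than creating a privileged account.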
Affected Systems and Versions
- King Addons for Elementor plugin for WordPress
- Versions 24.12.92 through 51.1.14 are vulnerable
- Vulnerability is present when both public registration is enabled and the King Addons registration form is active
Vendor Security History
KingAddons.com has experienced multiple critical vulnerabilities in 2025, including privilege escalation and arbitrary file upload flaws in the same plugin. Patch response time for CVE-2025-8489 was approximately 47 days from initial disclosure to the release of a fix. The vendor's history indicates recurring issues with input validation and privilege management, suggesting limited security maturity in development practices.