Attackers are actively exploiting a critical-severity privilege escalation vulnerability, tracked as CVE-2025-8489, in the King Addons for Elementor plugin, which is installed on roughly 10,000 WordPress sites. The flaw lets an unauthenticated visitor obtain administrator privileges simply by manipulating the plugin's user registration process. Exploitation began on October 31, one day after the issue was publicly disclosed. Defiant's Wordfence has already logged and blocked more than 48,400 exploit attempts, a volume that points to widespread, automated targeting of vulnerable sites.
The vulnerability, discovered by researcher Peter Thaleikis, lies in the plugin's registration handler. The handler places no restriction on the role a new account receives, so anyone signing up can specify their own user role, including the highly privileged 'administrator' role. Wordfence observed attackers abusing this by sending a crafted request to 'admin-ajax.php' that carries the parameter 'user_role=administrator', which creates an unauthorized administrator account on the targeted site. Exploitation peaked on November 9 and 10, with two IP addresses, 45.61.157.120 and 2602:fa59:3:424::1, responsible for the vast majority of blocked attempts.
To protect their installations, site owners should immediately upgrade King Addons for Elementor to version 51.1.35, which contains the fix for CVE-2025-8489 and was released on September 25, before the public disclosure. Administrators should also search their web-server logs for the attacker IP addresses reported by Wordfence and review the site's user list for unexpected, newly created administrator accounts, which would be a clear indication of a successful compromise.
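The two checks recommended above can be scripted. The following is an added example, not Wordfence's or the plugin's code: it scans web-server access logs for the two indicators the article gives, requests to admin-ajax.php that carry user_role=administrator, and any request from the two reported IP addresses. The log lines are constructed for the example, the combined log format and its regex are assumptions, and the `action=register` parameter in one sample line is a placeholder rather than the plugin's real AJAX action name.

```python
"""Scan access logs for the King Addons (CVE-2025-8489) exploitation pattern.

Added illustration, not Wordfence's or the plugin's own tooling.
Assumptions: Apache/nginx "combined" log format; the sample lines below
are constructed; 'action=register' is a placeholder action name.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Indicators named in the advisory text: the two IPs behind most attempts.
IOC_IPS = {
    ipaddress.ip_address("45.61.157.120"),
    ipaddress.ip_address("2602:fa59:3:424::1"),
}

# Combined log format: client - user [time] "METHOD path PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return the fields we need from one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["ip"] = ipaddress.ip_address(rec["ip"])
    except ValueError:
        return None
    return rec


def is_role_abuse(path):
    """True if the request targets admin-ajax.php and asks for the administrator
    role in its query string. POST bodies are not recorded in access logs, so
    this only catches attempts that put user_role in the URL; the IP check
    below covers the rest of what the logs can show."""
    parts = urlsplit(path)
    if not parts.path.endswith("/admin-ajax.php"):
        return False
    roles = parse_qs(parts.query).get("user_role", [])
    return any(r.lower() == "administrator" for r in roles)


def scan(lines):
    """Return one hit per suspicious line, with the reasons it was flagged."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        if rec["ip"] in IOC_IPS:
            reasons.append("ioc-ip")
        if is_role_abuse(rec["path"]):
            reasons.append("user_role=administrator on admin-ajax.php")
        if reasons:
            hits.append({
                "ip": str(rec["ip"]),
                "time": rec["time"],
                "status": rec["status"],
                "reasons": reasons,
            })
    return hits


# Constructed sample log; 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are
# documentation ranges, and 'action=register' is a placeholder action name.
SAMPLE_LOG = [
    '45.61.157.120 - - [09/Nov/2025:14:02:11 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.7 - - [10/Nov/2025:03:15:42 +0000] "POST /wp-admin/admin-ajax.php?action=register&user_role=administrator HTTP/1.1" 200 98 "-" "curl/8.4.0"',
    '2602:fa59:3:424::1 - - [10/Nov/2025:03:16:05 +0000] "POST /wp-admin/admin-ajax.php?user_role=administrator HTTP/1.1" 403 0 "-" "curl/8.4.0"',
    '198.51.100.23 - - [10/Nov/2025:08:00:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 40 "-" "Mozilla/5.0"',
    '192.0.2.1 - - [10/Nov/2025:08:01:30 +0000] "GET / HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["status"], ", ".join(hit["reasons"]))
```

Run it against the real log with `scan(open("access.log"))`. Because the article reports the attack as a POST to admin-ajax.php and access logs do not keep request bodies, a clean log scan is not proof of safety; pair it with a review of administrator accounts and their registration dates, for example `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered` with WP-CLI, and treat any administrator created on or after October 31 that you did not create yourself as a compromise.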
Separately, Wordfence researchers are issuing a warning about another critical security flaw, CVE-2025-13486, affecting the Advanced Custom Fields: Extended plugin, which is active on over 100,000 WordPress sites. This more severe vulnerability can be exploited by an unauthenticated attacker to remotely execute arbitrary code (RCE). The flaw affects versions 0.9.0.5 through 0.9.1.1 and was responsibly discovered and reported by Marcin Dudek, the head of Poland’s national computer emergency response team (CERT).
The root cause of the RCE is that the plugin passes unfiltered user input to `call_user_func_array()`, which lets an unauthenticated attacker choose the function the server calls and thereby execute arbitrary code. This can be used to plant backdoors or, as with the King Addons flaw, to create new administrator accounts. The issue was reported on November 18, and the vendor released Advanced Custom Fields: Extended version 0.9.2 the following day to address it. Because the flaw requires no authentication, site owners should update to version 0.9.2 or later as quickly as possible, or temporarily disable the plugin, given the high likelihood of exploitation now that technical details are public.