CVE-2025-8489: 
WordPress vulnerability analysis and mitigation

The King Addons for Elementor plugin for WordPress contains a critical privilege escalation vulnerability (CVE-2025-8489) affecting versions 24.12.92 to 51.1.14. The vulnerability was discovered on October 30, 2025, and publicly disclosed on October 31, 2025. This security flaw allows unauthenticated attackers to register themselves with administrator-level user accounts due to improper role restriction during the registration process (NVD, SecurityOnline).

The vulnerability has been assigned a Critical severity rating with a CVSS score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The flaw stems from a basic coding oversight within the plugin's registration functionality, where the plugin fails to properly validate and restrict user roles during the registration process. An attacker can exploit this by simply adding the role parameter (user_role=administrator) when registering a new account (SecurityOnline).

The vulnerability allows unauthenticated attackers to gain full administrative access to affected WordPress websites. Once an attacker registers as an administrator, they have complete control over the website, including the ability to install malicious plugins, modify content, and conduct further attacks. This represents a severe security risk for the over 10,000 active WordPress installations using the affected plugin (SecurityOnline).

Website administrators using the King Addons for Elementor plugin are strongly advised to update immediately to version 51.1.35 or later, which contains the security patch for this vulnerability. This update properly restricts the user roles that can be assigned during registration (SecurityOnline).