
Redazione RHC : 4 December 2025 07:46
Attackers are exploiting a critical privilege escalation flaw (CVE-2025-8489) in the King Addons for Elementor WordPress plugin: during account registration it lets them obtain administrator privileges on the targeted site.
King Addons is a third-party add-on that extends Elementor, a popular visual page builder plugin for WordPress sites. Estimated to be installed on approximately 10,000 websites, it provides a range of widgets, templates, and additional features.
Threat activity began on October 31, just one day after the issue was disclosed. So far, the Wordfence security scanner from Defiant, a company that provides security services for WordPress websites, has blocked over 48,400 exploit attempts.
Researchers noticed a spike in exploitation activity between November 9 and 10, with two IP addresses being the most active: 45.61.157.120 (28,900 attempts) and 2602:fa59:3:424::1 (16,900 attempts).
According to Wordfence's analysis, attackers send a forged request to “admin-ajax.php” that specifies “user_role=administrator”, creating accounts with unauthorized administrator privileges on the targeted sites.
The flaw, identified as CVE-2025-8489 by Peter Thaleikis, resides in the plugin’s registration handler: the handler accepts the role supplied in the request without restriction, so any registered user can assign themselves any role on the website, including administrator.
Website owners are advised to update to King Addons version 51.1.35, released on September 25, which fixes CVE-2025-8489.
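The request pattern Wordfence describes (a POST to admin-ajax.php carrying user_role=administrator) is something a site operator can look for in a request log or WAF feed. The following is an added example, not code from the article or from Wordfence: it flags registration requests that try to self-assign a privileged role and counts flagged attempts per source IP. The sample traffic is constructed (documentation-range IPs and a placeholder action name; the real plugin's AJAX action name is not given in the article).

```python
from collections import Counter
from urllib.parse import parse_qs

# Roles a self-registration must never be allowed to request. Open
# registration on WordPress normally yields 'subscriber' only.
PRIVILEGED_ROLES = {"administrator", "editor", "author", "contributor"}


def is_role_escalation_attempt(method, path, body):
    """Return the requested privileged role (lowercased) when a POST to
    admin-ajax.php carries user_role=<privileged role>, else None."""
    if method.upper() != "POST":
        return None
    if not path.split("?", 1)[0].endswith("/admin-ajax.php"):
        return None
    params = parse_qs(body, keep_blank_values=True)
    for role in params.get("user_role", []):
        role = role.strip().lower()
        if role in PRIVILEGED_ROLES:
            return role
    return None


def summarize(requests):
    """Count flagged attempts per source IP, most active first.
    Each request is a (src_ip, method, path, form_body) tuple."""
    hits = Counter()
    for ip, method, path, body in requests:
        if is_role_escalation_attempt(method, path, body):
            hits[ip] += 1
    return hits.most_common()


# Constructed sample traffic. 'action=register_form' is a placeholder,
# not the plugin's actual AJAX action.
SAMPLE = [
    ("203.0.113.5", "POST", "/wp-admin/admin-ajax.php",
     "action=register_form&user_login=u1&user_email=u1%40example.test&user_role=administrator"),
    ("203.0.113.5", "POST", "/wp-admin/admin-ajax.php",
     "action=register_form&user_login=u2&user_role=Administrator"),
    ("198.51.100.7", "POST", "/wp-admin/admin-ajax.php",
     "action=register_form&user_login=u3&user_role=subscriber"),
    ("198.51.100.7", "GET", "/wp-admin/admin-ajax.php?action=heartbeat", ""),
    ("2001:db8::1", "POST", "/wp-admin/admin-ajax.php",
     "action=register_form&user_login=u4&user_role=editor"),
]

if __name__ == "__main__":
    for ip, count in summarize(SAMPLE):
        print(f"{ip}: {count} role-escalation attempt(s)")
```

The same check is the server-side fix in spirit: a registration handler should ignore any client-supplied role and apply the site's configured default role instead.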
Another critical vulnerability in the Advanced Custom Fields Extended plugin, affecting more than 100,000 WordPress websites, has been reported by Wordfence researchers. This flaw could allow an unauthenticated attacker to remotely execute code, jeopardizing the security of affected sites.
The security issue was reported on November 18, and the plugin vendor fixed it in Advanced Custom Fields: Extended version 0.9.2, released one day after receiving the vulnerability report.
Because the vulnerability can be exploited without authentication through a suitably structured request, public disclosure of detailed technical information carries a risk of malicious exploitation. Website owners are advised to update to the latest version as soon as possible or remove the plugin from their sites.