Critical King Addons Vulnerability Exploited to Hack WordPress Sites

  • December 3, 2025

Jasper_The_Rasper
Moderator

A critical-severity vulnerability in the King Addons for Elementor plugin for WordPress has been exploited to take over websites.

December 3, 2025 By Ionut Arghire

Threat actors have been hacking WordPress websites by exploiting a recent King Addons for Elementor vulnerability, Defiant reports.

Tracked as CVE-2025-8489 (CVSS score of 9.8), the critical-severity bug is described as a privilege escalation issue that allows attackers to obtain administrative privileges.

The vulnerability impacts versions 24.12.92 to 51.1.14. King Addons for Elementor’s maintainers patched the issue in version 51.1.35 of the plugin, which was released on September 25.

Roughly a month later, threat actors started targeting the CVE in attacks, and Defiant has observed roughly 50,000 exploit attempts to date.

The security hole, Defiant explains, exists because the plugin’s function that handles registrations was implemented insecurely.

This allows “unauthenticated attackers to specify their role without any restrictions, which means they could grant themselves the administrator role,” Defiant says.

>>Full Article<<
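
A defender-side triage for the version range and impact reported above, as an added example that is not part of the original post or the plugin's own code: it classifies an installed King Addons version against the stated bounds and lists administrator accounts created since a chosen date. The user-record shape (`user_login`, `roles`, `user_registered`), the `since` date, the status labels and the sample users are assumptions constructed for illustration.

```python
from datetime import date, datetime

# Version bounds exactly as stated in the article above.
FIRST_AFFECTED, LAST_AFFECTED, FIRST_PATCHED = (24, 12, 92), (51, 1, 14), (51, 1, 35)

def parse_version(text):
    """'51.1.14' -> (51, 1, 14); short forms are zero-padded, junk is rejected."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))

def classify_version(text):
    v = parse_version(text)
    if v >= FIRST_PATCHED:
        return "patched"
    if FIRST_AFFECTED <= v <= LAST_AFFECTED:
        return "affected"
    # The article gives no status for versions outside both ranges.
    return "unlisted-older" if v < FIRST_AFFECTED else "unlisted-upgrade"

def admins_registered_since(users, since, known_admins=()):
    """Logins holding the administrator role, created on/after `since`, not pre-approved."""
    flagged = []
    for u in users:
        roles = {r.strip() for r in u["roles"].split(",")}
        created = datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S").date()
        if "administrator" in roles and created >= since and u["user_login"] not in known_admins:
            flagged.append(u["user_login"])
    return flagged

def triage(version, users, since, known_admins=()):
    # Audit accounts even when patched: an account created earlier survives the update.
    return {"version_status": classify_version(version),
            "review_admins": admins_registered_since(users, since, known_admins)}

# Constructed sample records (hypothetical site, not real data).
SAMPLE_USERS = [
    {"user_login": "site-owner", "roles": "administrator", "user_registered": "2023-04-11 09:12:00"},
    {"user_login": "new-dev", "roles": "administrator", "user_registered": "2025-10-20 10:05:31"},
    {"user_login": "editor-amy", "roles": "editor", "user_registered": "2025-11-02 14:30:10"},
    {"user_login": "wpsupport_77", "roles": "subscriber, administrator", "user_registered": "2025-11-05 03:41:55"},
]

if __name__ == "__main__":
    print(triage("51.1.14", SAMPLE_USERS, since=date(2025, 10, 1), known_admins={"site-owner", "new-dev"}))
```

Set `since` to the date an affected version was first installed on the site; any login in `review_admins` needs to be matched to a person who was meant to have that role.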