dark
Hand-Picked Top-Read Stories
Trending Tags
2 minute read

WordPress King Addons Flaw Under Active Attack Lets Hackers Make Admin Accounts

info@thehackernews.com (The Hacker News)
December 3, 2025
A critical security flaw impacting a WordPress plugin known as King Addons for Elementor has come under active exploitation in the wild. The vulnerability, CVE-2025-8489 (CVSS score: 9.8), is a case of privilege escalation that allows unauthenticated attackers to grant themselves administrative privileges by simply specifying the administrator user role during registration. It affects versions
Total
0
Shares
0
0
0
[[{“value”:”

A critical security flaw impacting a WordPress plugin known as King Addons for Elementor has come under active exploitation in the wild.

The vulnerability, CVE-2025-8489 (CVSS score: 9.8), is a case of privilege escalation that allows unauthenticated attackers to grant themselves administrative privileges by simply specifying the administrator user role during registration.

It affects versions from 24.12.92 through 51.1.14. It was patched by the maintainers in version 51.1.35 released on September 25, 2025. Security researcher Peter Thaleikis has been credited with discovering and reporting the flaw. The plugin has over 10,000 active installs.

Cybersecurity

“This is due to the plugin not properly restricting the roles that users can register with,” Wordfence said in an alert. “This makes it possible for unauthenticated attackers to register with administrator-level user accounts.”

Specifically, the issue is rooted in the “handle_register_ajax()” function that’s invoked during user registration. But an insecure implementation of the function meant that unauthenticated attackers can specify their role as “administrator” in a crafted HTTP request to the “/wp-admin/admin-ajax.php” endpoint, allowing them to obtain elevated privileges.

Successful exploitation of the vulnerability could enable a bad actor to seize control of a susceptible site that has installed the plugin, and weaponize the access to upload malicious code that can deliver malware, redirect site visitors to sketchy sites, or inject spam.

Wordfence said it has blocked over 48,400 exploit attempts since the flaw was publicly disclosed in late October 2025, with 75 attempts thwarted in the last 24 hours alone. The attacks have originated from the following IP addresses –

  • 45.61.157.120
  • 182.8.226.228
  • 138.199.21.230
  • 206.238.221.25
  • 2602:fa59:3:424::1

“Attackers may have started actively targeting this vulnerability as early as October 31, 2025, with mass exploitation starting on November 9, 2025,” the WordPress security company said.

Site administrators are advised to ensure that they are running the latest version of the plugin, audit their environments for any suspicious admin users, and monitor for any signs of abnormal activity.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

“}]] The Hacker News 

Total
0
Shares
Share 0
Tweet 0
Share 0
Share 0
Share 0
Previous Post

Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud

December 3, 2025
Next Post

Microsoft Silently Patches Windows LNK Flaw After Years of Active Exploitation

December 3, 2025
Related Posts
4 min

Anthropic Disrupts AI-Powered Cyberattacks Automating Theft and Extortion Across Critical Sectors

Anthropic on Wednesday revealed that it disrupted a sophisticated operation that weaponized its artificial intelligence (AI)-powered chatbot Claude to conduct large-scale theft and extortion of personal data in July 2025. "The actor targeted at least 17 distinct organizations, including in healthcare, the emergency services, and government, and religious institutions," the company said. "
info@thehackernews.com (The Hacker News)
August 27, 2025
Read More
2 min

Apple Warns French Users of Fourth Spyware Campaign in 2025, CERT-FR Confirms

Apple has notified users in France of a spyware campaign targeting their devices, according to the Computer Emergency Response Team of France (CERT-FR). The agency said the alerts were sent out on September 3, 2025, making it the fourth time this year that Apple has notified citizens in the county that at least one of the devices linked to their iCloud accounts may have been compromised as part
info@thehackernews.com (The Hacker News)
September 12, 2025
Read More
2 min

Salesforce Flags Unauthorized Data Access via Gainsight-Linked OAuth Activity

Salesforce has warned of detected "unusual activity" related to Gainsight-published applications connected to the platform. "Our investigation indicates this activity may have enabled unauthorized access to certain customers’ Salesforce data through the app's connection," the company said in an advisory. The cloud services firm said it has taken the step of revoking all active access and refresh
info@thehackernews.com (The Hacker News)
November 21, 2025
Read More