Security | Updated 20 February 2026 | 9 min read | Originally published December 2025

King Addons Hack Lets Anyone Become WordPress Admin

A critical vulnerability in King Addons for Elementor (CVE-2025-8489) lets anyone create an admin account on your WordPress site. Over 48,400 exploit attempts logged since October. Here's how to check if you're compromised and lock it down.

Mark McNeece Founder & Managing Director, 365i

If you're running King Addons for Elementor, stop what you're doing and deal with this now. Not tomorrow. Not after lunch. Now.

A critical vulnerability (CVE-2025-8489, CVSS 9.8 out of 10) lets anyone on the internet create a full admin account on your WordPress site. No password needed. No authentication. One crafted request and they've got the keys to everything.

Wordfence has logged over 48,400 attack attempts since late October, and fresh waves are still hitting sites daily. If you haven't patched, you're on borrowed time.

What's Happening Right Now

The timeline tells you how fast this escalated:

Date          | Event                      | Impact
24 Jul 2025   | Vulnerability discovered   | Peter Thaleikis reports flaw to vendor
25 Sep 2025   | Patch released (v51.1.35)  | Fix available but adoption is slow
30 Oct 2025   | Public disclosure          | Details published, exploit window opens
31 Oct 2025   | Active exploitation begins | Attacks start within 24 hours
9-10 Nov 2025 | Mass exploitation campaign | Attack volume spikes sharply
4 Dec 2025    | Ongoing attacks            | 48,400+ attempts logged, new waves daily

The plugin has over 10,000 active installations, and WordPress.org stats show a worrying number of sites still running insecure versions. Automated bots are creating fake admin users, dropping backdoors, and taking full control before site owners even notice.

"The Wordfence Threat Intelligence team has been tracking exploitation attempts targeting CVE-2025-8489 in King Addons for Elementor. We have blocked over 48,400 attacks targeting this vulnerability."

- Wordfence Threat Intelligence

When Wordfence publishes numbers like that, it grabs your attention. I've been running hosting infrastructure since 2001, and the pattern here is familiar: a disclosed vulnerability, slow patching, fast exploitation. The gap between "patch available" and "most sites updated" is where the damage happens. Every time.

How the Hack Actually Works

The vulnerability sits in King Addons' registration handler. When someone registers for an account on your site, the plugin is supposed to restrict what role they get. Subscriber, contributor, that sort of thing.

Except King Addons forgot to enforce those restrictions.

An attacker sends a POST request to /wp-admin/admin-ajax.php with a user_role parameter set to administrator. And the plugin just accepts it. No validation. No "hang on, should we be letting random people do this?"

It's the digital equivalent of a bouncer at a club accepting a Post-it note that says "VIP" as genuine ID.
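To make that defect concrete, here is an added, simplified PHP sketch of the pattern described above. It is not King Addons' actual code and is not taken from the article; every function name, the option name example_registration_role, the nonce action and the AJAX action are assumptions, and it assumes a WordPress runtime (loaded as part of a plugin). The first handler trusts a client-supplied user_role; the second never reads a role from the request at all and forces whatever the site owner configured through an allow-list of low-privilege roles.

```php
<?php
// Added illustration, NOT King Addons' code: a simplified self-registration
// handler showing the class of bug the article describes, then a hardened
// version. Assumes a WordPress runtime (this file loaded as part of a plugin);
// every function, option, nonce and AJAX action name here is an assumption.

/**
 * VULNERABLE PATTERN: the role is read from the request. Because this runs on
 * the unauthenticated admin-ajax.php path, anyone can supply user_role.
 *
 * @return int|WP_Error
 */
function example_register_user_vulnerable(array $request) {
    $username = sanitize_user($request['username'] ?? '');
    $email    = sanitize_email($request['email'] ?? '');
    $password = (string) ($request['password'] ?? '');
    $role     = (string) ($request['user_role'] ?? 'subscriber'); // client-controlled

    $user_id = wp_create_user($username, $password, $email);
    if (is_wp_error($user_id)) {
        return $user_id;
    }
    (new WP_User($user_id))->set_role($role); // 'administrator' goes straight through
    return $user_id;
}

/**
 * Roles a self-service registration form may ever assign. Anything else,
 * including administrator and editor, is refused regardless of configuration.
 */
function example_allowed_registration_roles() {
    return ['subscriber', 'contributor'];
}

/** Force a configured role through the allow-list; fall back to subscriber. */
function example_resolve_registration_role($configured_role) {
    $configured_role = (string) $configured_role;
    return in_array($configured_role, example_allowed_registration_roles(), true)
        ? $configured_role
        : 'subscriber';
}

/**
 * HARDENED PATTERN: the role never comes from the request. It is read from a
 * site-owner-controlled option (assumed name) and then allow-listed.
 *
 * @return int|WP_Error
 */
function example_register_user_hardened(array $request) {
    // Nonce ties the request to a form this site rendered.
    $nonce = (string) ($request['_wpnonce'] ?? '');
    if (!wp_verify_nonce($nonce, 'example_register')) {
        return new WP_Error('bad_nonce', 'Invalid request.');
    }
    // Respect the core "Anyone can register" setting.
    if (!get_option('users_can_register')) {
        return new WP_Error('registration_closed', 'Registration is disabled.');
    }

    $username = sanitize_user($request['username'] ?? '');
    $email    = sanitize_email($request['email'] ?? '');
    $password = (string) ($request['password'] ?? '');

    // Role comes from the assumed option, never from $request, then is allow-listed.
    $role = example_resolve_registration_role(get_option('example_registration_role', 'subscriber'));

    $user_id = wp_create_user($username, $password, $email);
    if (is_wp_error($user_id)) {
        return $user_id;
    }
    (new WP_User($user_id))->set_role($role);
    return $user_id;
}

// Unauthenticated AJAX entry point (assumed action name) wired to the hardened handler.
add_action('wp_ajax_nopriv_example_register', function () {
    $result = example_register_user_hardened(wp_unslash($_POST));
    if (is_wp_error($result)) {
        wp_send_json_error($result->get_error_message(), 400);
    }
    wp_send_json_success(['user_id' => $result]);
});
```

The point of the allow-list is that it holds even if the settings screen is later changed or another bug lets someone write to the option: a registration path can only ever hand out subscriber or contributor, so a request parameter has nothing to influence.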

Once they've got admin access:

  • Upload malicious files or backdoors for persistent access
  • Inject spam or malware into your content
  • Redirect visitors to phishing sites
  • Steal customer data or payment information
  • Hold your site hostage

Which Versions Are Affected?

Version Range        | Status     | Action
24.12.92 to 51.1.14  | VULNERABLE | Update immediately to 51.1.35+
51.1.35 and later    | Patched    | Still audit users and enable the security controls below

How to Check If You've Already Been Hit

Before fixing anything, work out if you're already dealing with a compromise.

1. Audit Your User Accounts

Go to Users > All Users and filter by Administrator role. Look for accounts created after 30th October 2025 (when exploitation started), email addresses you don't recognise, and usernames that look randomly generated like "admin12345" or "wpuser8472".

2. Check Your Upload Directories

Have a proper look through /wp-content/uploads/ for PHP files that shouldn't be there. Attackers hide backdoors in upload folders because they're often overlooked.

3. Review File Changes

Check your hosting control panel for unexpected file modifications. At 365i, our monitoring flags these automatically, but if you're on basic hosting you'll need to check manually.

4. Look at Server Logs

Check for repeated POST requests to /wp-admin/admin-ajax.php from unknown IP addresses. Wordfence data shows attack traffic coming primarily from IPs like 45.61.157.120 and 2602:fa59:3:424::1, each responsible for tens of thousands of blocked attempts.

If you find anything suspicious: revoke admin access for dodgy accounts immediately, change all passwords, and consider putting your site into maintenance mode while you sort things out.
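The user audit, the uploads check and the log review above can be scripted. The following is an added example, not code from the article or from 365i, runnable with plain `php` and no WordPress install: the user records and access-log lines at the bottom are constructed sample data, and the cutoff date, the "random username" pattern and the file-extension list are assumptions you can tune. On a live site the user records would come from `wp user list --role=administrator --format=json` and the log lines from your web server's access log.

```php
<?php
// Added example, not from the article: the three checks above as functions you
// can run with plain `php` (no WordPress install needed). The user records and
// access-log lines at the bottom are constructed sample data; on a live site
// the records would come from `wp user list --role=administrator --format=json`
// and the lines from the web server's access log.

/**
 * Flag administrator accounts that were registered on or after $since, whose
 * login looks machine-generated (letters followed by 4+ digits), or whose
 * email is not on an optional list of addresses you recognise.
 */
function flag_suspicious_admins(array $users, string $since = '2025-10-30', array $known_emails = []): array {
    $utc     = new DateTimeZone('UTC');
    $cutoff  = new DateTimeImmutable($since . ' 00:00:00', $utc);
    $flagged = [];
    foreach ($users as $u) {
        if (!in_array('administrator', $u['roles'], true)) {
            continue; // only admin accounts are in scope for this check
        }
        $registered    = new DateTimeImmutable($u['user_registered'], $utc);
        $random_name   = (bool) preg_match('/^[a-z]+\d{4,}$/i', $u['user_login']);
        $unknown_email = $known_emails !== [] && !in_array(strtolower($u['user_email']), $known_emails, true);
        if ($registered >= $cutoff || $random_name || $unknown_email) {
            $flagged[] = $u['user_login'];
        }
    }
    return $flagged;
}

/** PHP files anywhere under the uploads tree; a clean site has none. */
function find_php_in_uploads(string $uploads_dir): array {
    $hits = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($uploads_dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (preg_match('/\.(php|phtml|phar|php\d)$/i', $file->getFilename())) {
            $hits[] = $file->getPathname();
        }
    }
    sort($hits);
    return $hits;
}

/** Count POST requests to admin-ajax.php per client IP in combined-format log lines. */
function tally_admin_ajax_posts(array $log_lines): array {
    $counts  = [];
    $pattern = '/^(\S+) \S+ \S+ \[[^\]]+\] "POST \/wp-admin\/admin-ajax\.php[^"]*"/';
    foreach ($log_lines as $line) {
        if (preg_match($pattern, $line, $m)) {
            $counts[$m[1]] = ($counts[$m[1]] ?? 0) + 1;
        }
    }
    arsort($counts); // busiest source first
    return $counts;
}

// ---- constructed sample data (not real accounts or traffic) ----
$sample_users = [
    ['user_login' => 'mark',       'user_email' => 'mark@example.com', 'user_registered' => '2019-03-04 10:00:00', 'roles' => ['administrator']],
    ['user_login' => 'wpuser8472', 'user_email' => 'x@example.net',    'user_registered' => '2025-11-09 02:13:44', 'roles' => ['administrator']],
    ['user_login' => 'jane',       'user_email' => 'jane@example.com', 'user_registered' => '2025-11-12 09:30:00', 'roles' => ['editor']],
];
$sample_log = [
    '198.51.100.7 - - [09/Nov/2025:02:13:40 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 58 "-" "python-requests/2.31"',
    '198.51.100.7 - - [09/Nov/2025:02:13:41 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 58 "-" "python-requests/2.31"',
    '203.0.113.5 - - [09/Nov/2025:08:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [09/Nov/2025:08:00:10 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
];

if (PHP_SAPI === 'cli') {
    print_r(flag_suspicious_admins($sample_users, '2025-10-30', ['mark@example.com']));
    print_r(tally_admin_ajax_posts($sample_log));
    $uploads = $argv[1] ?? 'wp-content/uploads'; // pass your real uploads path as the first argument
    if (is_dir($uploads)) {
        print_r(find_php_in_uploads($uploads));
    }
}
```

Treat the output as a shortlist, not a verdict: a legitimate admin created recently will be flagged by the date rule, and a single busy source in the log tally may be your own backup or monitoring tool. What you are looking for is the combination the article describes, a fresh admin with a name you don't recognise alongside a burst of POSTs to admin-ajax.php around its registration time.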

Five Things You Need to Do Right Now

Priority | Action                              | Time      | Difficulty
1        | Update King Addons to v51.1.35+     | 2-5 min   | Easy
2        | Audit all user accounts             | 5-15 min  | Easy
3        | Install WAF (Wordfence or Sucuri)   | 5-10 min  | Medium
4        | Enable 2FA for admin accounts       | 10-15 min | Easy
5        | Set up backups and monitoring       | 10-20 min | Medium

Total time to secure your site: 30 to 65 minutes.

1. Update King Addons Immediately

Non-negotiable. The patch shipped on 25th September. If you're running anything older than 51.1.35, you're exposed.

  1. Log into your WordPress dashboard
  2. Go to Plugins > Installed Plugins
  3. Find "King Addons for Elementor"
  4. Click "Update Now" if available
  5. Confirm the version number shows 51.1.35 or higher

If you don't see an update but you're on an older version, delete and reinstall from the official WordPress repository.

2. Audit All User Accounts

Even if you've patched, attackers might have created admin accounts before your update. Go through every user on your site. For each account, ask: do I recognise this person? When was it created? Does their role make sense?

Anything suspicious gets deleted. Anything uncertain with admin privileges gets demoted to subscriber until you can verify it. Then force a password reset for all legitimate users.

3. Get a Web Application Firewall Running

A WAF blocks exploit attempts at the network level before they reach WordPress.

Wordfence Security (free version works well) has been blocking King Addons exploits automatically since early August for premium users, September for free users. Install it, run the setup wizard, enable real-time threat protection, and schedule daily malware scans.

Sucuri Security is another solid free option with good scanning and monitoring. Either will do the job.

4. Enable Two-Factor Authentication

2FA adds a second layer so that even if an account gets compromised through a different vulnerability later, attackers still need your phone or authenticator app. Set it up for all admin and editor roles.

Don't skip this because it feels inconvenient. You know what's really inconvenient? Spending three days cleaning up a hacked site.

5. Sort Out Backups and Monitoring

Daily automated backups, stored off-site (Google Drive, Dropbox), with at least 30 days of history. Test your restore process monthly because a backup you can't restore is worthless.

At 365i, monitoring and automated backups are built into our WordPress hosting platform. We've caught several compromise attempts purely because alerts fired when dodgy accounts got created. If you're on basic shared hosting without monitoring, it's worth considering an upgrade. The cost difference between budget hosting and managed WordPress hosting is usually less than £20 a month.

Should You Ditch King Addons?

The vulnerability is patched in 51.1.35, so updating makes you safe from this specific issue. But this was a basic security oversight: not validating user roles during registration. That's Security 101.

"Plugin security isn't just about fixing bugs as they appear. It's about development practices that prevent entire categories of vulnerability. Input validation, capability checks, and nonce verification should be non-negotiable in any WordPress plugin handling user data."

- WordPress Plugin Security Documentation

That's from the official WordPress plugin security documentation, and it's exactly right. The fact that King Addons shipped without basic role validation suggests their development practices need work. I've seen too many plugins that treat security as an afterthought, and the people who pay the price are always the site owners.

If you're heavily invested in King Addons, update and secure. If you're building new sites, consider alternatives like JetEngine by Crocoblock, which has a better security track record and active development community. Migration from King Addons is doable: export Elementor widgets and reimport. Budget 2-4 hours for a mid-sized site.

Don't Wait. Sort This Out Today.

Block out 30 minutes this afternoon. Update the plugin, audit your users, get a WAF running, enable 2FA, sort out your backups. It's not glamorous work, but it's the kind of thing that lets you sleep at night.

If you're running multiple sites or this all feels overwhelming, that's exactly why managed WordPress hosting exists. We handle security monitoring, updates, and incident response so you can focus on building things instead of firefighting hacks.

And if you do discover you've been compromised? Don't panic. Shut things down, restore from a clean backup, change all passwords, and learn from it. We all make mistakes. The key is not making the same one twice.

For more on keeping your WordPress site safe, our guide to the WordPress 6.9 plugin issues covers how to handle updates safely.

Frequently Asked Questions

What is CVE-2025-8489 and how serious is it?

CVE-2025-8489 is a critical privilege escalation vulnerability in King Addons for Elementor with a CVSS score of 9.8 out of 10. It lets unauthenticated attackers create administrator accounts on WordPress sites without credentials, leading to complete site takeover. It's been actively exploited since 31st October 2025.

Which versions of King Addons are affected?

Versions 24.12.92 through 51.1.14 are vulnerable. The fix shipped in version 51.1.35 on 25th September 2025. Update to at least this version immediately.

How can I tell if my site has been compromised?

Check for admin accounts created after 30th October 2025 with unfamiliar emails or random usernames. Look for PHP files in your uploads directory. Review server logs for repeated POST requests to admin-ajax.php from unknown IPs.

What can attackers do with this vulnerability?

With admin access, attackers can upload malware, inject spam, redirect visitors to phishing sites, steal customer data, and take complete control of your WordPress installation. They often install backdoors for persistent access even after the plugin is updated.

How quickly do I need to update?

Today. The vulnerability has been under active mass exploitation since early November 2025, with 48,400+ attack attempts logged by Wordfence. Every day you delay increases the chance of compromise.

Is updating King Addons enough to secure my site?

Updating patches the vulnerability, but doesn't undo existing damage. You still need to audit user accounts for rogue admins, check for backdoors in your uploads directory, install a WAF, enable 2FA, and set up proper backups and monitoring.

Should I remove King Addons entirely?

If you're heavily invested, updating and securing is your best option. For new projects, alternatives like JetEngine by Crocoblock have better security track records. Migration takes 2-4 hours for a mid-sized site.

Can my hosting provider help with this?

Good managed WordPress hosts include security monitoring, automated backups, and incident response. At 365i, we flag suspicious account creation automatically and can help with cleanup. Budget hosting typically doesn't include these protections.

WordPress Security Shouldn't Keep You Up at Night

Our managed WordPress hosting includes security monitoring, automated backups, and expert support when things go wrong. Focus on your business, not firefighting hacks.

