
On July 24th, 2025, we received a submission for a Privilege Escalation vulnerability in King Addons for Elementor, a WordPress plugin with more than 10,000 active installations. This vulnerability makes it possible for an unauthenticated attacker to grant themselves administrative privileges by specifying the administrator user role during registration. The vendor released the patched version on September 25th, 2025, and we originally disclosed this vulnerability in the Wordfence Intelligence vulnerability database on October 30th, 2025. Our records indicate that attackers started exploiting the issue the next day, on October 31st, 2025. The Wordfence Firewall has already blocked over 48,400 exploit attempts targeting this vulnerability.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on August 4, 2025. Sites using the free version of Wordfence received the same protection after the standard 30-day delay on September 3, 2025.

Considering this vulnerability is under active attack, we urge users to ensure their sites are updated with the latest patched version of King Addons for Elementor, version 51.1.35 at the time of this writing, as soon as possible.

Vulnerability Summary from Wordfence Intelligence

CVSS Rating: 9.8 (Critical)
CVE-ID: CVE-2025-8489
Affected Versions: 24.12.92 – 51.1.14
Patched Version: 51.1.35
Bounty: $1,073.00

The King Addons for Elementor – Free Elements, Widgets, Templates, and Features for Elementor plugin for WordPress is vulnerable to privilege escalation in versions 24.12.92 to 51.1.14. This is due to the plugin not properly restricting the roles that users can register with. This makes it possible for unauthenticated attackers to register with administrator-level user accounts.

Vulnerability Details

Examining the code reveals that the plugin uses the handle_register_ajax() function in the Login_Register_Form_Ajax class to handle registration, with the following code snippets:

// Additional fields - moved user_role here to fix undefined variable error
$user_role = isset($_POST['user_role']) ? sanitize_text_field($_POST['user_role']) : 'subscriber';
(line 158)

// Set user role if provided
if (!empty($user_role) && $user_role !== 'subscriber') {
    $user_data['role'] = $user_role;
}

$user_id = wp_insert_user($user_data);

Unfortunately, this function was implemented insecurely: the role taken from the user_role POST parameter is only passed through sanitize_text_field() and is never validated against a list of roles a self-registering user may hold, so unauthenticated attackers can specify any role without restriction, which means they could grant themselves the administrator role.
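To make the defect concrete, here is an added example (not the plugin's own code and not the vendor's patch) that puts the vulnerable role-resolution logic from the snippet above next to a hardened version. The hardened variant only honours a role that appears in an explicit allow-list and otherwise falls back to the site's configured default role. The sanitize_text_field() and get_option() definitions are minimal stand-ins so the script runs from the command line; inside WordPress the real functions would be used instead, which is why they are wrapped in function_exists() guards.

```php
<?php
// Added example, not code from King Addons for Elementor.
// Minimal stand-ins for two WordPress functions so this runs outside WordPress.
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str) { return trim(strip_tags((string) $str)); }
}
if (!function_exists('get_option')) {
    function get_option($name, $default = false) {
        return $name === 'default_role' ? 'subscriber' : $default;
    }
}

// Roles a self-registered account may ever receive. Administrator, editor and
// every other privileged role are deliberately absent from this list.
const ALLOWED_SELF_REGISTRATION_ROLES = ['subscriber'];

/**
 * Vulnerable behaviour, reproduced from the snippet above: the POSTed role is
 * sanitized but never validated, so 'administrator' is accepted as-is.
 */
function resolve_role_vulnerable(array $post): string
{
    $user_role = isset($post['user_role']) ? sanitize_text_field($post['user_role']) : 'subscriber';
    return (!empty($user_role) && $user_role !== 'subscriber') ? $user_role : 'subscriber';
}

/**
 * Hardened: a requested role is honoured only if it is on the allow-list;
 * anything else (including unknown role names) becomes the default role.
 */
function resolve_role_hardened(array $post): string
{
    $default   = (string) get_option('default_role', 'subscriber');
    $requested = isset($post['user_role']) ? sanitize_text_field($post['user_role']) : '';
    if ($requested !== '' && in_array($requested, ALLOWED_SELF_REGISTRATION_ROLES, true)) {
        return $requested;
    }
    return $default;
}

// Constructed request bodies; the first mirrors the attack request shown in this post.
$samples = [
    'attack'  => ['user_role' => 'administrator'],
    'normal'  => ['user_role' => 'subscriber'],
    'unknown' => ['user_role' => 'shop_manager'],
    'absent'  => [],
];

foreach ($samples as $name => $body) {
    printf("%-8s vulnerable=%-14s hardened=%s\n",
        $name, resolve_role_vulnerable($body), resolve_role_hardened($body));
}
```

The stricter option, which many plugins take, is to not read a role from the request at all and always use get_option('default_role'); the allow-list form above is only worth the extra parameter if the site genuinely needs to offer a choice between several unprivileged roles. Either way, the check must be server-side: the nonce and confirm_password fields seen in the attack request do nothing to stop a client from choosing its own role.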

As with any Privilege Escalation vulnerability, this vulnerability can be used for a complete site compromise. Once an attacker has gained administrative user access to a WordPress site, they can then manipulate anything on the targeted site as a normal administrator would. This includes the ability to upload plugin and theme files, which can be malicious zip files containing backdoors. Additionally, they could modify posts and pages which can be leveraged to redirect site users to other malicious sites or inject spam content.

A Closer Look at the Attack Data

The following data highlights actual exploit attempts from threat actors targeting this vulnerability.

Example attack request

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: [redacted]
Content-Type: application/x-www-form-urlencoded

action=king_addons_user_register&nonce=794bfba24f&username=[redacted]&email=[redacted]%40nxploit.me&password=[redacted]&confirm_password=[redacted]&user_role=administrator&terms_required=no

Wordfence Firewall

The following graphic illustrates the steps an attacker might take to exploit this vulnerability and the point at which the Wordfence firewall would block the attempt.

[Graphic: steps to exploitation of the King Addons admin registration flaw and where the Wordfence firewall blocks the attack]

Total Number of Exploits Blocked

The Wordfence Firewall has blocked over 48,400 exploit attempts since the vulnerability was publicly disclosed.

[Chart: exploit attempts blocked by the Wordfence firewall over time]

According to our data, attackers started targeting websites the day after the vulnerability was publicly disclosed, on October 31st. We also detected and blocked a large number of exploit attempts on November 9th and November 10th.

Top Offending IP Addresses

The following IP addresses are currently the most active sources of attacks against the King Addons for Elementor plugin registration function:

  • 45.61.157.120: over 28,900 blocked requests
  • 2602:fa59:3:424::1: over 16,900 blocked requests
  • 182.8.226.228: over 300 blocked requests
  • 138.199.21.230: over 100 blocked requests
  • 206.238.221.25: over 100 blocked requests

[Chart: blocked exploit attempts by source IP address]

Indicators of Compromise

One obvious sign of compromise to look for is newly added administrator accounts that you did not create.

We also recommend reviewing log files for any requests originating from the following IP addresses:

  • 45.61.157.120
  • 2602:fa59:3:424::1
  • 182.8.226.228
  • 138.199.21.230
  • 206.238.221.25

The absence of any such log entries does not guarantee that your website has not been compromised. We recommend doing a thorough review if you see any abnormal activity or unexpected accounts on your site and you are running a vulnerable version of the software.
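The two indicators above, unexpected administrator accounts and requests from the listed IP addresses, can both be checked with a short script. The following is an added example, not Wordfence tooling, written in PHP since that is what a WordPress host already has. It scans combined-format access-log lines for the listed IPs and for POSTs to admin-ajax.php that carry the plugin's registration action, and it flags administrator accounts registered on or after the public disclosure date. Request bodies are not written to access logs, so the user_role parameter from the attack request is normally invisible there; the action name can still show up in the query string because admin-ajax.php accepts it from either location. All log lines and account rows in the script are constructed for the example.

```php
<?php
// Added example, not Wordfence code. Checks the indicators of compromise
// described in this post against constructed sample data.

// IP addresses listed in this post.
const IOC_IPS = [
    '45.61.157.120', '2602:fa59:3:424::1', '182.8.226.228',
    '138.199.21.230', '206.238.221.25',
];
// Date the vulnerability was publicly disclosed.
const DISCLOSURE_DATE = '2025-10-30';

/**
 * Return findings for one combined-log-format line. The POST body is not
 * logged, so a hit here is a lead to investigate, not proof of exploitation.
 */
function analyze_log_line(string $line): array
{
    // IP ident user [date] "METHOD target PROTO" status ...
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/';
    if (!preg_match($re, $line, $m)) {
        return ['unparsable line'];
    }
    [, $ip, , $method, $target, $status] = $m;
    $findings = [];
    if (in_array($ip, IOC_IPS, true)) {
        $findings[] = "request from listed IP $ip";
    }
    $url   = parse_url($target);
    $query = [];
    if (!empty($url['query'])) {
        parse_str($url['query'], $query);
    }
    if ($method === 'POST' && ($url['path'] ?? '') === '/wp-admin/admin-ajax.php') {
        if (($query['action'] ?? '') === 'king_addons_user_register') {
            $findings[] = "registration action via admin-ajax.php, HTTP $status";
        } elseif (in_array($ip, IOC_IPS, true)) {
            // Body is unlogged, so the action is unknown; the source IP makes it worth a look.
            $findings[] = "admin-ajax.php POST with unlogged body from listed IP, HTTP $status";
        }
    }
    return $findings;
}

/**
 * Given rows of [user_login, role, user_registered], return the logins of
 * administrators registered on or after $since (YYYY-MM-DD).
 */
function suspicious_admins(array $rows, string $since = DISCLOSURE_DATE): array
{
    $out = [];
    foreach ($rows as [$login, $role, $registered]) {
        if ($role === 'administrator' && substr($registered, 0, 10) >= $since) {
            $out[] = $login;
        }
    }
    return $out;
}

// Constructed sample log lines (IPs other than the IoCs are documentation ranges).
$log = [
    '45.61.157.120 - - [31/Oct/2025:02:14:07 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 57 "-" "curl/8.4.0"',
    '203.0.113.9 - - [31/Oct/2025:02:15:11 +0000] "POST /wp-admin/admin-ajax.php?action=king_addons_user_register HTTP/1.1" 200 57 "-" "python-requests/2.31"',
    '198.51.100.4 - - [31/Oct/2025:02:16:30 +0000] "GET /wp-content/themes/x/style.css HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
];
// Constructed account rows in the shape of `wp user list --fields=user_login,roles,user_registered`.
$users = [
    ['owner',      'administrator', '2021-03-02 10:00:00'],
    ['editor1',    'editor',        '2025-11-01 08:00:00'],
    ['support_tmp','administrator', '2025-11-09 13:37:00'],
];

foreach ($log as $line) {
    foreach (analyze_log_line($line) as $finding) {
        echo "LOG:  $finding\n";
    }
}
foreach (suspicious_admins($users) as $login) {
    echo "USER: administrator '$login' registered on/after " . DISCLOSURE_DATE . "\n";
}
```

On a real site, feed the script the web server's access log and the output of `wp user list --role=administrator --fields=user_login,user_registered --format=csv`. A 200 response from admin-ajax.php says nothing about whether the registration succeeded, so treat log hits as a reason to check the user table, and treat an unrecognised administrator account as the decisive indicator.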

Conclusion

In today’s article, we covered the attack data for a critical-severity vulnerability in the King Addons for Elementor plugin that allows unauthenticated attackers to grant themselves administrative privileges by specifying a user role during registration. Our threat intelligence indicates that attackers may have started actively targeting this vulnerability as early as October 31st, 2025 with mass exploitation starting on November 9th, 2025. The Wordfence firewall has already blocked over 48,400 exploit attempts targeting this vulnerability.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on August 4, 2025. Sites using the free version of Wordfence received the same protection after the standard 30-day delay on September 3, 2025.

Even if you have already received a firewall rule for this issue we urge you to ensure that your site is updated to at least version 51.1.35 in order to maintain normal functionality. If you have friends or colleagues running King Addons for Elementor, be sure to forward this advisory to them, as thousands of sites could still be unprotected and unpatched.

If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both of these products include hands-on support in case you need further assistance.
