Critical WordPress Plugin Flaw Exploited to Create Rogue Admin Accounts

Deepanker Verma December 4, 2025 Security

A critical security flaw in a popular WordPress add-on for Elementor is now being actively exploited, allowing attackers to create administrator accounts on vulnerable sites. The vulnerability, tracked as CVE-2025-8489, affects the King Addons for Elementor plugin, which is installed on around 10,000 websites.

The issue was disclosed publicly on October 30, and attackers began exploiting it within 24 hours. According to Defiant, the company behind the Wordfence security scanner, more than 48,400 attacks have already been blocked.

The flaw was discovered by security researcher Peter Thaleikis, who found that the plugin’s registration handler allows anyone signing up to choose their own user role. This means an attacker can simply send a crafted request and set their account role to “administrator” during registration.

Wordfence has observed attackers abusing admin-ajax.php to pass user_role=administrator and instantly gain full control of a site. Two IP addresses are responsible for the majority of attempts so far: 45.61.157.120 and 2602:fa59:3:424::1, with tens of thousands of exploit attempts coming from these sources alone.

Website owners using King Addons are strongly urged to update to version 51.1.35, which was released on September 25 and contains the patch. Security teams also recommend checking logs for suspicious IP addresses and looking for unknown admin accounts. If any are found, the site should be treated as compromised.
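To make the bug class concrete, here is an added illustration written for this article, not King Addons' code and not taken from Wordfence's report: a hypothetical plugin AJAX registration handler in the vulnerable form (role taken from the request) beside a hardened form, plus a small query for the "unknown admin accounts" check. The function names, the `demo_register` nonce action and the `user_role` parameter name are assumptions.

```php
<?php
// Hypothetical WordPress AJAX registration handlers written for this article.
// They illustrate the bug class only; they are not King Addons' actual code.

// VULNERABLE PATTERN: the role comes from the request, so an unauthenticated
// caller can ask for "administrator" while signing up.
function demo_register_vulnerable() {
    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( $_POST['user_login'] ?? '' ),
        'user_email' => sanitize_email( $_POST['user_email'] ?? '' ),
        'user_pass'  => (string) ( $_POST['user_pass'] ?? '' ),
        'role'       => sanitize_text_field( $_POST['user_role'] ?? 'subscriber' ),
    ) );
    wp_send_json( array( 'user_id' => $user_id ) );
}
add_action( 'wp_ajax_nopriv_demo_register_vulnerable', 'demo_register_vulnerable' );

// HARDENED PATTERN: the client never picks a role. Verify a nonce, honour the
// site's registration setting, and clamp the default role to an allow-list.
function demo_register_hardened() {
    check_ajax_referer( 'demo_register', 'nonce' );            // dies on failure
    if ( ! get_option( 'users_can_register' ) ) {
        wp_send_json_error( 'Registration is disabled.', 403 );
    }
    $role = get_option( 'default_role', 'subscriber' );
    if ( ! in_array( $role, array( 'subscriber', 'contributor' ), true ) ) {
        $role = 'subscriber';                                    // misconfigured default cannot grant privileges
    }
    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ), true ),
        'user_email' => sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) ),
        'user_pass'  => (string) ( $_POST['user_pass'] ?? '' ),
        'role'       => $role,                                   // $_POST['user_role'] is ignored entirely
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 400 );
    }
    wp_send_json_success( array( 'user_id' => $user_id ) );
}
add_action( 'wp_ajax_nopriv_demo_register_hardened', 'demo_register_hardened' );

// AUDIT HELPER for the "look for unknown admin accounts" check: administrators
// registered on or after $since, e.g. the disclosure date.
// From WP-CLI: wp eval 'print_r( demo_admins_since( "2025-10-30" ) );'
function demo_admins_since( $since ) {
    return get_users( array(
        'role'       => 'administrator',
        'date_query' => array( array( 'after' => $since, 'inclusive' => true ) ),
    ) );
}
```

Any account the audit returns that the site owner did not create should be treated as a sign of compromise, as the article recommends, rather than simply deleted.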

However, this is not the only serious WordPress plugin issue this month. Wordfence has also issued a warning about a second critical flaw, this time in the widely used Advanced Custom Fields: Extended plugin, installed on more than 100,000 sites. The vulnerability, tracked as CVE-2025-13486, allows unauthenticated attackers to execute code remotely.

The flaw stems from a function that accepts user input and passes it to call_user_func_array(), enabling attackers to run arbitrary code on the server. This can lead to backdoor installation or the creation of new admin users. The issue was responsibly reported by Marcin Dudek, head of Poland’s national CERT.

The developer fixed the problem quickly and released version 0.9.2 on November 19. But now that details are public, exploitation attempts are expected to rise.

As always, WordPress site owners should update immediately and consider disabling vulnerable plugins until patches are applied. Both vulnerabilities highlight how third-party add-ons remain one of the biggest security risks for WordPress websites, especially when flaws are disclosed before many site owners have updated.

About the Author: Deepanker Verma

Deepanker Verma is a well-known technology blogger and gadget reviewer based in India. He has been writing about Tech for over a decade.
