Threat actors have been hacking WordPress websites by exploiting a recent King Addons for Elementor vulnerability, Defiant reports.
Tracked as CVE-2025-8489 (CVSS score of 9.8), the critical-severity bug is described as a privilege escalation issue that allows attackers to obtain administrative privileges.
The vulnerability impacts versions 24.12.92 to 51.1.14. King Addons for Elementor’s maintainers patched the issue in version 51.1.35 of the plugin, which was released on September 25.
About a month later, threat actors started exploiting the flaw, and Defiant has observed roughly 50,000 exploit attempts to date.
The security hole, Defiant explains, lies in the plugin's user registration function, which does not restrict the role a newly created account can be given.
This allows “unauthenticated attackers to specify their role without any restrictions, which means they could grant themselves the administrator role,” Defiant says.
Because exploitation hands the attacker administrator privileges, the WordPress security firm notes, it amounts to a full site compromise.
By taking over a site, an attacker could upload malicious files or modify content to redirect users to malicious sites.
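The bug class Defiant describes, an unauthenticated registration handler that lets the caller choose their own role, is easy to picture in WordPress plugin code. The following is an added illustration written for this article; it is not the King Addons for Elementor code, and the hook names, parameter names and function names (`example_register_insecure`, `example_register_secure`, the `example_register_nonce` action) are hypothetical. It places a handler with the described weakness next to a hardened version that uses only core WordPress APIs.

```php
<?php
/**
 * Illustrative only: NOT the King Addons for Elementor source. Two hypothetical
 * registration handlers for a WordPress plugin, showing the class of bug the
 * advisory describes (an anonymous caller picks their own role) next to a
 * hardened version. All names are made up for this example.
 */

// --- Vulnerable pattern ----------------------------------------------------
// wp_ajax_nopriv_* hooks run for visitors who are not logged in.
add_action( 'wp_ajax_nopriv_example_register', 'example_register_insecure' );

function example_register_insecure() {
    $username = sanitize_user( wp_unslash( $_POST['username'] ?? '' ) );
    $email    = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $password = (string) ( $_POST['password'] ?? '' );

    // The weakness: the role comes straight from the request. An anonymous
    // caller can send role=administrator and wp_insert_user() will honour it.
    // Sanitizing the string does nothing to stop that.
    $role = sanitize_text_field( wp_unslash( $_POST['role'] ?? 'subscriber' ) );

    $user_id = wp_insert_user( array(
        'user_login' => $username,
        'user_email' => $email,
        'user_pass'  => $password,
        'role'       => $role,
    ) );

    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 400 ); // exits
    }
    wp_send_json_success( array( 'user_id' => $user_id ) );
}

// --- Hardened pattern ------------------------------------------------------
add_action( 'wp_ajax_nopriv_example_register_safe', 'example_register_secure' );

function example_register_secure() {
    // Honour the site-wide "Anyone can register" setting.
    if ( ! get_option( 'users_can_register' ) ) {
        wp_send_json_error( 'Registration is disabled.', 403 );
    }

    // Bind the request to a form this plugin rendered (third arg false = return
    // instead of dying, so we can send a JSON error).
    if ( ! check_ajax_referer( 'example_register_nonce', 'nonce', false ) ) {
        wp_send_json_error( 'Invalid request.', 403 );
    }

    $username = sanitize_user( wp_unslash( $_POST['username'] ?? '' ), true );
    $email    = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $password = (string) ( $_POST['password'] ?? '' );

    if ( '' === $username || ! is_email( $email ) || strlen( $password ) < 12 ) {
        wp_send_json_error( 'Invalid username, e-mail or password.', 400 );
    }
    if ( username_exists( $username ) || email_exists( $email ) ) {
        wp_send_json_error( 'Account already exists.', 409 );
    }

    // The fix: the role is never read from the request. Self-registered
    // accounts get the site's configured default role (normally subscriber).
    // If a design really must offer a choice, compare the submitted value
    // against a server-side allowlist that excludes administrator/editor.
    $user_id = wp_insert_user( array(
        'user_login' => $username,
        'user_email' => $email,
        'user_pass'  => $password,
        'role'       => get_option( 'default_role', 'subscriber' ),
    ) );

    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 400 );
    }
    wp_send_json_success( array( 'user_id' => $user_id ) );
}
```

The point to take from the comparison is that input sanitization is not authorization: `sanitize_text_field()` happily returns `administrator`. The role of a self-registered account is a server-side decision, and any parameter that influences it must be ignored or checked against an allowlist the caller cannot extend.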
“Our threat intelligence indicates that attackers may have started actively targeting this vulnerability as early as October 31st, 2025 with mass exploitation starting on November 9th, 2025,” Defiant says.
King Addons for Elementor has over 10,000 active installs. According to WordPress statistics, thousands of websites are still running a vulnerable version of the plugin.
Users are advised to update to King Addons for Elementor version 51.1.35 or newer as soon as possible.
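Updating closes the hole but does not undo an account an attacker already created. Since Defiant puts the earliest observed exploitation at October 31, 2025, a practical first check is to list administrator accounts registered on or after that date. The helper below is an added example for this article, not code from the plugin or from Defiant; `example_list_recent_admins` is a hypothetical name, and the date is the one the report gives.

```php
<?php
/**
 * Illustrative audit helper, not part of the plugin or of Defiant's report.
 * Lists administrator accounts created on or after the earliest exploitation
 * date the report gives (31 October 2025). Run it with `wp eval-file` or
 * from a must-use plugin. Function name is hypothetical.
 */
function example_list_recent_admins( $since = '2025-10-31 00:00:00' ) {
    $query = new WP_User_Query( array(
        'role'       => 'administrator',
        // date_query on WP_User_Query filters on users.user_registered.
        'date_query' => array(
            array(
                'after'     => $since,
                'inclusive' => true,
            ),
        ),
        'fields'  => array( 'ID', 'user_login', 'user_email', 'user_registered' ),
        'orderby' => 'registered',
        'order'   => 'ASC',
    ) );

    return $query->get_results(); // array of stdClass with the fields above
}

$suspects = example_list_recent_admins();

if ( empty( $suspects ) ) {
    echo "No administrator accounts registered since 2025-10-31.\n";
} else {
    foreach ( $suspects as $user ) {
        printf(
            "%d\t%s\t%s\t%s\n",
            $user->ID,
            $user->user_login,
            $user->user_email,
            $user->user_registered
        );
    }
}
```

Treat an empty result as necessary, not sufficient: an attacker who already has administrator access can edit `user_registered`, promote an existing account instead of creating one, or, as the report notes, drop malicious files and content changes that survive removing the account. Review role changes on existing users, recently modified plugin and upload directories, and scheduled events alongside this list.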
Related: Microsoft Silently Mitigated Exploited LNK Vulnerability
Related: Chrome 143 Patches High-Severity Vulnerabilities
Related: Exploited ‘Post SMTP’ Plugin Flaw Exposes WordPress Sites to Takeover
Related: Year-Old WordPress Plugin Flaws Exploited to Hack Websites

