CVE-2025-8489
Published: 31 October 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2025-8489 is a privilege escalation vulnerability in the King Addons for Elementor – Free Elements, Widgets, Templates, and Features for Elementor plugin for WordPress, affecting versions 24.12.92 through 51.1.14. The flaw arises because the plugin does not properly restrict the user roles available during registration, mapped to CWE-269 (Improper Privilege Management). This was published on 2025-10-31 with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity.
Unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction. By leveraging the plugin's registration functionality, they can create new user accounts with administrator privileges, gaining full control over the affected WordPress site, including the ability to modify content, manage users, install plugins, and alter configurations.
Patched versions address the issue, as evidenced by code changes in the plugin's Login_Register_Form_Ajax.php file: line 353 in tag 24.12.93 and line 160 in tag 51.1.35. The Wordfence threat intelligence advisory provides additional details on the vulnerability and recommends updating to these or later versions for mitigation.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an unauthenticated privilege escalation in a public-facing WordPress plugin, directly exploited via T1190 (Exploit Public-Facing Application) to gain administrator privileges, aligning with T1068 (Exploitation for Privilege Escalation).