Listen to this Post

WordPress site owners using the King Addons plugin for Elementor face urgent security risks following the discovery of two critical vulnerabilities that could allow attackers to seize full control of their websites. King Addons, a widely-used extension that enhances Elementor with features like contact forms, sliders, pricing tables, and login workflows, is installed on over 10,000 sites worldwide. Recent research from cybersecurity firm Patchstack revealed severe flaws that demand immediate attention from site administrators.
Summary of the Vulnerabilities
King Addons suffers from two major unauthenticated vulnerabilities that pose a direct threat to site security: an arbitrary file upload flaw (CVE-2025-6327) and a privilege escalation vulnerability via the registration endpoint (CVE-2025-6325). The file upload issue arises from an AJAX handler that exposes a nonce to all visitors through localized script data. This allows attackers to trigger the upload function without authentication, bypassing security controls. Compounding the problem, the file validation process fails because the file_validity() method returns a non-empty string instead of false for disallowed file types, and the allowed_file_types parameter can be manipulated to accept unauthorized files into the wp-content/uploads/king-addons/forms/ directory.
The privilege escalation vulnerability occurs via a registration handler that accepts client-supplied user roles. When site registration is enabled and the King Addons Register widget is active, an attacker could send a POST request with action=king_addons_user_register and user_role=administrator, thereby creating a fully privileged admin account. Both vulnerabilities are trivially exploitable without any authentication, meaning any visitor could compromise the site if left unpatched.
King Addons has addressed these vulnerabilities in two updated releases. Key fixes include implementing a role allowlist and input sanitization to restrict new accounts to safe roles like subscriber or customer, and updating the upload handler to require proper permissions (upload_files) along with strict file type validation. Administrators are advised to check whether the “King Addons Login | Register Form” widget is in use and to update the plugin to version 51.1.37 immediately. The patched versions mitigate the risk of full site takeover.
What Undercode Say: Deep Analysis
These vulnerabilities illustrate a broader concern in WordPress plugin security: the balance between feature richness and secure coding practices. Plugins like King Addons aim to simplify site building with dynamic functionality, but complexity often increases the attack surface. The AJAX file upload flaw underscores a common mistake in WordPress plugin development—exposing sensitive nonces to unauthenticated users. Nonces are meant to prevent unauthorized actions, yet improper exposure effectively nullifies this protection, allowing attackers to place malicious files anywhere within web-accessible directories. Such files could be leveraged to execute arbitrary code, plant backdoors, or deploy malware, putting both site owners and visitors at risk.
The privilege escalation issue highlights another recurring weakness: trusting client-supplied input for role assignment. Allowing external users to specify administrator roles is an egregious oversight, reflecting inadequate input validation and insufficient adherence to the principle of least privilege. Attackers exploiting this flaw could gain full administrative access, modify site content, exfiltrate sensitive data, and even manipulate the WordPress database.
From a risk management perspective, these vulnerabilities demonstrate the importance of timely plugin audits and proactive security monitoring. Site administrators often underestimate the exposure posed by inactive widgets or rarely used features. In this case, the “King Addons Login | Register Form” widget alone acted as a gateway for full site compromise. Patchstack’s findings also reveal the critical role of responsible vulnerability disclosure and vendor responsiveness. The vendor’s quick release of patched versions, including enhanced file validation and role restrictions, is commendable. However, the reliance on site owners to implement updates remains a weak link in the security chain.
For enterprise WordPress deployments or high-traffic sites, such vulnerabilities could have severe financial and reputational consequences. Exploited uploads could host ransomware, phishing scripts, or crypto-mining operations, while unauthorized admin creation allows complete site manipulation. Regular vulnerability scans, combined with strict adherence to security best practices—like principle of least privilege, controlled file uploads, and code audits—are non-negotiable. This incident also reinforces the need for continuous monitoring tools and automatic plugin update strategies.
The situation reflects a larger trend in WordPress ecosystem risks: highly popular plugins, despite strong functionality, often carry critical vulnerabilities that remain unnoticed until exploited in the wild. Cybersecurity experts argue that developers must prioritize security reviews during feature expansion, and users must maintain an aggressive patching schedule. Failure to do so risks turning convenient features into pathways for full-scale attacks.
Ultimately, the King Addons vulnerabilities are a wake-up call. Even trusted, widely installed plugins can harbor severe security gaps. Immediate action—updating the plugin, auditing active widgets, and reviewing user role assignment—is essential to prevent compromise. Beyond technical measures, educating site admins about plugin-related risks is crucial to maintaining a secure WordPress environment.
Fact Checker Results
✅ Both vulnerabilities are confirmed and documented by Patchstack.
✅ Exploitation does not require authentication.
❌ No reports of active widespread exploitation at this time.
Prediction
📊 If unpatched, thousands of WordPress sites remain vulnerable to full compromise, including potential malware deployment and admin account takeover. Immediate updates and continuous monitoring will likely become a standard recommendation for all WordPress site owners. Over the next 6–12 months, similar popular Elementor plugins may face increased scrutiny, with developers introducing stricter security frameworks and automated patching alerts. Sites that maintain proactive plugin management will see a substantial reduction in breach risks, while neglected updates could result in escalating attack incidents.
🕵️📝✔️Let’s dive deep and fact‑check.
References:
Reported By: www.infosecurity-magazine.com
Extra Source Hub (Possible Sources for article):
https://www.twitter.com
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
Bing
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon




