Another Major WordPress Plugin Security Flaw Could Affect 10,000 Sites – Find Out If You’re Affected

  • The King Addons plugin had two critical flaws that allowed a WordPress website to be completely taken over
  • The bugs allowed unauthenticated file uploads and privilege escalation via the registration endpoint
  • Users should update to version 51.1.37 to patch both vulnerabilities.

King Addons for Elementor, a business WordPress plugin that extends the Elementor page builder with additional widgets, templates, and design features, had two critical-severity vulnerabilities that allowed threat actors to completely take over vulnerable websites, experts warned.

In a new security advisory, Patchstack detailed two bugs: an unauthenticated arbitrary file upload flaw (CVE-2025-6327) and a privilege escalation flaw in the registration endpoint (CVE-2025-6325). The former has a severity rating of 10/10 (critical), while the latter is rated 9.8/10 (also critical).

Both bugs allowed a threat actor to turn a vulnerable WordPress website into a beachhead. Attackers can introduce code or accounts to the site and use them to carry out actions that lead to a complete compromise of the site or data theft.

Patching the bugs

Site administrators using the “King Addons Login | Registration Form” widgets should update the plugin to version 51.1.37 as soon as possible, as this patch fixes both vulnerabilities and mitigates potential site takeover risks.

“Both vulnerabilities are trivially exploitable in frequent configurations and don’t require authentication,” Patchstack warned. “Immediate patching is strongly advisable.”

Infosecurity Magazine says the vendor addressed the vulnerabilities in two versions, introducing a list of allowed roles and input sanitization, as well as an upload handler that now requires proper permission and enforces strict file type validation.
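The kind of fix described above (a role allowlist on registration, plus a permission check and strict file type validation on upload) can be sketched with standard WordPress functions. This is an added illustration, not the vendor's patch or the plugin's code; every `example_*` function, action and form field name is hypothetical.

```php
<?php
/* Plugin Name: Example hardened handlers (added illustration, hypothetical names) */

// Only roles listed here may be assigned through public registration.
const EXAMPLE_ALLOWED_ROLES = array( 'subscriber' );

function example_pick_role( $requested ) {
    $role = sanitize_key( (string) $requested );
    // Anything outside the allowlist (e.g. "administrator") falls back to the lowest role.
    return in_array( $role, EXAMPLE_ALLOWED_ROLES, true ) ? $role : 'subscriber';
}

function example_register_user() {
    check_ajax_referer( 'example_register', 'nonce' );
    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( wp_unslash( $_POST['username'] ?? '' ), true ),
        'user_email' => sanitize_email( wp_unslash( $_POST['email'] ?? '' ) ),
        'user_pass'  => wp_generate_password( 24 ), // user sets their own via reset link
        'role'       => example_pick_role( wp_unslash( $_POST['role'] ?? '' ) ),
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 400 );
    }
    wp_send_json_success( array( 'user_id' => $user_id ) );
}
// Registration is public, so it is the one handler exposed to logged-out visitors.
add_action( 'wp_ajax_nopriv_example_register', 'example_register_user' );

function example_upload() {
    check_ajax_referer( 'example_upload', 'nonce' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'Forbidden', 403 );
    }
    if ( empty( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( 'No file supplied', 400 );
    }
    // Strict allowlist: extension and detected content type must both match.
    $mimes = array( 'jpg|jpeg' => 'image/jpeg', 'png' => 'image/png' );
    $check = wp_check_filetype_and_ext( $_FILES['file']['tmp_name'], $_FILES['file']['name'], $mimes );
    if ( ! $check['ext'] || ! $check['type'] ) {
        wp_send_json_error( 'File type not allowed', 415 );
    }
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $_FILES['file'], array( 'test_form' => false, 'mimes' => $mimes ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
// No wp_ajax_nopriv_ hook: logged-out requests never reach the upload handler.
add_action( 'wp_ajax_example_upload', 'example_upload' );
```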

King Addons for Elementor is a popular addon with over 10,000 active users. It provides 70+ widgets, 650+ templates, and 4000+ page sections, helping users create their websites without extensive coding knowledge.

Discovering critical vulnerabilities in WordPress plugins and themes is nothing new.

Third-party platform extensions are the most common way cybercriminals compromise and take over WordPress websites, so users are always advised to keep only the plugins they use and ensure they are always updated to the latest versions.

Tech Insider (NewForTech Editorial Team)
Tech Insider is NewForTech’s in-house editorial team focusing on tech news, security, AI, opinions and technology trends
