PT-2025-44584 · WordPress · Qi Addons For Elementor

Peter Thaleikis

·

Published

2025-10-31

·

Updated

2026-04-29

·

CVE-2025-8489

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

King Addons for Elementor, versions 24.12.92 through 51.1.14. ShopLentor WordPress plugin (affected versions not specified).

Description

King Addons for Elementor, a WordPress plugin, contains a critical privilege escalation vulnerability (CVE-2025-8489) that allows unauthenticated attackers to register administrator-level accounts. The root cause is insufficient restriction of the user role assigned during registration: the role is taken from a client-supplied parameter in the registration request, so an attacker can set it to an administrative role and obtain full control of the site, including malware injection and defacement. Approximately 50,000 exploit attempts have been observed since the vulnerability began to be actively exploited.

The ShopLentor WordPress plugin contains a path traversal vulnerability that allows unauthenticated attackers to execute arbitrary PHP code on the server. The flaw lies in improper handling of file loading through the /api/v1/login endpoint.

Recommendations

King Addons for Elementor versions 24.12.92 through 51.1.14: update the plugin to version 51.1.35 or later. ShopLentor WordPress plugin: at the time of writing, no fixed version is known.
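The following is an added illustration of the bug class described above, written for this page; it is not code from the affected plugin or from the advisory. It contrasts a registration handler that takes the role from the request (the pattern behind the privilege escalation) with a hardened one that decides the role server-side and rolls back any account that ends up with site-controlling capabilities. The function names, the `user_role` request key, and the allowlist contents are assumptions for illustration; the WordPress functions called (`wp_insert_user`, `wp_verify_nonce`, `get_option`, `get_userdata`, `wp_delete_user`) are standard core API.

```php
<?php
// Added example (hypothetical handler names), not the plugin's own code.
// Requires a loaded WordPress environment for the wp_* functions.

// BEFORE: the role is read from the request body. Any unauthenticated visitor
// who submits user_role=administrator gets an administrator account.
function insecure_register_user( array $request ) {
    $role = isset( $request['user_role'] )
        ? sanitize_key( $request['user_role'] )
        : 'subscriber';

    return wp_insert_user( array(
        'user_login' => sanitize_user( $request['username'] ),
        'user_email' => sanitize_email( $request['email'] ),
        'user_pass'  => $request['password'],
        'role'       => $role, // attacker-controlled
    ) );
}

// AFTER: the client never chooses the role. The role comes from a server-side
// allowlist plus the site's configured default, registration is gated on the
// site setting and a nonce, and a post-insert capability check rolls back any
// account that would still be privileged (defence in depth against other paths).
function secure_register_user( array $request ) {
    if ( ! get_option( 'users_can_register' ) ) {
        return new WP_Error( 'registration_disabled', 'Registration is disabled.' );
    }
    if ( empty( $request['_wpnonce'] ) || ! wp_verify_nonce( $request['_wpnonce'], 'example_register' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid registration token.' );
    }

    // Roles a public signup may ever receive; set by an administrator, not the visitor.
    $allowed_roles = array( 'subscriber', 'customer' );
    $configured    = (string) get_option( 'default_role', 'subscriber' );
    $role          = in_array( $configured, $allowed_roles, true ) ? $configured : 'subscriber';

    // Deliberately do NOT read $request['user_role'] or any other role-like field.
    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( $request['username'] ),
        'user_email' => sanitize_email( $request['email'] ),
        'user_pass'  => $request['password'],
        'role'       => $role,
    ) );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }

    // Refuse to keep any account that can administer the site or other users.
    $user = get_userdata( $user_id );
    if ( $user && ( $user->has_cap( 'manage_options' ) || $user->has_cap( 'edit_users' ) ) ) {
        require_once ABSPATH . 'wp-admin/includes/user.php'; // wp_delete_user() lives here
        wp_delete_user( $user_id );
        return new WP_Error( 'forbidden_role', 'Registration produced a privileged account; rolled back.' );
    }

    return $user_id;
}
```

For site operators checking whether this or a similar flaw was already exploited, the quickest triage is to list administrator accounts ordered by creation time and look for any that appeared around the exploitation window, for example with WP-CLI: `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --orderby=user_registered --order=desc`. Any unrecognised administrator created by a public registration form should be treated as a compromise, not just deleted.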

LPE

Improper Privilege Management

Weakness Enumeration

Related Identifiers

CVE-2025-8489

Affected Products

Qi Addons For Elementor