Significant Security Vulnerability Discovered in WordPress Plugin That May Impact 10,000 Websites – Check If You’re at Risk


King Addons plugin exposed by two critical vulnerabilities, risking complete WordPress site takeover.

Issues facilitated unauthorized file uploads and privilege elevation through registration endpoints.

Users are urged to upgrade to version 51.1.37 to rectify the vulnerabilities.

King Addons for Elementor, a commercial WordPress plugin that extends the Elementor page builder with a large set of website-building widgets and templates, has been found to contain two significant vulnerabilities that allow attackers to take full control of affected sites.

A recent advisory by Patchstack described the two flaws: an unauthenticated arbitrary file upload vulnerability (CVE-2025-6327) and a privilege escalation via the registration endpoint (CVE-2025-6325). The former carries a critical severity score of 10/10, while the latter is rated 9.8/10.

These vulnerabilities give attackers the ability to turn a vulnerable WordPress site into a launchpad for further attacks, enabling unauthorized code execution or data theft.

Patching the vulnerabilities

Administrators using the “King Addons Login | Register Form” widgets should update the plugin to version 51.1.37 promptly; this release fixes both vulnerabilities and substantially reduces the risk of a site takeover.

Patchstack has cautioned that “both vulnerabilities are trivially exploitable under standard configurations, necessitating no authentication.” Immediate remediation is highly advised.

According to Infosecurity Magazine, the vendor fixed the vulnerabilities across two updates by adding a role allowlist and stronger input sanitization, and by requiring the upload handler to check permissions and enforce strict file type validation.
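As an added illustration of the class of fix the advisory describes (this is not the plugin's own code), the following shows what a registration endpoint with a role allowlist and an upload handler with a permission check and file type validation look like in a WordPress plugin; the demo_ function names, nonce actions and AJAX hook names are assumptions.

```php
<?php
// Added illustration of the two controls the advisory describes, not King Addons code;
// the demo_ function names, nonce actions and hook names are assumptions.

// Registration: the role comes from a fixed allowlist, never from client input as-is.
function demo_register_handler() {
    check_ajax_referer( 'demo_register', 'nonce' );                  // CSRF token
    $allowed   = array( 'subscriber' );                                // role allowlist
    $requested = sanitize_key( $_POST['role'] ?? '' );
    $role      = in_array( $requested, $allowed, true )
        ? $requested
        : get_option( 'default_role', 'subscriber' );                  // e.g. 'administrator' is rejected

    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( wp_unslash( $_POST['username'] ?? '' ), true ),
        'user_email' => sanitize_email( wp_unslash( $_POST['email'] ?? '' ) ),
        'user_pass'  => (string) ( $_POST['password'] ?? '' ),
        'role'       => $role,
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 400 );
    }
    wp_send_json_success( array( 'id' => $user_id ) );
}
add_action( 'wp_ajax_nopriv_demo_register', 'demo_register_handler' );   // registration is public by design

// Upload: require the upload_files capability, then validate MIME type and extension.
function demo_upload_handler() {
    check_ajax_referer( 'demo_upload', 'nonce' );
    if ( ! current_user_can( 'upload_files' ) ) {                      // permission check
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( empty( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }
    $file  = $_FILES['file'];
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'] );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {          // not an allowed type
        wp_send_json_error( 'file type not permitted', 415 );
    }
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $file, array( 'test_form' => false ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
// Only the authenticated hook is registered: there is no wp_ajax_nopriv_ variant.
add_action( 'wp_ajax_demo_upload', 'demo_upload_handler' );
```

The explicit wp_check_filetype_and_ext() call keeps the type validation visible even though wp_handle_upload() repeats it internally; when reviewing a plugin, the absence of current_user_can() and a _nopriv hook on an upload endpoint are the two things to look for.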


King Addons for Elementor has over 10,000 active users and offers more than 70 widgets, over 650 templates, and more than 4,000 page sections, letting users build websites with little coding expertise.

Critical vulnerabilities in WordPress plugins and themes are found regularly. Third-party add-ons remain the main route by which attackers compromise and take control of WordPress sites, which is why users should keep their set of add-ons small and consistently update them to the latest versions.

Source link: Techradar.com.


Reported By

RS Web Solutions
