Critical Vulnerabilities Detected in the King Addons Plugin
- The King Addons plugin harbors two critical flaws that permit complete WordPress site takeover.
- The flaws allow unauthenticated file uploads and privilege escalation through the registration endpoint.
- Users must upgrade to version 51.1.37 to fix both vulnerabilities.

The King Addons plugin for Elementor, a commercial add-on that extends the Elementor page builder with an array of widgets, templates, and design enhancements, has been found to contain two critical vulnerabilities that could allow unauthorized actors to fully take over affected websites.
A recent security advisory published by Patchstack details two vulnerabilities: an unauthenticated arbitrary file upload flaw (CVE-2025-6327) and a privilege escalation vulnerability via the registration endpoint (CVE-2025-6325).
The former is rated with a severity score of 10/10, while the latter scores 9.8/10; both are classified as critical.
These vulnerabilities give malicious actors an entry point into vulnerable WordPress sites, allowing them to upload harmful code or create accounts, and to carry out actions that can lead to complete site compromise or the exfiltration of sensitive data.
According to Infosecurity Magazine, the vendor addressed the vulnerabilities through two updates, implementing a role allowlist and input sanitization, together with an upload handler that requires appropriate permissions and performs strict file type validation.
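The two remediation patterns described above, shown as a hypothetical pair of WordPress AJAX handlers. This is an added illustration, not King Addons code; the action names, nonce names and the EXAMPLE_ALLOWED_ROLES list are assumptions.

```php
<?php
// Added illustration, not the King Addons code: hypothetical WordPress AJAX handlers.
const EXAMPLE_ALLOWED_ROLES = ['subscriber', 'customer']; // hypothetical allowlist

// 1. Registration: never trust a role supplied by the client; map it through a
//    fixed allowlist and fall back to the site default otherwise.
function example_register_handler() {
    check_ajax_referer('example_register_nonce', 'nonce');
    $username  = sanitize_user(wp_unslash($_POST['username'] ?? ''), true);
    $email     = sanitize_email(wp_unslash($_POST['email'] ?? ''));
    $requested = sanitize_key(wp_unslash($_POST['role'] ?? ''));
    if ($username === '' || !is_email($email)) {
        wp_send_json_error('invalid input', 400);
    }
    // Allowlist check: 'administrator' or any unknown role is silently dropped.
    $role = in_array($requested, EXAMPLE_ALLOWED_ROLES, true)
        ? $requested
        : get_option('default_role', 'subscriber');
    $user_id = wp_insert_user([
        'user_login' => $username,
        'user_email' => $email,
        'user_pass'  => wp_generate_password(24),
        'role'       => $role,
    ]);
    if (is_wp_error($user_id)) {
        wp_send_json_error($user_id->get_error_message(), 400);
    }
    wp_send_json_success(['id' => $user_id]);
}
add_action('wp_ajax_nopriv_example_register', 'example_register_handler');

// 2. Upload: require a capability and validate the real file type against the
//    site's allowed MIME list before handing the file to wp_handle_upload().
function example_upload_handler() {
    check_ajax_referer('example_upload_nonce', 'nonce');
    if (!current_user_can('upload_files')) {
        wp_send_json_error('forbidden', 403);
    }
    $file = $_FILES['file'] ?? null;
    if (!$file || $file['error'] !== UPLOAD_ERR_OK) {
        wp_send_json_error('no file', 400);
    }
    // Explicit type check (wp_handle_upload repeats it); 'ext' is false for .php etc.
    $check = wp_check_filetype_and_ext($file['tmp_name'], $file['name']);
    if (empty($check['ext']) || empty($check['type'])) {
        wp_send_json_error('file type not allowed', 415);
    }
    $result = wp_handle_upload($file, ['test_form' => false]);
    isset($result['error']) ? wp_send_json_error($result['error'], 400) : wp_send_json_success($result);
}
add_action('wp_ajax_example_upload', 'example_upload_handler');
```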
Patching the Vulnerabilities
Administrators using the “King Addons Login | Register Form” widgets are strongly urged to update the plugin to version 51.1.37 without delay; this patch addresses both vulnerabilities and mitigates the risk of site takeover.
Patchstack cautions, “Both vulnerabilities are easily exploitable under typical configurations and require no authentication. Immediate remediation is highly advisable.”

King Addons for Elementor is popular, with over 10,000 active installations. The plugin offers more than 70 widgets, upwards of 650 templates, and over 4,000 page sections, enabling website construction without extensive coding skills.
The discovery of critical vulnerabilities in WordPress plugins and themes is not uncommon. Third-party plugins remain a prevalent route for cybercriminals to compromise and take control of WordPress sites, which is why users are continually advised to keep only essential plugins and to keep them updated.
Source link: Tech.yahoo.com.