- King Addons plugin had two critical flaws enabling full WordPress site takeover
- Bugs allowed unauthenticated file uploads and privilege escalation via registration endpoint
- Users must update to version 51.1.37 to patch both vulnerabilities
King Addons for Elementor, a commercial WordPress plugin that extends the Elementor page builder with extra website builder widgets, templates, and design features, carried two critical-level vulnerabilities that allowed threat actors to fully take over vulnerable websites, experts have warned.
In a new security advisory, Patchstack detailed two bugs: an unauthenticated arbitrary file upload flaw (CVE-2025-6327), and a privilege escalation via registration endpoint flaw (CVE-2025-6325). The former has a severity score of 10/10 (critical), while the latter 9.8/10 (also critical).
Both bugs let a threat actor turn a vulnerable WordPress website into a beachhead. They can get code, or accounts, onto the site, and use them to execute actions that lead to full site compromise, or data theft.
Patching the bugs
Site admins using the “King Addons Login | Register Form” widgets should make sure to update the plugin to version 51.1.37 as soon as possible, since this patch fixes both vulnerabilities and mitigates potential site takeover risks.
“Both vulnerabilities are trivially exploitable under common configurations and require no authentication,” Patchstack warned. “Immediate patching is strongly recommended.”
Infosecurity Magazine says the vendor addressed the vulnerabilities across two versions, by introducing a role allowlist and input sanitization, as well as an upload handler that now requires proper permission and enforces strict file type validation.
King Addons for Elementor is a popular plugin with more than 10,000 active users. It provides more than 70 widgets, more than 650 templates, and more than 4,000 page sections, helping users build their websites without extensive coding knowledge.
Discovering critical vulnerabilities in WordPress add-ons and themes is nothing new.
Third-party extensions to the platform are the most common ways cybercriminals compromise and take over WordPress websites, which is why users are always advised to only keep the add-ons they use, and to make sure they are always updated to the latest versions.
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
