- The King Addons plugin had two critical bugs that allowed the full takeover of the WordPress site
- Bugs allowed unauthorized file uploads and privilege escalation via registry endpoint
- Users should update to version 51.1.37 to fix both vulnerabilities
King Addons for Elementor, a commercial WordPress plugin that extends the Elementor page builder with additional website builder widgets, templates and design features, carried two critical-level vulnerabilities that allowed threat actors to fully take over vulnerable websites, experts have warned.
In a new security advisory, Patchstack described two flaws: an unauthorized arbitrary file upload flaw (CVE-2025-6327) and a privilege escalation via registry endpoint flaw (CVE-2025-6325). The former carries a severity score of 10/10 (critical), while the latter is rated 9.8/10 (also critical).
Both flaws let a threat actor turn a vulnerable WordPress site into a beachhead. They can get code or accounts into the site and use them to perform actions that lead to complete site compromise or data theft.
Patching the bugs
Website administrators using the “King Addons Login | Register Form” widgets should make sure to update the plugin to version 51.1.37 as soon as possible, as this patch both fixes the vulnerabilities and mitigates the risk of website takeover.
“Both vulnerabilities are trivially exploitable under common configurations and require no authentication,” Patchstack warned. “Immediate patching is strongly recommended.”
Infosecurity Magazine says the vendor addressed the vulnerabilities across two versions by introducing a role permission list and input sanitization, as well as an upload handler that now requires proper permission and enforces strict file type validation.
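To illustrate what those fix categories look like in practice, here is an added example of a hardened registration endpoint and upload endpoint written for this article; it is not King Addons' code, and the hook names, nonce actions, role allowlist and MIME allowlist are assumptions.

```php
<?php
// Added example (not the plugin's own code). Shows the controls the
// advisory's fix describes: a role allowlist with input sanitization on
// a public registration endpoint, and a capability check plus strict
// file type validation on an upload endpoint. Hook and nonce names are
// hypothetical.

add_action( 'wp_ajax_nopriv_example_register', 'example_register_handler' );
function example_register_handler() {
    check_ajax_referer( 'example_register', 'nonce' );
    if ( ! get_option( 'users_can_register' ) ) {
        wp_send_json_error( 'registration closed', 403 );
    }
    // Role allowlist: never honour a privileged role supplied by the client.
    $allowed_roles  = array( 'subscriber', 'customer' ); // assumed allowlist
    $requested_role = sanitize_key( $_POST['role'] ?? '' );
    $role = in_array( $requested_role, $allowed_roles, true )
        ? $requested_role
        : get_option( 'default_role', 'subscriber' );
    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( $_POST['username'] ?? '', true ),
        'user_email' => sanitize_email( $_POST['email'] ?? '' ),
        'user_pass'  => (string) ( $_POST['password'] ?? '' ),
        'role'       => $role,
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 400 );
    }
    wp_send_json_success( array( 'id' => $user_id ) );
}

add_action( 'wp_ajax_example_upload', 'example_upload_handler' ); // no nopriv hook
function example_upload_handler() {
    check_ajax_referer( 'example_upload', 'nonce' );
    // Capability check: unauthenticated or low-privilege users are rejected.
    if ( ! current_user_can( 'upload_files' ) || empty( $_FILES['file'] ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $file    = $_FILES['file'];
    $allowed = array( 'jpg|jpeg' => 'image/jpeg', 'png' => 'image/png' ); // assumed
    // Strict type validation: extension and detected MIME must both match the allowlist.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }
    $result = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```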
King Addons for Elementor is a popular plugin with more than 10,000 active users. It provides more than 70 widgets, more than 650 templates and more than 4,000 page sections that help users build their websites without extensive coding knowledge.
Discovering critical vulnerabilities in WordPress plugins and themes is nothing new.
Third-party extensions to the platform are the most common ways cybercriminals compromise and take over WordPress sites, so users are always advised to keep only the plugins they use and ensure they are always updated to the latest versions.