Another major WordPress add-on security flaw could affect 10,000 sites - find out if you're affected


  • King Addons plugin had two critical flaws enabling full WordPress site takeover
  • Bugs allowed unauthenticated file uploads and privilege escalation via registration endpoint
  • Users must update to version 51.1.37 to patch both vulnerabilities

King Addons for Elementor, a commercial WordPress plugin that extends the Elementor page builder with extra website builder widgets, templates, and design features, carried two critical-level vulnerabilities that allowed threat actors to fully take over vulnerable websites, experts have warned.

In a new security advisory, Patchstack detailed two bugs: an unauthenticated arbitrary file upload flaw (CVE-2025-6327), and a privilege escalation via registration endpoint flaw (CVE-2025-6325). The former has a severity score of 10/10 (critical), while the latter scores 9.8/10 (also critical).

Both bugs let a threat actor turn a vulnerable WordPress website into a beachhead: they can place code or accounts on the site and use them to execute actions that lead to full site compromise or data theft.

Patching the bugs

Site admins using the “King Addons Login | Register Form” widgets should make sure to update the plugin to version 51.1.37 as soon as possible, since this patch fixes both vulnerabilities and mitigates potential site takeover risks.

“Both vulnerabilities are trivially exploitable under common configurations and require no authentication,” Patchstack warned. “Immediate patching is strongly recommended.”

Infosecurity Magazine says the vendor addressed the vulnerabilities across two versions, introducing a role allowlist and input sanitization, as well as an upload handler that now requires proper permission and enforces strict file type validation.
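To make those two mitigations concrete, here is an added PHP illustration (not King Addons code, whose implementation is not shown here) of a registration handler that assigns roles only from an allowlist and an upload handler that requires the upload_files capability and relies on WordPress file type validation; the handler, hook and nonce names are assumptions.

```php
<?php
// Added illustration, not King Addons code; handler, hook and nonce names are assumptions.

// 1. Registration endpoint: never trust a client-supplied role; accept only allowlisted roles.
function example_allowed_registration_role( $requested ) {
    $allowlist = array( 'subscriber' );               // privileged roles are never assignable here
    $requested = sanitize_key( (string) $requested ); // strips anything outside [a-z0-9_-]
    return in_array( $requested, $allowlist, true ) ? $requested : 'subscriber';
}

function example_handle_registration() {
    check_ajax_referer( 'example_register_nonce', 'nonce' );
    $username = sanitize_user( wp_unslash( $_POST['username'] ?? '' ) );
    $email    = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $password = (string) ( $_POST['password'] ?? '' );
    if ( ! is_email( $email ) || '' === $username || '' === $password ) {
        wp_send_json_error( 'invalid input', 400 );
    }
    $user_id = wp_insert_user( array(
        'user_login' => $username,
        'user_email' => $email,
        'user_pass'  => $password,
        // The role comes from the allowlist, not directly from $_POST['role'].
        'role'       => example_allowed_registration_role( $_POST['role'] ?? '' ),
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 400 );
    }
    wp_send_json_success( array( 'user_id' => $user_id ) );
}
add_action( 'wp_ajax_nopriv_example_register', 'example_handle_registration' );

// 2. Upload endpoint: require a logged-in caller with the upload capability and let
//    WordPress validate the file type before anything is written to disk.
function example_handle_upload() {
    check_ajax_referer( 'example_upload_nonce', 'nonce' );
    if ( ! current_user_can( 'upload_files' ) ) { wp_send_json_error( 'forbidden', 403 ); }
    if ( empty( $_FILES['file'] ) ) { wp_send_json_error( 'no file', 400 ); }
    require_once ABSPATH . 'wp-admin/includes/file.php';
    // wp_handle_upload() rejects extensions/MIME types outside get_allowed_mime_types().
    $result = wp_handle_upload( $_FILES['file'], array( 'test_form' => false ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
add_action( 'wp_ajax_example_upload', 'example_handle_upload' );
```

Note that the upload hook is registered only for authenticated requests (`wp_ajax_`, not `wp_ajax_nopriv_`), so an unauthenticated caller never reaches the handler at all.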

King Addons for Elementor is a popular plugin with more than 10,000 active users. It provides more than 70 widgets, more than 650 templates, and more than 4,000 page sections, helping users build their websites without extensive coding knowledge.

Discovering critical vulnerabilities in WordPress add-ons and themes is nothing new.

Third-party extensions to the platform are the most common way cybercriminals compromise and take over WordPress websites, which is why users are always advised to keep only the add-ons they actually use, and to make sure those are always updated to the latest versions.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
