WordPress Plugin Exploits: King Addons for Elementor & Advanced Custom Fields: Extended

Two critical plugin vulnerabilities are being actively exploited in the WordPress ecosystem, underscoring the ongoing risk of third-party add-ons.

CVE‑2025‑8489 — King Addons for Elementor

  • What it is: A privilege escalation flaw in the plugin's registration handler: the role assigned to a new account is taken from the request instead of being fixed server-side.
  • Impact: Anyone who can reach the registration endpoint can name their own role during signup (e.g., user_role=administrator) and create a rogue administrator account in a single request.
  • Exploitation: Began October 31, one day after disclosure. Wordfence has blocked 48,400+ attempts so far.
  • Scale: King Addons is installed on ~10,000 sites.
  • Indicators of compromise:
    • New administrator accounts appearing unexpectedly.
    • Suspicious admin-ajax.php requests with user_role=administrator.
    • Offending IPs include 45.61.157.120 (28,900 attempts) and 2602:fa59:3:424::1 (16,900 attempts).
  • Fix: Upgrade to version 51.1.35 (released September 25). The patch shipped about five weeks before exploitation began, so a site that was still on an earlier version when the campaign started should be treated as potentially compromised, not merely unpatched.
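To make the root cause concrete, here is an added example (not King Addons' code) of a front-end AJAX registration handler that trusts a role from the request, next to one that fixes the role server-side. It runs inside WordPress; the action names, the form field names and the 'customer' role are assumptions for illustration.

```php
<?php
/**
 * Added example, not King Addons code: an AJAX registration handler that
 * accepts a role from the request (the vulnerable pattern) beside one that
 * decides the role server-side. Runs inside WordPress. Action names, field
 * names and the 'customer' role are assumptions.
 */

// VULNERABLE PATTERN: the client decides its own role.
function example_register_vulnerable() {
    $userdata = array(
        'user_login' => sanitize_user( wp_unslash( $_POST['username'] ?? '' ) ),
        'user_email' => sanitize_email( wp_unslash( $_POST['email'] ?? '' ) ),
        'user_pass'  => (string) wp_unslash( $_POST['password'] ?? '' ),
        // A request carrying user_role=administrator lands here unchanged.
        'role'       => sanitize_text_field( wp_unslash( $_POST['user_role'] ?? 'subscriber' ) ),
    );
    $user_id = wp_insert_user( $userdata );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 400 );
    }
    wp_send_json_success( array( 'user_id' => $user_id ) );
}
add_action( 'wp_ajax_nopriv_example_register', 'example_register_vulnerable' );

// Roles a visitor may pick for itself. Administrator and editor must never appear here.
function example_allowed_signup_roles() {
    return array( 'subscriber', 'customer' ); // 'customer' is an assumed custom role
}

// HARDENED: registration must be enabled, the nonce must verify, input is validated,
// and the role is either the site default or an exact match from a short allowlist.
function example_register_hardened() {
    check_ajax_referer( 'example_register', 'nonce' );

    if ( ! get_option( 'users_can_register' ) ) {
        wp_send_json_error( 'Registration is disabled.', 403 );
    }

    $username = sanitize_user( wp_unslash( $_POST['username'] ?? '' ), true );
    $email    = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $password = (string) wp_unslash( $_POST['password'] ?? '' );

    if ( '' === $username || ! is_email( $email ) || strlen( $password ) < 12 ) {
        wp_send_json_error( 'Invalid registration data.', 400 );
    }
    if ( username_exists( $username ) || email_exists( $email ) ) {
        wp_send_json_error( 'That username or email is already registered.', 409 );
    }

    $role      = get_option( 'default_role', 'subscriber' );
    $requested = sanitize_key( wp_unslash( $_POST['user_role'] ?? '' ) );
    if ( '' !== $requested ) {
        // Reject rather than silently downgrade, so a probe for
        // user_role=administrator shows up as a 400 in the access log.
        if ( ! in_array( $requested, example_allowed_signup_roles(), true ) ) {
            wp_send_json_error( 'Invalid role.', 400 );
        }
        $role = $requested;
    }

    $user_id = wp_insert_user( array(
        'user_login' => $username,
        'user_email' => $email,
        'user_pass'  => $password,
        'role'       => $role,
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 400 );
    }
    wp_send_json_success( array( 'user_id' => $user_id ) );
}
add_action( 'wp_ajax_nopriv_example_register_safe', 'example_register_hardened' );
```

The decisive change is that no value from the request reaches the role key of wp_insert_user() without an exact allowlist match; the nonce check is defence in depth against cross-site requests but does not by itself stop an attacker who can fetch the nonce from the public page. If your plugin has no business letting visitors choose a role at all, drop the allowlist branch entirely and always use the site's default_role.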

CVE‑2025‑13486 — Advanced Custom Fields: Extended

  • What it is: A critical remote code execution flaw affecting versions 0.9.0.5 through 0.9.1.1.
  • Root cause: A request-supplied value is passed directly to call_user_func_array(), so the attacker chooses which PHP function runs and with which arguments.
  • Impact: Unauthenticated attackers can execute arbitrary PHP, which in practice means dropping backdoors or creating administrator accounts.
  • Discovery: Reported November 18 by Marcin Dudek (CERT Poland).
  • Fix: Vendor patched in version 0.9.2, released November 19.
  • Scale: Plugin is active on 100,000+ websites.
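The following added example (not ACF Extended's code) shows the call_user_func_array() pattern described above next to a dispatcher that only lets the request select a key in a fixed map. It runs stand-alone from the command line; the field names 'action' and 'args' and the two handler names are assumptions.

```php
<?php
/**
 * Added example, not ACF Extended's code: a request supplying the callable
 * passed to call_user_func_array() (vulnerable), beside an allowlisted
 * dispatcher. Run with: php dispatch.php
 * Field names ('action', 'args') and handler names are assumptions.
 */

// VULNERABLE PATTERN: both the function name and its arguments come from the request.
// action=system&args[]=id runs a shell command; action=file_put_contents drops a backdoor.
function dispatch_vulnerable( array $request ) {
    $callback = (string) ( $request['action'] ?? '' );
    $args     = (array) ( $request['args'] ?? array() );
    return call_user_func_array( $callback, $args );
}

// HARDENED: the action-to-handler map is fixed in code, each handler validates its own
// arguments, and an unknown action is an error rather than a lookup of a PHP function.
function dispatch_hardened( array $request ) {
    static $handlers = null;
    if ( null === $handlers ) {
        $handlers = array(
            'sum'  => function ( array $args ) {
                foreach ( $args as $a ) {
                    if ( ! is_numeric( $a ) ) {
                        throw new InvalidArgumentException( 'sum expects numbers' );
                    }
                }
                return array_sum( array_map( 'floatval', $args ) );
            },
            'slug' => function ( array $args ) {
                $text = (string) ( $args[0] ?? '' );
                return strtolower( trim( preg_replace( '/[^A-Za-z0-9]+/', '-', $text ), '-' ) );
            },
        );
    }

    $name = (string) ( $request['action'] ?? '' );
    if ( ! array_key_exists( $name, $handlers ) ) {
        // Inside WordPress this is also where a capability check such as
        // current_user_can( 'manage_options' ) belongs for privileged actions.
        throw new InvalidArgumentException( "unknown action '$name'" );
    }
    $args = $request['args'] ?? array();
    if ( ! is_array( $args ) ) {
        throw new InvalidArgumentException( 'args must be an array' );
    }
    return $handlers[ $name ]( $args );
}

// Demonstration with a constructed hostile request. php_uname is harmless, but the
// point is that the caller, not the code, picked which PHP function ran.
$attack = array( 'action' => 'php_uname', 'args' => array( 's' ) );
echo 'vulnerable: ran php_uname -> ' . dispatch_vulnerable( $attack ) . "\n";

try {
    dispatch_hardened( $attack );
} catch ( InvalidArgumentException $e ) {
    echo 'hardened: rejected (' . $e->getMessage() . ")\n";
}
echo 'hardened: sum  -> ' . dispatch_hardened( array( 'action' => 'sum', 'args' => array( 2, 3 ) ) ) . "\n";
echo 'hardened: slug -> ' . dispatch_hardened( array( 'action' => 'slug', 'args' => array( 'Hello, World!' ) ) ) . "\n";
```

The test for this bug class is mechanical: find every call_user_func(), call_user_func_array(), variable-function call ($fn()) and array_map()/usort() callback in the plugin, and ask whether the callable can be influenced by anything the request controls. Wrapping the name in an allowlist check before the call, as above, is the fix; sanitising the string is not, because a "clean" string such as system is exactly what the attacker wants.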

Defensive Actions for Site Owners

  1. Patch immediately
    • King Addons → update to 51.1.35.
    • Advanced Custom Fields: Extended → update to 0.9.2.
  2. Audit user accounts
    • Look for unauthorized admin accounts created since late October.
  3. Check logs
    • Search for suspicious admin-ajax.php requests or IPs flagged by Wordfence.
  4. Harden WordPress
    • Disable unused plugins.
    • Enforce strong admin passwords and MFA.
    • Restrict access to wp-admin (IP allowlisting or an extra authentication layer). Treat admin-ajax.php with more care: many themes and plugins use it for unauthenticated front-end features, so block or rate-limit specific actions rather than denying the endpoint outright.
  5. Monitor for persistence
    • Scan for injected backdoors or modified PHP files.
    • Use WordPress security plugins (Wordfence, Sucuri) for real‑time monitoring.
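As an added example for steps 3 and 5 above (not from the article or from Wordfence), here is a command-line scan of access-log lines for the King Addons indicators listed earlier. The log lines are constructed for the example; the query action name 'example_register' is a placeholder, not the plugin's real action name.

```php
<?php
/**
 * Added example, not from the article or Wordfence: scan web server access-log
 * lines for the King Addons indicators. Run with: php scan.php
 * Log lines are constructed; 'example_register' is a placeholder action name.
 */

// Offending IPs named in the article. Extend this list from your own WAF reports.
const KNOWN_BAD_IPS = array( '45.61.157.120', '2602:fa59:3:424::1' );

// Parse one combined-format line (Apache/nginx default) into fields, or null if it does not match.
function parse_log_line( string $line ): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    $url   = parse_url( $m[4] );
    $query = array();
    parse_str( $url['query'] ?? '', $query );
    return array(
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => $url['path'] ?? $m[4],
        'query'  => $query,
        'status' => (int) $m[5],
        'ua'     => $m[6],
    );
}

// Return findings: one per suspicious request plus one per IP hammering admin-ajax.php with POSTs.
function scan_access_log( array $lines, int $burst_threshold = 5 ): array {
    $findings   = array();
    $ajax_posts = array(); // ip => number of POSTs to admin-ajax.php

    foreach ( $lines as $n => $line ) {
        $r = parse_log_line( $line );
        if ( null === $r || '/wp-admin/admin-ajax.php' !== $r['path'] ) {
            continue;
        }
        // Strongest signal: the role parameter is visible in the query string.
        if ( 'administrator' === ( $r['query']['user_role'] ?? '' ) ) {
            $findings[] = array( 'severity' => 'high', 'line' => $n, 'ip' => $r['ip'],
                'reason' => 'user_role=administrator sent to admin-ajax.php' );
        }
        // Any admin-ajax.php traffic from an IP already tied to the campaign.
        if ( in_array( $r['ip'], KNOWN_BAD_IPS, true ) ) {
            $findings[] = array( 'severity' => 'medium', 'line' => $n, 'ip' => $r['ip'],
                'reason' => 'admin-ajax.php request from an IP named in the Wordfence data' );
        }
        // POST bodies are not in the access log, so a user_role sent in the body is invisible
        // here; count POST volume per IP as a weaker signal and confirm in the firewall log.
        if ( 'POST' === $r['method'] ) {
            $ajax_posts[ $r['ip'] ] = ( $ajax_posts[ $r['ip'] ] ?? 0 ) + 1;
        }
    }
    foreach ( $ajax_posts as $ip => $count ) {
        if ( $count >= $burst_threshold ) {
            $findings[] = array( 'severity' => 'low', 'line' => null, 'ip' => $ip,
                'reason' => "$count POSTs to admin-ajax.php; bodies not logged, check the firewall log" );
        }
    }
    return $findings;
}

// Constructed sample: one explicit role probe, one hit from a known IP, one benign page view,
// and a burst of POSTs from an address not on the list.
$sample = array(
    '45.61.157.120 - - [31/Oct/2025:02:14:07 +0000] "GET /wp-admin/admin-ajax.php?action=example_register&user_role=administrator HTTP/1.1" 200 64 "-" "python-requests/2.31"',
    '2602:fa59:3:424::1 - - [31/Oct/2025:02:14:09 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [31/Oct/2025:02:15:00 +0000] "GET /?p=12 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
);
for ( $i = 0; $i < 6; $i++ ) {
    $sample[] = sprintf( '203.0.113.9 - - [31/Oct/2025:02:16:%02d +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 64 "-" "curl/8.4"', $i );
}
foreach ( scan_access_log( $sample ) as $f ) {
    printf( "[%-6s] ip=%-18s line=%s %s\n", $f['severity'], $f['ip'], $f['line'] ?? '-', $f['reason'] );
}
```

To run it against a real log, replace $sample with file( '/var/log/nginx/access.log', FILE_IGNORE_NEW_LINES ). Bear in mind the caveat in the comments: the exploit parameter normally travels in a POST body, which the access log does not record, so a clean access-log scan is not a clean bill of health; the Wordfence firewall log (or any WAF that logs request parameters) is the authoritative place to look. Pair the scan with the account audit from step 2, for example wp user list --role=administrator --fields=ID,user_login,user_email,user_registered on a host with WP-CLI, and question any administrator whose registration date falls on or after the disclosure.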

Final Thought

These incidents highlight how quickly attackers weaponize public disclosures: exploitation began within 24 hours. WordPress site owners should treat plugin updates as urgent security patches, not optional feature upgrades.
