CVE-2025-8489 — AI Deep Analysis Summary

🚨 **Essence**: A critical flaw in 'King Addons for Elementor' allows unauthenticated users to register as **Administrators**. 💥 **Consequences**: Full site takeover, data theft, and malicious code injection.…

🛡️ **Root Cause**: **CWE-269** (Improper Privilege Management). The plugin fails to restrict user registration roles properly.…

📦 **Affected**: WordPress Plugin **King Addons for Elementor**. 📅 **Versions**: **24.12.92** up to **51.1.14**. If your site uses this range, you are at risk!

👑 **Privileges**: Attackers gain **Admin Level** access. 📂 **Data**: Full read/write access to database, files, and settings. They can install backdoors, steal user data, or deface the site.

⚡ **Threshold**: **LOW**. 🚫 **Auth**: No authentication required (PR:N). 🌐 **Access**: Network accessible (AV:N). 🧠 **Complexity**: Low (AC:L). Any visitor can exploit this easily.

🔍 **Exploit Status**: Public references exist (WordFence, WP Trac). 📜 **PoC**: Specific file paths (`Login_Register_Form_Ajax.php`) are highlighted.…

🔎 **Self-Check**: 1. Check plugin version in WP Dashboard. 2. Look for `Login_Register_Form` widgets. 3. Scan for the specific AJAX endpoint files mentioned in references. 🛠️ Use WPScan or similar tools.

✅ **Fixed**: Yes. The vulnerability is tracked in WP Trac. 🔄 **Patch**: Update to the latest version (post-51.1.14). Check the official WordPress plugin repository for the fixed release.

🚧 **Workaround**: If you cannot update immediately: 1. **Disable** the 'Login/Register Form' widget. 2. Remove the plugin entirely if not needed. 3. Restrict user registration in WordPress settings to 'None'.

🔥 **Urgency**: **CRITICAL**. CVSS Score is **High** (likely 9.8+). Immediate action required. Update the plugin NOW to prevent total site compromise. ⏳ Time is of the essence!