Another major WordPress add-on security flaw could affect 10,000 sites – find out if you’re affected

- The King Addons plugin had two critical flaws allowing complete takeover of a WordPress site
- The bugs allowed unauthenticated file uploads and privilege escalation through the registration endpoint
- Users should update to version 51.1.37, which fixes both vulnerabilities
King Addons for Elementor, a commercial WordPress plugin that extends the Elementor page builder with additional widgets, templates and website design features, had two critical-level vulnerabilities that allowed malicious actors to take over vulnerable websites entirely, experts warned.
In a new security advisory, Patchstack detailed two bugs: an unauthenticated arbitrary file upload flaw (CVE-2025-6327) and a privilege escalation via registration endpoint flaw (CVE-2025-6325). The former has a severity score of 10/10 (critical), while the latter scored 9.8/10 (also critical).
Both bugs allow a malicious actor to turn a vulnerable WordPress website into a beachhead: by planting code on the site or obtaining accounts on it, they can carry out actions leading to complete site compromise or data theft.
Fixing the bugs
Site administrators using “King Addons Login | Register Form” should make sure to update the plugin to version 51.1.37 as soon as possible, as this patch addresses both vulnerabilities and mitigates potential site takeover risks.
“Both vulnerabilities are trivially exploitable in common configurations and require no authentication,” Patchstack warned. “Immediate patching is strongly recommended.”
Infosecurity magazine says the vendor has fixed the vulnerabilities in two versions, introducing role allowlisting and input checking, as well as a download manager that now requires proper authorization and enforces strict file type validation.
King Addons for Elementor is a popular plugin with over 10,000 active users. It provides 70+ widgets, 650+ templates, and 4,000+ page sections, helping users build their websites without extensive coding knowledge.
Discovering critical vulnerabilities in WordPress add-ons and themes is nothing new.
Third-party extensions to the platform are the most common way that cybercriminals compromise and take over WordPress websites. This is why users are always advised to keep only the add-ons they use and ensure that they are always updated to the latest versions.



