Date: 2025-10-31
Threat Intelligence, Vulnerability Management

Thousands of websites impacted by critical Elementor King Addons extension flaws

(Credit: Bilal Ulker – stock.adobe.com)

More than 10,000 WordPress sites could be subjected to total site takeovers due to a pair of critical vulnerabilities in the widely used King Addons for Elementor plugin, Infosecurity Magazine reports.

According to Patchstack's findings, CVE-2025-6327 is an unauthenticated arbitrary file upload: the nonce guarding the plugin's AJAX upload handler was exposed to ordinary site visitors, so the nonce check provided no real access control and an attacker could place files in various directories on the server. CVE-2025-6325 is a privilege escalation in a registration handler that accepted a client-supplied role, which let an unauthenticated attacker register a full administrator account.

Site administrators are urged to update to the patched versions of the plugin promptly. The fixes add a role allowlist and input sanitization for newly registered accounts, and replace the upload handler with one that performs stricter file type validation.
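The two bug classes above are common in WordPress plugins, so it is worth seeing what the vulnerable and hardened patterns look like side by side. The PHP below is an added illustration written for this article; it is not code from King Addons for Elementor, from Elementor, or from Patchstack, and it does not reproduce the actual flawed handlers. The `demo_` hook and function names, the `demo_register`/`demo_upload` nonce actions, and the allowlisted roles and MIME types are all assumptions chosen for the example; only the WordPress API calls (`wp_insert_user`, `check_ajax_referer`, `wp_handle_upload`, and so on) are real.

```php
<?php
/**
 * Illustrative vulnerable vs. hardened WordPress AJAX handlers.
 * Added example for this article; NOT code from King Addons for Elementor
 * or from Patchstack. Hook names, nonce actions, the 'demo_' prefix and
 * the allowlisted roles/MIME types are assumptions.
 */

// ---------- Pattern 1: self-registration that trusts a client-supplied role ----------

// VULNERABLE: reachable without login (wp_ajax_nopriv_) and copies $_POST['role']
// straight into wp_insert_user(), so any visitor can POST role=administrator.
function demo_vuln_register() {
    $id = wp_insert_user( array(
        'user_login' => $_POST['username'],
        'user_email' => $_POST['email'],
        'user_pass'  => $_POST['password'],
        'role'       => $_POST['role'],            // attacker-controlled
    ) );
    is_wp_error( $id ) ? wp_send_json_error( $id->get_error_message() ) : wp_send_json_success( $id );
}
add_action( 'wp_ajax_nopriv_demo_vuln_register', 'demo_vuln_register' );

// HARDENED: the client may only pick from an explicit allowlist; everything else is
// sanitized, and any role outside the allowlist falls back to the site default.
function demo_safe_register() {
    // A nonce handed to every visitor is CSRF protection, not authentication;
    // the allowlist below is what actually closes the escalation.
    check_ajax_referer( 'demo_register', 'nonce' );
    if ( ! get_option( 'users_can_register' ) ) {
        wp_send_json_error( 'Registration is disabled.', 403 );
    }
    $allowed_roles = array( 'subscriber' );         // assumption: roles this site permits
    $requested     = isset( $_POST['role'] ) ? sanitize_key( wp_unslash( $_POST['role'] ) ) : '';
    $role          = in_array( $requested, $allowed_roles, true )
        ? $requested
        : get_option( 'default_role', 'subscriber' );

    $login = sanitize_user( wp_unslash( $_POST['username'] ?? '' ), true );
    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $pass  = (string) wp_unslash( $_POST['password'] ?? '' );
    if ( ! validate_username( $login ) || username_exists( $login ) ) {
        wp_send_json_error( 'Invalid or taken username.', 400 );
    }
    if ( ! is_email( $email ) || email_exists( $email ) ) {
        wp_send_json_error( 'Invalid or taken e-mail address.', 400 );
    }
    $id = wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => $pass,
        'role'       => $role,                      // never the raw client value
    ) );
    if ( is_wp_error( $id ) ) {
        wp_send_json_error( $id->get_error_message(), 400 );
    }
    wp_send_json_success( array( 'id' => $id, 'role' => $role ) );
}
add_action( 'wp_ajax_nopriv_demo_safe_register', 'demo_safe_register' );

// ---------- Pattern 2: file upload "protected" only by a public nonce ----------

// VULNERABLE: the nonce is printed into every page for all visitors, the handler is
// registered on the nopriv hook, the destination comes from the client, and the file
// is moved without any type check, so a visitor can drop a .php file anywhere writable.
function demo_vuln_upload() {
    check_ajax_referer( 'demo_upload', 'nonce' );   // passes for any visitor
    $dest = WP_CONTENT_DIR . '/' . $_POST['dir'] . '/' . $_FILES['file']['name'];
    move_uploaded_file( $_FILES['file']['tmp_name'], $dest );
    wp_send_json_success( $dest );
}
add_action( 'wp_ajax_nopriv_demo_vuln_upload', 'demo_vuln_upload' );
add_action( 'wp_enqueue_scripts', function () {
    wp_localize_script( 'jquery', 'demoUpload', array( 'nonce' => wp_create_nonce( 'demo_upload' ) ) );
} );

// HARDENED: authenticated users with upload_files only, WordPress-managed destination,
// and a MIME/extension allowlist enforced by wp_handle_upload() with content sniffing.
function demo_safe_upload() {
    check_ajax_referer( 'demo_upload', 'nonce' );
    if ( ! is_user_logged_in() || ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'Forbidden', 403 );
    }
    if ( empty( $_FILES['file'] ) ) {
        wp_send_json_error( 'No file supplied.', 400 );
    }
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $_FILES['file'], array(
        'test_form' => false,
        'test_type' => true,                        // extension must match sniffed content
        'mimes'     => array(                       // allowlist (assumed set), not a denylist
            'jpg|jpeg' => 'image/jpeg',
            'png'      => 'image/png',
            'pdf'      => 'application/pdf',
        ),
    ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'], 'type' => $result['type'] ) );
}
add_action( 'wp_ajax_demo_safe_upload', 'demo_safe_upload' );   // no nopriv variant
```

The practical check when auditing any plugin for these two classes: list every `wp_ajax_nopriv_` hook it registers, then confirm that each handler either needs no privilege at all or enforces one with `current_user_can()` rather than relying on a nonce, because any nonce a `nopriv` handler expects must by definition be obtainable by an unauthenticated visitor. For registration endpoints, look for `$_POST['role']` or similar reaching `wp_insert_user()` or `WP_User::set_role()` without an allowlist; for upload endpoints, look for `move_uploaded_file()` on client-supplied paths instead of `wp_handle_upload()` with a restricted `mimes` set.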

"Both vulnerabilities are trivially exploitable under common configurations and require no authentication. Immediate patching is strongly recommended," said Patchstack.

