
Critical vulnerabilities in Elementor King Addons plugin affect 10,000 WordPress sites

1 unique source, 1 article

Summary


The Elementor King Addons plugin, used by over 10,000 WordPress sites, has two unauthenticated critical vulnerabilities, either of which can lead to a full site takeover: an arbitrary file upload flaw (CVE-2025-6327) and a privilege escalation issue (CVE-2025-6325). The plugin's vendor has released version 51.1.37 to address both. The arbitrary file upload vulnerability allows attackers to place files in web-accessible directories because of improper nonce handling and insufficient file validation. The privilege escalation flaw allows attackers to create administrator accounts through the plugin's registration endpoint. Site administrators should update the plugin immediately to mitigate the risk of full site compromise.
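The privilege escalation described above comes from a registration endpoint that lets the caller decide which role the new account gets; the vendor's fix is described as adding role allowlists and input sanitization. The following is an added illustration, not code from the King Addons plugin: a hypothetical admin-ajax registration handler in its weak form and its hardened form (function names, the nonce action and the allowlist contents are assumptions).

```php
<?php
// Hypothetical illustration, not the plugin's own code.
// Weak pattern: the handler trusts a client-supplied role, so any role that
// exists on the site, including 'administrator', can be assigned to a new user.
function demo_register_user_weak() {
    $login = sanitize_user( wp_unslash( $_POST['username'] ?? '' ) );
    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $role  = sanitize_text_field( wp_unslash( $_POST['role'] ?? 'subscriber' ) );

    $user_id = wp_create_user( $login, wp_generate_password(), $email );
    if ( ! is_wp_error( $user_id ) ) {
        ( new WP_User( $user_id ) )->set_role( $role ); // no allowlist check
    }
    wp_send_json( array( 'user_id' => $user_id ) );
}

// Hardened pattern: nonce check, registration switch, sanitized input and a
// role allowlist with a fixed low-privilege fallback.
function demo_register_user_hardened() {
    // Dies with HTTP 403 unless the request carries a valid nonce for this action.
    check_ajax_referer( 'demo_register_nonce', 'nonce' );

    if ( ! get_option( 'users_can_register' ) ) {
        wp_send_json_error( 'Registration is disabled', 403 );
    }

    $login = sanitize_user( wp_unslash( $_POST['username'] ?? '' ), true );
    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    if ( '' === $login || ! is_email( $email ) ) {
        wp_send_json_error( 'Invalid username or email', 400 );
    }

    // Only roles a visitor may self-assign; anything else collapses to
    // 'subscriber', so 'administrator' can never be requested from the client.
    $allowed   = array( 'subscriber', 'customer' ); // assumed site policy
    $requested = sanitize_key( wp_unslash( $_POST['role'] ?? '' ) );
    $role      = in_array( $requested, $allowed, true ) ? $requested : 'subscriber';

    $user_id = wp_create_user( $login, wp_generate_password(), $email );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 400 );
    }
    ( new WP_User( $user_id ) )->set_role( $role );
    wp_send_json_success( array( 'user_id' => $user_id, 'role' => $role ) );
}

// Unauthenticated visitors reach the hardened handler only.
add_action( 'wp_ajax_nopriv_demo_register', 'demo_register_user_hardened' );
```

The same allowlist idea applies to the upload flaw: validate the file extension and MIME type against a fixed list and verify the nonce before writing anything into a web-accessible directory.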

Timeline

  1. 30.10.2025 18:45 · 1 article · 11d ago

    Critical vulnerabilities in Elementor King Addons plugin disclosed

    Two unauthenticated critical vulnerabilities were discovered in the Elementor King Addons plugin, affecting over 10,000 WordPress sites. The flaws are an arbitrary file upload vulnerability (CVE-2025-6327) and a privilege escalation issue (CVE-2025-6325). The vendor released version 51.1.37 to address them; the fixes include role allowlists, input sanitization, and strict file type validation. Site administrators should update the plugin immediately to mitigate the risk of full site compromise.


Similar Happenings

Post SMTP Plugin Vulnerability Exploited to Hijack WordPress Admin Accounts

A critical vulnerability in the Post SMTP WordPress plugin, tracked as CVE-2025-11833, is being actively exploited to hijack administrator accounts. Post SMTP is a popular email delivery plugin for WordPress with over 400,000 downloads; the flaw affects versions 3.6.0 and older. It allows unauthenticated attackers to read arbitrary logged emails, including password reset messages, leading to account takeover and full site compromise. The issue was reported on October 11 and patched on October 29. However, as of November 4, at least 210,000 sites remain vulnerable. Exploitation attempts began on November 1, with over 4,500 blocked attempts since then.