CVE-2025-6325

KingAddons.com · King Addons for Elementor

Executive summary

A critical vulnerability has been identified in the King Addons for Elementor WordPress plugin, which could allow an attacker to gain full administrative control over an affected website. This flaw, resulting from an incorrect privilege assignment, permits a low-privileged user to escalate their permissions. Successful exploitation could lead to a complete compromise of the website, data theft, and further malicious activities.

Vulnerability

The vulnerability is an Incorrect Privilege Assignment within the King Addons for Elementor plugin. The plugin fails to properly verify that a user has the necessary permissions before allowing them to perform sensitive actions. A remote attacker with low-level access, such as a subscriber account, could exploit this flaw to execute functions reserved for administrators, thereby escalating their privileges and gaining complete control over the WordPress site.
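The following is an added illustrative example, not code from the King Addons for Elementor plugin or from this advisory (the advisory does not disclose which handler is affected). It shows the generic WordPress pattern behind an "incorrect privilege assignment": a role-changing action exposed through a `wp_ajax_*` hook that any logged-in user can reach, beside the hardened form with a capability check, a nonce check and input validation. The handler names, the `kng_demo_` prefix and the nonce action are hypothetical; the WordPress functions and the `promote_users` capability are real core APIs.

```php
<?php
/**
 * Added example (hypothetical handler names): the privilege-assignment weakness
 * pattern and its hardened counterpart. Not King Addons code.
 */

// --- Vulnerable pattern: reachable by any authenticated user, e.g. a subscriber. ---
// wp_ajax_* hooks fire for every logged-in user; nothing below checks *who* is calling,
// so the caller can assign any role, including 'administrator', to any account.
add_action( 'wp_ajax_kng_demo_set_role_vulnerable', function () {
    $user_id = absint( $_POST['user_id'] ?? 0 );
    $role    = sanitize_text_field( wp_unslash( $_POST['role'] ?? '' ) );
    $user    = get_userdata( $user_id );
    if ( $user ) {
        $user->set_role( $role );   // missing: capability check, nonce, role allow-list
    }
    wp_send_json_success();
} );

// --- Hardened form: authorisation + CSRF protection + restricted input. ---
add_action( 'wp_ajax_kng_demo_set_role', 'kng_demo_set_role_handler' );

function kng_demo_set_role_handler() {
    // 1. Authorisation: only users allowed to promote others (administrators by default).
    if ( ! current_user_can( 'promote_users' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 2. CSRF protection: the request must carry a nonce issued for this action.
    //    check_ajax_referer() terminates the request with HTTP 403 if it is missing or stale.
    check_ajax_referer( 'kng_demo_set_role', 'nonce' );

    // 3. Input validation: only roles that exist and that the caller may assign.
    $user_id  = absint( $_POST['user_id'] ?? 0 );
    $role     = sanitize_key( $_POST['role'] ?? '' );
    $editable = get_editable_roles();          // roles the current user may hand out
    if ( ! $user_id || ! isset( $editable[ $role ] ) ) {
        wp_send_json_error( array( 'message' => 'Invalid user or role.' ), 400 );
    }

    $user = get_userdata( $user_id );
    if ( ! $user ) {
        wp_send_json_error( array( 'message' => 'Unknown user.' ), 404 );
    }

    $user->set_role( $role );
    wp_send_json_success( array( 'user_id' => $user_id, 'role' => $role ) );
}
```

When reviewing a plugin for this class of flaw, the question to ask of every `wp_ajax_*`, REST route or `admin_post_*` callback that changes users, options or files is the one the hardened handler answers first: is there a `current_user_can()` check against a capability that matches the sensitivity of the action, before any state changes?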

Business impact

This vulnerability is rated critical, with a CVSS score of 9.8, and poses a significant risk to the business. Successful exploitation could lead to a full takeover of the organization's website. The potential consequences include theft of sensitive data (customer information, user credentials, PII), website defacement damaging the brand's reputation, injection of malware to infect site visitors, and using the compromised server as a pivot point for further attacks against the internal network.

Remediation

Immediate Action: Update the King Addons for Elementor plugin to the latest version provided by the vendor, which patches the vulnerability. After updating, review all administrative user accounts for any unauthorized additions or modifications.

Proactive Monitoring: Monitor web server and application logs for signs of exploitation. Specifically, look for unusual or unauthorized administrative actions originating from low-privileged user accounts, unexpected plugin or theme file modifications, and the creation of new, unauthorized administrator accounts.
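Web server logs alone do not show which WordPress account performed an action, so the monitoring described above is easier to do inside WordPress itself. The following is an added example, not part of the King Addons plugin or of this advisory: a small must-use plugin that logs every role change and e-mails the site administrator when an account is made an administrator or when the change is triggered from a session that could not legitimately promote users, which is exactly the signal of a low-privileged account performing an administrative action. The `set_user_role` and `add_user_role` hooks, `user_can()` and `wp_mail()` are real WordPress core APIs; the `kng_monitor_` prefix and the log line format are this example's own choices.

```php
<?php
/**
 * Plugin Name: Role Change Monitor (added example, not King Addons code)
 *
 * Place in wp-content/mu-plugins/ so it loads before ordinary plugins.
 * Logs every role assignment and alerts on administrator grants or on role
 * changes made by an actor who lacks the 'promote_users' capability.
 */

function kng_monitor_log_event( $event, $user_id, $role ) {
    $target = get_userdata( $user_id );
    $actor  = wp_get_current_user();    // WP_User with ID 0 when no session (cron, CLI)

    $line = sprintf(
        '[%s] %s target=%s(%d) role=%s actor=%s(%d) ip=%s uri=%s',
        current_time( 'mysql', true ),
        $event,
        $target ? $target->user_login : 'unknown',
        $user_id,
        $role,
        $actor->ID ? $actor->user_login : 'none',
        $actor->ID,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-',
        isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '-'
    );
    error_log( $line );                 // PHP error log, or wp-content/debug.log with WP_DEBUG_LOG

    // Alert conditions, matching the advisory's indicators:
    //  - any grant of the administrator role (new or promoted admin account);
    //  - a role change driven by a session that may not promote users
    //    (an administrative action originating from a low-privileged account).
    if ( 'administrator' === $role || ! user_can( $actor, 'promote_users' ) ) {
        wp_mail( get_option( 'admin_email' ), 'WordPress: suspicious role change', $line );
    }
}

// set_user_role fires from WP_User::set_role(), which wp_insert_user() also calls,
// so newly registered accounts that start as administrators are covered too.
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    kng_monitor_log_event( 'set_user_role', $user_id, $role );
}, 10, 3 );

// add_user_role fires from WP_User::add_role() (role added alongside existing ones).
add_action( 'add_user_role', function ( $user_id, $role ) {
    kng_monitor_log_event( 'add_user_role', $user_id, $role );
}, 10, 2 );
```

The e-mail alert is a placeholder for whatever alerting channel the site already uses; the logged line contains the target, the acting account, the source IP and the request URI, which is enough to tell a legitimate promotion made from the Users screen apart from one issued by a subscriber session against an AJAX or REST endpoint. For the post-update account review mentioned above, the same information can be pulled in bulk with WP-CLI, for example `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered`.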

Compensating Controls: If immediate patching is not feasible, the most effective compensating control is to disable and uninstall the vulnerable King Addons for Elementor plugin until it can be safely updated. Additionally, a properly configured Web Application Firewall (WAF) may be able to block exploit attempts if specific rules targeting this vulnerability are available.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical CVSS score of 9.8 and the potential for a complete system compromise, immediate remediation is strongly recommended. Organizations using the affected King Addons for Elementor plugin must prioritize applying the security update without delay. Although this vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, its high severity makes it a prime candidate for future inclusion and exploitation by threat actors.