CVE-2025-6327
KingAddons.com · KingAddons.com King Addons for Elementor
A critical vulnerability has been identified in the King Addons for Elementor plugin, which allows an unauthenticated attacker to upload malicious files, such as a web shell, to the server.
Executive summary
A critical vulnerability has been identified in the King Addons for Elementor plugin, which allows an unauthenticated attacker to upload malicious files, such as a web shell, to the server. Successful exploitation grants the attacker complete control over the affected website and underlying server, potentially leading to data theft, service disruption, and further network compromise. Due to the ease of exploitation and maximum potential impact, this vulnerability is assigned the highest possible severity score.
Vulnerability
The vulnerability is an Unrestricted Upload of File with Dangerous Type (CWE-434). The plugin fails to properly validate the type of files uploaded through one of its features, so an unauthenticated attacker can bypass the intended file-type restrictions and upload a file containing executable code (e.g., a PHP script) into a web-accessible directory. By then requesting the uploaded file's URL, the attacker causes the server to execute it, establishing a web shell and gaining remote code execution with the permissions of the web server process.
Business impact
This vulnerability is rated critical severity with a CVSS score of 10.0, representing the highest possible risk. A successful exploit leads to a full compromise of the web server's confidentiality, integrity, and availability. The business impact includes, but is not limited to, the theft of sensitive data (customer information, payment details, intellectual property), reputational damage from website defacement, financial loss from service interruption, and the risk of the compromised server being used as a launchpad for further attacks against the organization's internal network.
Remediation
Immediate Action: Update the King Addons for Elementor plugin to the latest version provided by the vendor. Note that the update only closes the upload path; it does not remove any file an attacker has already placed. After updating, review web server access logs for requests to executable file types (e.g., .php, .phtml, .phar) in upload directories, inspect those directories for unexpected files, and monitor for any further signs of exploitation that may have begun before patching.
Proactive Monitoring: Implement continuous monitoring of web server logs for attempts to upload or access executable file types in user-content directories. Monitor for unusual outbound network connections from the web server, which could indicate a web shell communicating with a command-and-control server. Watch for unexpected processes being spawned by the web server's user account (e.g., www-data, apache).
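The log review described under Immediate Action and Proactive Monitoring can be scripted. The following is an added example (not part of the advisory or of the plugin's code) that scans access-log lines in the common Apache/nginx "combined" format for requests to PHP-executable files under the default WordPress upload tree, treating a 2xx/3xx response as the high-severity case (the script was served, i.e. likely executed) and a 4xx as a refused attempt. The sample log lines, addresses and file names are constructed for the example; the upload prefix, the extension list and the log format are assumptions to adjust for a given site.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import unquote

# Constructed sample access-log lines (Apache/nginx "combined" format).
# IPs, dates and file names are invented for this example; they are not
# indicators taken from the advisory.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jul/2025:10:01:02 +0000] "GET /wp-content/uploads/2025/07/banner.jpg HTTP/1.1" 200 51203 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Jul/2025:10:01:06 +0000] "GET /wp-content/uploads/2025/07/x.php?cmd=id HTTP/1.1" 200 312 "-" "python-requests/2.32"
203.0.113.9 - - [12/Jul/2025:10:01:09 +0000] "GET /wp-content/uploads/2025/07/image.php.jpg HTTP/1.1" 200 120 "-" "python-requests/2.32"
198.51.100.4 - - [12/Jul/2025:10:02:00 +0000] "GET /wp-content/uploads/2025/07/notes.phtml HTTP/1.1" 403 199 "-" "curl/8.5"
203.0.113.9 - - [12/Jul/2025:10:02:30 +0000] "GET /wp-content/uploads/2025/07/a%2Ephp HTTP/1.1" 200 90 "-" "curl/8.5"
"""

# "combined" log format: ip ident user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) '
)
# PHP-executable extensions, including double-extension names such as
# "image.php.jpg" that some Apache AddHandler/MultiViews setups still execute.
EXEC_EXT_RE = re.compile(r'\.(?:php\d?|phtml|phar|phps|pht)(?:\.|$)', re.IGNORECASE)
UPLOAD_PREFIX = "/wp-content/uploads/"  # WordPress default; adjust if upload_path is customised


@dataclass
class Finding:
    ip: str
    ts: str
    path: str
    status: int
    severity: str   # "high" when the server answered < 400 (script likely executed)
    reason: str


def executable_upload_request(line: str) -> Optional[Finding]:
    """Return a Finding if this log line requests an executable file under the uploads tree."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Drop the query string and percent-decode so "a%2Ephp" is not missed.
    path = unquote(m["target"].split("?", 1)[0])
    if not path.startswith(UPLOAD_PREFIX):
        return None
    name = path.rsplit("/", 1)[-1]
    if not EXEC_EXT_RE.search(name):
        return None
    status = int(m["status"])
    if status < 400:
        severity, reason = "high", "executable file served from uploads directory (possible web shell)"
    else:
        severity, reason = "info", "request for executable file in uploads was refused"
    if ".php." in name.lower():
        reason += "; double extension"
    return Finding(m["ip"], m["ts"], path, status, severity, reason)


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run executable_upload_request over every line and keep the hits, in log order."""
    return [f for f in (executable_upload_request(line) for line in lines) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"[{f.severity:4}] {f.ts} {f.ip} {f.status} {f.path} - {f.reason}")
```

Run it against a real log with `scan(open("/var/log/nginx/access.log"))`. A "high" hit on a file that is still present in the uploads directory should be treated as a confirmed web shell until its contents prove otherwise; a run of "info" hits from one address is reconnaissance worth blocking at the edge.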
Compensating Controls: If immediate patching is not feasible, consider the following controls:
- Implement a Web Application Firewall (WAF) with rules that inspect multipart uploads and block executable file types and double extensions. Treat this as a stopgap that raises the cost of exploitation, not as a substitute for the patch.
- If the specific feature allowing file uploads is not business-critical, disable it entirely within the plugin's settings.
- Configure the web server to prevent script execution in the directories where files are uploaded.
- Use a File Integrity Monitoring (FIM) solution to detect the creation of unauthorized files on the server.
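One way to implement the "prevent script execution in upload directories" control, as an added example that is not from the advisory or the plugin vendor: an nginx server block that refuses any PHP-executable path under the default WordPress upload tree before the request can reach the PHP handler. It assumes the default wp-content/uploads path, a PHP-FPM backend and the socket path shown; all three are assumptions to adapt.

```nginx
# Regex locations are tried in the order they appear and the first match wins,
# so this deny block must come BEFORE the generic "location ~ \.php$" handler.
# The extension list mirrors what PHP handlers commonly execute, and the
# trailing (\.|$) also catches double extensions such as "image.php.jpg".
location ~* "^/wp-content/uploads/.*\.(php\d?|phtml|phar|phps|pht)(\.|$)" {
    deny all;
}

# Normal PHP handler; try_files avoids executing a non-existent script via PATH_INFO.
location ~ \.php$ {
    try_files $uri =404;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed PHP-FPM socket path
}
```

Verify the ordering with `nginx -t` and then a request such as `curl -I https://example.test/wp-content/uploads/x.php`, which should return 403 rather than reaching PHP. On Apache the equivalent is a `<FilesMatch>` block with `Require all denied` for the same extensions in the upload directory's .htaccess (or the vhost, if .htaccess is disabled).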
Exploitation status
Public Exploit Available: true
Analyst recommendation
Given the critical CVSS score of 10.0 and the availability of public exploits, immediate remediation is imperative. All organizations using the King Addons for Elementor plugin must treat this as an emergency and apply the vendor-supplied security update without delay. Due to the high likelihood of exploitation, it is also strongly recommended to assume a breach has occurred and conduct a forensic review of affected systems to search for indicators of compromise, such as backdoors or unauthorized user accounts. Do not wait for this to appear on the CISA KEV list to take action.