CVE-2025-8489
Affected product: The King Addons for Elementor (WordPress plugin)
Executive summary
A critical privilege escalation vulnerability, identified as CVE-2025-8489 with a CVSS score of 9.8, has been discovered in The King Addons for Elementor WordPress plugin. The flaw allows an attacker holding at most a low-privileged account (see the Vulnerability section on whether an account is needed at all) to gain full administrative control over an affected website. Successful exploitation leads to complete site compromise, data theft, and significant reputational damage, so affected sites must be patched immediately.
Vulnerability
The vulnerability is a missing capability check on a function the plugin exposes through a WordPress AJAX action or REST API endpoint. The specific action or route and the affected version range are not identified here and must be taken from the vendor changelog or the CVE record before writing detections or firewall rules. An attacker who can reach the endpoint, described here as an authenticated user with minimal privileges such as a subscriber, sends a crafted request that makes the plugin assign a role without verifying that the caller is permitted to do so, allowing the attacker to make their own account, or another user's, an administrator and so fully compromise the site. One caveat on the preconditions: a CVSS v3.1 base score of 9.8 with high confidentiality, integrity and availability impact corresponds to Privileges Required: None; the same impact from a low-privileged account scores 8.8. Until the vendor advisory confirms otherwise, assume the vulnerable endpoint may be reachable without authentication and do not treat closed registration as a sufficient mitigation.
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.8. A successful exploit would grant an attacker complete administrative control over the affected website. The potential consequences include theft of sensitive data (customer information, user credentials, PII), website defacement, injection of malicious code or malware, and using the compromised server to host phishing campaigns or attack other systems. Such an incident can lead to severe financial loss, regulatory penalties, and lasting damage to the organization's reputation and customer trust.
Remediation
Immediate Action: Update The King Addons for Elementor to the latest patched version on every WordPress instance and confirm the installed version is at or above the fixed release named in the vendor changelog. Patching does not undo a compromise that has already happened: afterwards, review all user accounts, especially those with the administrator role, for unauthorized additions or role changes, remove or demote any account you cannot account for, rotate the passwords of the remaining administrators, and terminate their existing sessions (for example with WP-CLI: wp user session destroy <user> --all).
Proactive Monitoring: Review web server access logs and, where one is installed, a WordPress audit log plugin; core WordPress does not log role changes or account creation on its own. In the access logs, look for POST requests to /wp-admin/admin-ajax.php and to REST routes under /wp-json/ (or passed via ?rest_route=) from unfamiliar IP addresses, bearing in mind that the admin-ajax action name usually travels in the POST body and therefore does not appear in the log line. In the database, look for unexpected changes to the wp_capabilities user meta and for new accounts holding the administrator role; comparing the current wp_users and wp_usermeta contents against a known-good backup is the most reliable way to find both.
Compensating Controls: If immediate patching is not feasible, disable the plugin until it can be updated. A Web Application Firewall (WAF) rule that blocks requests to the vulnerable action or route is an alternative only once that action or route is known from the vendor advisory; a rule that blocks every POST to admin-ajax.php will break legitimate front-end features. Restricting /wp-login.php and /wp-admin/ to trusted IP addresses reduces the attack surface but does not by itself cover this class of flaw: admin-ajax.php is normally exempted from such restrictions because front-end code calls it, and REST routes live under /wp-json/ outside /wp-admin/.
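The account review and log review described in the remediation steps above can be scripted. The following is an added example, not code from the advisory, the plugin or WordPress: it parses the PHP-serialized wp_capabilities values WordPress stores in wp_usermeta, diffs a current snapshot against a known-good baseline to find escalated and newly created administrators, and filters combined-format access logs for POSTs to the two generic entry points the advisory names. It assumes the default wp_ table prefix, that you have exported user_id and meta_value pairs for meta_key = 'wp_capabilities' from both the live database and a trusted backup, and that core's heartbeat action is benign noise; all sample data is constructed.

```python
"""Post-patch audit helpers: detect WordPress role escalation and suspicious
POSTs to admin-ajax.php / the REST API. Added example; assumptions: default
"wp_" table prefix (roles live in wp_usermeta meta_key "wp_capabilities"),
combined-format access logs, constructed sample data below."""
import re
from typing import Dict, List, Optional, Set

PRIVILEGED_ROLES = {"administrator"}
BENIGN_AJAX_ACTIONS = {"heartbeat"}  # core noise to skip; extend per site

# One element of the PHP-serialized array WordPress stores, e.g.
# a:1:{s:13:"administrator";b:1;}  ->  s:<byte length>:"<role>";b:<0|1>;
_PHP_ROLE_RE = re.compile(r's:(\d+):"([^"]*)";b:([01]);')

# Combined log format: ip ident user [time] "METHOD path HTTP/x" status ...
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_wp_capabilities(serialized: str) -> Set[str]:
    """Return the roles granted (b:1) in a wp_capabilities value. The PHP
    length prefix is verified so a truncated or hand-edited value raises
    instead of silently yielding a wrong role set."""
    roles: Set[str] = set()
    for length, name, flag in _PHP_ROLE_RE.findall(serialized):
        if int(length) != len(name.encode("utf-8")):
            raise ValueError(f"length prefix does not match role {name!r}")
        if flag == "1":
            roles.add(name)
    return roles


def audit_roles(baseline: Dict[int, str], current: Dict[int, str]) -> List[dict]:
    """Compare two {user_id: wp_capabilities} snapshots; report users who
    gained a privileged role or are new and already hold one."""
    findings = []
    for uid in sorted(current):
        now = parse_wp_capabilities(current[uid])
        if uid not in baseline:
            if now & PRIVILEGED_ROLES:
                findings.append({"user_id": uid, "type": "new_privileged_user",
                                 "roles": sorted(now)})
            continue
        before = parse_wp_capabilities(baseline[uid])
        if (now - before) & PRIVILEGED_ROLES:
            findings.append({"user_id": uid, "type": "role_escalation",
                             "from": sorted(before), "to": sorted(now)})
    return findings


def suspicious_requests(log_lines: List[str]) -> List[dict]:
    """Flag POSTs to admin-ajax.php and /wp-json/. The plugin's own action or
    route is not named in the advisory, so this is deliberately coarse. The
    admin-ajax action usually travels in the POST body, which access logs do
    not record, so it is reported only when present in the query string."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path, _, query = m["path"].partition("?")
        if not (path.endswith("/wp-admin/admin-ajax.php") or "/wp-json/" in path):
            continue
        action: Optional[str] = None
        for kv in query.split("&"):
            key, _, value = kv.partition("=")
            if key == "action":
                action = value
        if action in BENIGN_AJAX_ACTIONS:
            continue
        hits.append({"ip": m["ip"], "time": m["time"], "path": path,
                     "action": action, "status": int(m["status"])})
    return hits


# Constructed sample data (not taken from any real site).
BASELINE_CAPS = {
    1: 'a:1:{s:13:"administrator";b:1;}',
    2: 'a:1:{s:6:"editor";b:1;}',
    5: 'a:1:{s:10:"subscriber";b:1;}',
}
CURRENT_CAPS = {
    1: 'a:1:{s:13:"administrator";b:1;}',
    2: 'a:1:{s:6:"editor";b:1;}',
    5: 'a:1:{s:13:"administrator";b:1;}',  # subscriber is now administrator
    9: 'a:1:{s:13:"administrator";b:1;}',  # account absent from the baseline
}
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Aug/2025:10:14:09 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 87 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [12/Aug/2025:10:15:30 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 64 "-" "python-requests/2.32"',
    '198.51.100.23 - - [12/Aug/2025:10:15:41 +0000] "POST /wp-json/wp/v2/users/5 HTTP/1.1" 200 912 "-" "python-requests/2.32"',
    '192.0.2.4 - - [12/Aug/2025:10:16:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 87 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in audit_roles(BASELINE_CAPS, CURRENT_CAPS):
        print("ROLE", f)
    for h in suspicious_requests(SAMPLE_LOG):
        print("REQ ", h)
```

On the sample data this reports user 5 escalating from subscriber to administrator, user 9 appearing as a new administrator, and two unexplained POSTs from 198.51.100.23 (the heartbeat POST and the GET are dropped). The role diff is the higher-signal check: the access-log filter only narrows the time window and source addresses, because the action that was actually invoked is not visible in the log line.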
Exploitation status
Public Exploit Available: Not publicly known at this time.
Analyst recommendation
Given the critical CVSS score of 9.8 and the potential for a full site compromise, organizations should treat this vulnerability with the highest priority and execute the remediation plan immediately on all systems running affected versions of The King Addons for Elementor plugin. Although this vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, its severity and the size of the WordPress install base make it a prime target for widespread, opportunistic attacks against vulnerable sites.