Cyber Resilience

CVE-2025-8489

Critical

Published: 31 October 2025

Published
31 October 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.4926 97.8th percentile
Risk Priority 49 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-8489 is a critical-severity Improper Privilege Management (CWE-269) vulnerability in Wordpress (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 2.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-6 (Least Privilege).

Deeper analysis

The King Addons for Elementor plugin for WordPress is affected by a privilege escalation vulnerability in versions 24.12.92 to 51.1.14. The root cause is missing validation on the roles that can be supplied during user registration, which permits creation of accounts outside the intended set of allowable roles.

Unauthenticated attackers can exploit the flaw remotely with no user interaction or credentials to register new administrator accounts on the target WordPress site, resulting in full compromise of confidentiality, integrity, and availability.

The listed references include plugin source revisions in versions 24.12.93 and 51.1.35 along with a Wordfence advisory entry, indicating that updating to a patched release addresses the registration role restriction.

The EPSS score has reached a peak and current value of 0.4926.

EU & UK References

Vulnerability details

The King Addons for Elementor – Free Elements, Widgets, Templates, and Features for Elementor plugin for WordPress is vulnerable to privilege escalation in versions 24.12.92 to 51.1.14 . This is due to the plugin not properly restricting the roles that…

more

users can register with. This makes it possible for unauthenticated attackers to register with administrator-level user accounts.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The vulnerability is an unauthenticated privilege escalation in a public-facing WordPress plugin, directly exploited via T1190 (Exploit Public-Facing Application) to gain administrator privileges, aligning with T1068 (Exploitation for Privilege Escalation).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-4880Shared CWE-269
CVE-2026-26725Shared CWE-269
CVE-2026-6228Shared CWE-269
CVE-2025-14736Shared CWE-269
CVE-2025-0180Shared CWE-269
CVE-2026-31070Shared CWE-269
CVE-2024-9636Shared CWE-269
CVE-2025-22937Shared CWE-269
CVE-2026-33509Shared CWE-269
CVE-2025-13538Shared CWE-269

Affected Assets

Wordpress
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

AC-2 mandates proper management of user accounts, including restricting role assignments during registration to prevent unauthenticated attackers from creating administrator accounts.

prevent

SI-2 requires timely remediation of flaws like the plugin's improper role restriction during registration, directly addressing the vulnerability through patching.

prevent

AC-6 enforces least privilege, ensuring registered users receive only necessary permissions rather than administrator-level access.

References