CVE-2025-8489
Published: 31 October 2025
Summary
CVE-2025-8489 is a critical-severity Improper Privilege Management (CWE-269) vulnerability in Wordpress (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 2.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-6 (Least Privilege).
Deeper analysis
The King Addons for Elementor plugin for WordPress is affected by a privilege escalation vulnerability in versions 24.12.92 to 51.1.14. The root cause is missing validation on the roles that can be supplied during user registration, which permits creation of accounts outside the intended set of allowable roles.
Unauthenticated attackers can exploit the flaw remotely with no user interaction or credentials to register new administrator accounts on the target WordPress site, resulting in full compromise of confidentiality, integrity, and availability.
The listed references include plugin source revisions in versions 24.12.93 and 51.1.35 along with a Wordfence advisory entry, indicating that updating to a patched release addresses the registration role restriction.
The EPSS score has reached a peak and current value of 0.4926.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-37306
Vulnerability details
The King Addons for Elementor – Free Elements, Widgets, Templates, and Features for Elementor plugin for WordPress is vulnerable to privilege escalation in versions 24.12.92 to 51.1.14 . This is due to the plugin not properly restricting the roles that…
more
users can register with. This makes it possible for unauthenticated attackers to register with administrator-level user accounts.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is an unauthenticated privilege escalation in a public-facing WordPress plugin, directly exploited via T1190 (Exploit Public-Facing Application) to gain administrator privileges, aligning with T1068 (Exploitation for Privilege Escalation).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
AC-2 mandates proper management of user accounts, including restricting role assignments during registration to prevent unauthenticated attackers from creating administrator accounts.
SI-2 requires timely remediation of flaws like the plugin's improper role restriction during registration, directly addressing the vulnerability through patching.
AC-6 enforces least privilege, ensuring registered users receive only necessary permissions rather than administrator-level access.