CVE-2025-8489
Published: 31 October 2025
Summary
CVE-2025-8489 is a critical-severity Improper Privilege Management (CWE-269) vulnerability in Wordpress (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 2.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
AC-2 mandates proper management of user accounts, including restricting role assignments during registration to prevent unauthenticated attackers from creating administrator accounts.
SI-2 requires timely remediation of flaws like the plugin's improper role restriction during registration, directly addressing the vulnerability through patching.
AC-6 enforces least privilege, ensuring registered users receive only necessary permissions rather than administrator-level access.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is an unauthenticated privilege escalation in a public-facing WordPress plugin, directly exploited via T1190 (Exploit Public-Facing Application) to gain administrator privileges, aligning with T1068 (Exploitation for Privilege Escalation).
NVD Description
The King Addons for Elementor – Free Elements, Widgets, Templates, and Features for Elementor plugin for WordPress is vulnerable to privilege escalation in versions 24.12.92 to 51.1.14 . This is due to the plugin not properly restricting the roles that…
more
users can register with. This makes it possible for unauthenticated attackers to register with administrator-level user accounts.
Deeper analysisAI
CVE-2025-8489 is a privilege escalation vulnerability in the King Addons for Elementor – Free Elements, Widgets, Templates, and Features for Elementor plugin for WordPress, affecting versions 24.12.92 through 51.1.14. The flaw arises because the plugin does not properly restrict the user roles available during registration, mapped to CWE-269 (Improper Privilege Management). This was published on 2025-10-31 with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity.
Unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction. By leveraging the plugin's registration functionality, they can create new user accounts with administrator privileges, gaining full control over the affected WordPress site, including the ability to modify content, manage users, install plugins, and alter configurations.
Patched versions address the issue, as evidenced by code changes in the plugin's Login_Register_Form_Ajax.php file: line 353 in tag 24.12.93 and line 160 in tag 51.1.35. The Wordfence threat intelligence advisory provides additional details on the vulnerability and recommends updating to these or later versions for mitigation.
Details
- CWE(s)