A popular Elementor extension for WordPress that helps users build contact forms, sliders, pricing tables and login workflows has been found vulnerable.
The King Addons for Elementor plugin, used on over 10,000 sites, contains two unauthenticated critical issues that can lead to full site takeover.
New research from Patchstack shows two easily exploitable flaws:
-
An unauthenticated arbitrary file upload vulnerability (CVE-2025-6327), allowing attackers to place files in web-accessible directories
-
A privilege escalation via registration endpoint flaw (CVE-2025-6325), allowing account creation with arbitrary roles
The upload flaw stems from an AJAX handler that exposes a nonce to every visitor via localized script data, allowing unauthenticated users to trigger the upload call.
Further, validation also failed because the file_validity() method returned a non-empty string instead of false for invalid file types, and the allowed_file_types parameter could be manipulated to accept unwanted files into wp-content/uploads/king-addons/forms/.
The privilege escalation issue arose from a registration handler that accepted client-supplied roles. When site registration was enabled and the King Addons Register widget was present, an attacker could POST action=king_addons_user_register with user_role=administrator to create a full administrator account.
Read more on privilege escalation attacks: Privilege Escalation Flaw Found in Azure Machine Learning Service
The vendor addressed the vulnerabilities across two versions.
Key improvements include:
-
A role allowlist and input sanitization to restrict new accounts to safe roles such as subscriber and customer
-
The upload handler now requires proper permission (upload_files) and enforces strict file type validation
Site administrators should verify whether the “King Addons Login | Register Form” widget is active on any page and update the plugin to version 51.1.37 immediately.
The patched release closes both the file upload and privilege escalation vulnerabilities, significantly reducing the risk of full site compromise.
“Both vulnerabilities are trivially exploitable under common configurations and require no authentication,” Patchstack wrote.
“Immediate patching is strongly recommended.”
Image credit: Wirestock Creators / Shutterstock.com
