WordPress King Addons Flaw Under Active Attack Lets Hackers Make Admin Accounts


These articles are AI-generated summaries. Please check the original sources for full details.

A critical vulnerability in the WordPress King Addons plugin (CVE-2025-8489) is being actively exploited, allowing unauthenticated attackers to create admin accounts. The flaw carries a CVSS score of 9.8, and Wordfence has blocked over 48,400 exploit attempts since October 2025.

Why This Matters

The flaw stems from improper role restrictions during user registration, enabling privilege escalation without authentication. This exposes sites to full control takeover, malware injection, and traffic redirection. Attackers have already launched mass exploitation campaigns, targeting over 10,000 active plugin installations with 75 attempts blocked in the last 24 hours alone.

Key Insights

  • “CVE-2025-8489 (CVSS 9.8)” – Wordfence, 2025
  • “handle_register_ajax() function vulnerability” – WordPress plugin code
  • “Patched in version 51.1.35” – Maintainers, September 2025

Practical Applications

  • Use Case: WordPress administrators must update to 51.1.35+ and audit admin users
  • Pitfall: Delayed updates leave sites exposed to credential theft and code injection
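
The update-and-audit step above can be scripted against WP-CLI exports. This is an added example, not code from the plugin, Wordfence or the original article: the plugin slug `king-addons`, the 2025-10-01 cutoff, the allowlist and both JSON samples are assumptions constructed for illustration.

```python
import json
import re
from datetime import datetime

PATCHED = (51, 1, 35)        # fixed release named in the article
PLUGIN_SLUG = "king-addons"  # assumption: slug as listed by `wp plugin list`

# Constructed sample of `wp plugin list --format=json`
PLUGINS_JSON = """[
 {"name": "king-addons", "status": "active", "version": "51.1.14"},
 {"name": "akismet", "status": "active", "version": "5.3"}
]"""

# Constructed sample of `wp user list --role=administrator --format=json`
ADMINS_JSON = """[
 {"ID": 1, "user_login": "siteowner", "user_registered": "2021-03-02 09:14:55"},
 {"ID": 7, "user_login": "oldcontractor", "user_registered": "2022-06-10 17:30:00"},
 {"ID": 42, "user_login": "wp_support01", "user_registered": "2025-11-03 02:41:10"}
]"""


def version_tuple(text):
    """'51.1.14' -> (51, 1, 14); non-numeric suffixes such as '-beta' are ignored."""
    return tuple(int(m.group()) for m in (re.match(r"\d+", p) for p in text.split(".")) if m)


def plugin_needs_update(plugins_json, slug=PLUGIN_SLUG):
    """True when the plugin is installed at a version below the patched release."""
    for plugin in json.loads(plugins_json):
        if plugin["name"] == slug:
            return version_tuple(plugin["version"]) < PATCHED
    return False


def unexpected_admins(admins_json, known_logins, since):
    """Admins missing from the allowlist, newest first, as (login, registered_since_cutoff)."""
    cutoff = datetime.strptime(since, "%Y-%m-%d")
    found = []
    for user in json.loads(admins_json):
        if user["user_login"] in known_logins:
            continue
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        found.append((registered, user["user_login"], registered >= cutoff))
    return [(login, recent) for _, login, recent in sorted(found, reverse=True)]


if __name__ == "__main__":
    print("plugin needs update:", plugin_needs_update(PLUGINS_JSON))
    for login, recent in unexpected_admins(ADMINS_JSON, {"siteowner"}, "2025-10-01"):
        print(login, "registered since cutoff" if recent else "older account, still unlisted")
```

Accounts registered before the cutoff are still reported when they are not on the allowlist, because updating the plugin does not remove an administrator account that already exists.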
