module
WordPress King Addons for Elementor Unauthenticated Privilege Escalation to RCE
| Disclosed |
|---|
| Oct 30, 2025 |
Disclosed
Oct 30, 2025
Description
This module exploits an unauthenticated privilege escalation vulnerability in the WordPress
King Addons for Elementor plugin (versions 24.12.92 to 51.1.14). The vulnerability exists
in the handle_register_ajax() function which allows unauthenticated attackers to specify
the user_role parameter during registration, enabling them to create administrator accounts.
This exploit requires a WordPress page containing the King Addons "Login Register Form"
Elementor widget, which exposes the required nonce token in the page's JavaScript.
The NONCE_PAGE option must be set to the path of such a page.
Once an administrator account is created, the module uploads and executes a malicious
plugin to achieve remote code execution (RCE).
King Addons for Elementor plugin (versions 24.12.92 to 51.1.14). The vulnerability exists
in the handle_register_ajax() function which allows unauthenticated attackers to specify
the user_role parameter during registration, enabling them to create administrator accounts.
This exploit requires a WordPress page containing the King Addons "Login Register Form"
Elementor widget, which exposes the required nonce token in the page's JavaScript.
The NONCE_PAGE option must be set to the path of such a page.
Once an administrator account is created, the module uploads and executes a malicious
plugin to achieve remote code execution (RCE).
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.