CVE-2025-62889 Overview
CVE-2025-62889 is a missing authorization vulnerability in the King Addons for Elementor WordPress plugin developed by KingAddons.com. The flaw affects all plugin versions up to and including 51.1.61. Authenticated attackers with low privileges can exploit incorrectly configured access control checks to reach functionality that should be restricted to higher-privileged roles. The issue is tracked as [CWE-862] Missing Authorization and is documented in the Patchstack Vulnerability Report.
Critical Impact
Authenticated low-privilege users can access restricted plugin functionality, leading to confidentiality impact on affected WordPress sites running King Addons for Elementor.
Affected Products
- KingAddons.com King Addons for Elementor (king-addons)
- All versions from n/a through 51.1.61
- WordPress sites running the vulnerable plugin
Discovery Timeline
- 2025-10-27 - CVE-2025-62889 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-62889
Vulnerability Analysis
The vulnerability is a broken access control issue in the King Addons for Elementor plugin. The plugin exposes one or more actions that fail to verify whether the requesting user holds the required capability or role. An authenticated user with low privileges, such as a subscriber, can invoke these actions directly. The result is unauthorized access to functionality intended for administrators or editors.
The attack is network-reachable and requires no user interaction. Exploitation impacts confidentiality, while integrity and availability remain unaffected based on the published CVSS vector. The Exploit Prediction Scoring System rates this CVE in the lower exploitability range, but the low attack complexity makes opportunistic exploitation feasible on exposed WordPress installations.
Root Cause
The root cause is a missing or improperly implemented authorization check on plugin endpoints. WordPress plugins must validate user capabilities using functions such as current_user_can() and verify request authenticity using nonces via check_ajax_referer() or wp_verify_nonce(). When these checks are absent or incorrectly scoped, the plugin grants access based on authentication alone rather than authorization.
Attack Vector
An attacker first obtains low-privilege authenticated access to the target WordPress site. This is commonly achieved through open registration, compromised subscriber accounts, or weak credentials. The attacker then sends crafted HTTP requests to the vulnerable plugin endpoints exposed by King Addons for Elementor. Because the endpoint does not enforce the proper capability check, the server processes the request and returns data or performs actions that should be restricted. Refer to the Patchstack advisory for technical specifics.
Detection Methods for CVE-2025-62889
Indicators of Compromise
- Unexpected HTTP POST requests to /wp-admin/admin-ajax.php referencing King Addons actions from low-privilege user sessions
- Requests to plugin endpoints under /wp-content/plugins/king-addons/ originating from subscriber or contributor accounts
- New or modified Elementor templates, widgets, or settings created by accounts without editorial roles
Detection Strategies
- Audit WordPress access logs for admin-ajax.php calls invoking king-addons actions paired with non-administrative user IDs
- Enable WordPress activity logging plugins to flag privilege-inconsistent actions on Elementor content
- Compare installed plugin version against 51.1.61 using wp plugin list to identify vulnerable hosts
Monitoring Recommendations
- Monitor authentication telemetry for unusual subscriber-tier account activity targeting plugin endpoints
- Alert on HTTP 200 responses to plugin action requests issued by accounts that should not have configuration privileges
- Track web server logs for repeated requests to King Addons handlers from a single source IP
How to Mitigate CVE-2025-62889
Immediate Actions Required
- Update King Addons for Elementor to a version newer than 51.1.61 once the vendor publishes a fix
- Restrict new user registrations or set the default role to a non-privileged value until patching is complete
- Audit existing low-privilege accounts and remove any that are unused or unrecognized
Patch Information
The affected versions extend through 51.1.61. Site administrators should consult the Patchstack Vulnerability Report for the fixed release information and apply the vendor update through the WordPress plugin updater as soon as it becomes available.
Workarounds
- Deactivate the King Addons for Elementor plugin until a patched version is installed
- Deploy a Web Application Firewall rule to block unauthenticated and low-privilege requests to king-addons AJAX actions
- Disable public user registration via Settings → General by unchecking Anyone can register
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

