King Addons for Elementor, a paid plugin that expands the Elementor page builder, has been found carrying two critical vulnerabilities that allow complete site takeover. Security researchers at Patchstack confirmed an unauthenticated arbitrary file upload flaw, tracked as CVE-2025-6327, and a privilege escalation flaw, tracked as CVE-2025-6325. Both issues score at the highest end of the severity scale. These bugs let an attacker upload code or create accounts and then use those footholds to take full control of vulnerable websites.
Immediate patching required
Administrators using the Login and Register Form widgets from King Addons must update to version 51.1.37 without delay. This release fixes both issues by enforcing permission checks and applying strict validation to uploaded files. Patchstack stressed that the flaws are easy to exploit under common settings and require no login. Infosecurity Magazine reported that the vendor addressed the issues across two patch versions by adding a role allowlist, sanitising inputs, and improving the upload handler.
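The two classes of fix described above, a role allowlist on a self-registration form and strict validation of uploaded files, look roughly like this when written against the WordPress core API. This is an added illustration, not code from King Addons or Patchstack; the function names prefixed `example_`, the nonce action, the allowed-role list and the MIME allowlist are assumptions chosen for the example, while every `wp_*` call is a real WordPress core function.

```php
<?php
// Added illustrative example (not King Addons' own code). Shows the defensive
// patterns the article names: a fixed role allowlist for registration and
// capability plus content checks on uploads. Names prefixed example_ and the
// two allowlists are assumptions for this example.

// 1. Role allowlist. A registration form must never honour an arbitrary role
//    sent by the client. Map the requested role onto a fixed low-privilege set
//    and fall back to the site's default role otherwise.
const EXAMPLE_ALLOWED_ROLES = array( 'subscriber', 'contributor' ); // assumption

function example_register_user( array $form ) {
    // Reject requests that did not originate from the rendered form.
    if ( ! isset( $form['_nonce'] ) || ! wp_verify_nonce( $form['_nonce'], 'example_register' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid request.' );
    }
    $login = sanitize_user( $form['username'] ?? '', true );
    $email = sanitize_email( $form['email'] ?? '' );
    if ( '' === $login || ! is_email( $email ) ) {
        return new WP_Error( 'bad_input', 'Invalid username or e-mail.' );
    }
    // Weak pattern this replaces: $role = $form['role']; with no allowlist,
    // which lets a client ask for "administrator" directly.
    $requested = sanitize_key( $form['role'] ?? '' );
    $role      = in_array( $requested, EXAMPLE_ALLOWED_ROLES, true )
        ? $requested
        : get_option( 'default_role', 'subscriber' );

    return wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => wp_generate_password( 24 ),
        'role'       => $role,
    ) );
}

// 2. Upload validation. Require a logged-in user with the upload capability,
//    then let core compare the declared extension with the file's content and
//    restrict the result to an explicit MIME allowlist.
const EXAMPLE_ALLOWED_MIMES = array( // assumption: only what this form needs
    'jpg|jpeg' => 'image/jpeg',
    'png'      => 'image/png',
    'pdf'      => 'application/pdf',
);

function example_handle_upload( array $file ) {
    if ( ! is_user_logged_in() || ! current_user_can( 'upload_files' ) ) {
        return new WP_Error( 'forbidden', 'You may not upload files.' );
    }
    // Returns empty ext/type for anything outside the allowlist; for types it
    // can inspect (images via getimagesize, others via finfo) it also checks
    // that the content matches the extension and may propose a corrected name.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], EXAMPLE_ALLOWED_MIMES );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'bad_type', 'File type not permitted.' );
    }
    if ( ! empty( $check['proper_filename'] ) ) {
        $file['name'] = $check['proper_filename'];
    }
    // test_form is false because this is not the core media form; the MIME
    // allowlist is applied again inside wp_handle_upload.
    $result = wp_handle_upload( $file, array(
        'test_form' => false,
        'mimes'     => EXAMPLE_ALLOWED_MIMES,
    ) );
    return isset( $result['error'] )
        ? new WP_Error( 'upload_failed', $result['error'] )
        : $result; // array with 'file', 'url' and 'type' on success
}
```

The point of both functions is that the server, not the request, decides the privilege level and the file type: the role comes from a constant list and the type from content inspection against an allowlist, which is what the "role allowlist" and "improved upload handler" in the vendor's fix amount to.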
A popular plugin with a wide impact radius
King Addons has more than 10,000 active installations. It offers over seventy widgets, six hundred templates, and thousands of page sections that help users build sites without coding. Its reach means that even a short delay in patching could expose a large number of websites to compromise. Although serious bugs in WordPress add-ons are not unusual, this incident again highlights the risks posed by third-party extensions. Attackers typically target outdated plugins and themes before anything else.
Lessons for site owners
Security experts continue to advise WordPress site owners to reduce plugin bloat and patch any essential add-ons as soon as updates appear. Third-party components remain the fastest route for attackers looking to breach websites. This case shows how a widely used design extension can quickly become a liability when vulnerabilities are left unpatched.