Two critical vulnerabilities (CVE-2025-6327 & CVE-2025-6325) have been found in the “King Addons for Elementor” WordPress plugin, which is active on over 10,000 websites. The flaws allow for unauthenticated arbitrary file uploads and privilege escalation, leading to total site takeover.
Business Impact
An attacker can exploit these “trivially exploitable” flaws to upload a web shell, gain administrative control of the website, steal customer data, redirect traffic, or use the site to host malware or phishing pages, severely damaging the business’s reputation and security.
Why It Happened
The flaws stem from insecure code in the plugin’s AJAX and registration handlers, which fail to properly check user authentication and permissions before allowing critical actions like file uploads.
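The two missing checks the brief describes, put into code as an added example (constructed here, not the plugin's own code): a WordPress AJAX upload handler that requires a nonce and a capability before storing anything, and a registration helper that never takes the role from the request. Hook, action, nonce and function names are assumptions.

```php
<?php
// Constructed example, not code from the King Addons plugin: a WordPress AJAX
// upload handler and a registration helper with the checks the brief says were missing.
// The hook, action, nonce and function names are assumptions.
// Weak pattern: wp_ajax_nopriv_ runs the callback for visitors who are not logged
// in, and a callback with no capability check then accepts any upload.
// add_action( 'wp_ajax_nopriv_mymedia_upload', 'mymedia_handle_upload' );

// Hardened: wp_ajax_ (without nopriv) only fires for authenticated users.
add_action( 'wp_ajax_mymedia_upload', 'mymedia_handle_upload' );

function mymedia_handle_upload() {
    // CSRF: the request must carry a nonce bound to this action.
    check_ajax_referer( 'mymedia_upload_nonce', 'nonce' );
    // Authorization: logged in is not enough; require the upload capability.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    if ( empty( $_FILES['file'] ) ) {
        wp_send_json_error( 'no file supplied', 400 );
    }
    $file = $_FILES['file'];

    // Content validation: extension and sniffed MIME must both match an explicit
    // allow-list, so executable types such as .php are rejected before storage.
    $allowed = array( 'jpg|jpeg' => 'image/jpeg', 'png' => 'image/png', 'pdf' => 'application/pdf' );
    $check   = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }

    // Let core move the file: wp_handle_upload sanitises the name and enforces mimes.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}

// Registration: the role comes from the site setting, never from request data,
// so no registration request can choose a privileged role for itself.
function mymedia_register_user( $login, $email ) {
    return wp_insert_user( array(
        'user_login' => sanitize_user( $login, true ),
        'user_email' => sanitize_email( $email ),
        'user_pass'  => wp_generate_password( 24 ),
        'role'       => get_option( 'default_role', 'subscriber' ),
    ) );
}
```

When reviewing a plugin, the quick audit is to grep for `wp_ajax_nopriv_` hooks and for handlers that call `wp_handle_upload` or `wp_insert_user` without a preceding `current_user_can` and nonce check.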
Recommended Executive Action
Direct your web operations or marketing teams to immediately update the King Addons plugin to the latest patched version. Implement a Web Application Firewall (WAF) to provide a virtual patch against such file upload vulnerabilities and conduct regular plugin security audits.
Hashtags: #WordPress #Plugin #Vulnerability #RCE #WebSecurity #CyberSecurity #PatchNow #CVE #InfoSec
