This blog post is about two critical unauthenticated vulnerabilities in the King Addons for Elementor plugin. If you're a King Addons for Elementor user, please update the plugin to the latest version 51.1.37.
About the King Addons for Elementor Plugin
The plugin King Addons for Elementor, which has over 10k active installations, is a popular Elementor extension for WordPress.

The plugin is a feature-rich extension for the Elementor page builder that adds dozens of pre-built widgets, templates and user-facing tools to help site owners build richer, interactive pages without custom coding. Commonly used to create contact and file-upload forms, pricing tables, sliders, team/member sections, countdowns, social-login and register/login forms, and other UI components, the plugin speeds up design work and provides non-developers with flexible layout and functionality options.
The security vulnerabilities
Affected versions contain two unauthenticated critical vulnerabilities:
- Unauthenticated Arbitrary File Upload (CVE-2025-6327) allows attackers to upload arbitrary files to a web-accessible directory, leading to potential Remote Code Execution (RCE).
- Privilege Escalation via Registration Endpoint (CVE-2025-6325) allows unauthenticated users to register new accounts with arbitrary roles (including administrator), resulting in full site compromise.
Both vulnerabilities are trivially exploitable under common configurations and require no authentication. Immediate patching is strongly recommended.
Arbitrary File Upload (CVE-2025-6327)
The plugin registers an unauthenticated AJAX handler in /includes/widgets/Form_Builder/helpers/Upload_Email_File.php:
add_action('wp_ajax_nopriv_king_addons_upload_file', [$this, 'handle_file_upload']);
The handler attempts a nonce check:
if (!isset($_POST['king_addons_fb_nonce']) || !wp_verify_nonce($_POST['king_addons_fb_nonce'], 'king-addons-js')) {
    wp_send_json_error(['message' => esc_html__('Security check failed.', 'king-addons')]);
}
However, the nonce is exposed to every visitor through localized script data:
wp_localize_script(KING_ADDONS_ASSETS_UNIQUE_KEY . '-form-builder-script', 'KingAddonsFormBuilderData', [
    'ajaxurl' => admin_url('admin-ajax.php'),
    'nonce'   => wp_create_nonce('king-addons-js'),
]);
Since this nonce is included in every page load, any unauthenticated attacker can retrieve it and perform the upload request successfully.
Also, the method file_validity() incorrectly returns a non-empty string instead of false for invalid file types; because a non-empty string is truthy, the caller treats an invalid file as valid and the intended validation is bypassed:
if (!wp_check_filetype($file['name'])['ext']) {
    return 'mailto:bug@kingaddons.com?subject=Bug Report - King Addons&body=Please describe the issue';
}
Combined with the fact that the client can supply its own list of allowed extensions via the allowed_file_types parameter, arbitrary file types end up under wp-content/uploads/king-addons/forms/.
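As an added example (not the plugin's code), here is how the upload handler and its validator could be written so that the validator returns a strict boolean, the extension allowlist lives on the server instead of in the request, and the exposed nonce is not mistaken for authorization. The ka_example_ function names and the KA_EXAMPLE_ALLOWED_EXT list are assumptions.

```php
<?php
// Added example, not the plugin's code. It demonstrates the three fixes the
// text calls for: a capability check (a nonce is not authentication), a
// server-side extension allowlist instead of the client's allowed_file_types,
// and a validator that returns a strict boolean instead of a truthy string.

// Assumed list of extensions a contact form should accept; never read it
// from $_POST.
const KA_EXAMPLE_ALLOWED_EXT = ['pdf', 'jpg', 'jpeg', 'png', 'txt'];

function ka_example_file_validity(array $file): bool {
    if (!isset($file['name'], $file['tmp_name'], $file['error'])
        || $file['error'] !== UPLOAD_ERR_OK) {
        return false;
    }
    // wp_check_filetype() matches the extension against WordPress's allowed
    // MIME map; an empty 'ext' means the type is unknown or disallowed.
    $type = wp_check_filetype($file['name']);
    if (empty($type['ext']) || empty($type['type'])) {
        return false;
    }
    // The allowlist is a constant, so no request parameter can widen it.
    return in_array(strtolower($type['ext']), KA_EXAMPLE_ALLOWED_EXT, true);
}

function ka_example_handle_file_upload(): void {
    // The nonce only proves the request came from the plugin's own form; it
    // is emitted to every visitor, so it cannot stand in for authorization.
    check_ajax_referer('king-addons-js', 'king_addons_fb_nonce');
    if (!current_user_can('upload_files')) {
        wp_send_json_error(['message' => 'Insufficient permissions.'], 403);
    }
    $file = isset($_FILES['uploaded_file']) ? $_FILES['uploaded_file'] : null;
    if ($file === null || !ka_example_file_validity($file)) {
        wp_send_json_error(['message' => 'File type not allowed.'], 400);
    }
    // wp_handle_upload() re-checks the type and moves the file into the
    // uploads directory under a sanitized name.
    $result = wp_handle_upload($file, ['test_form' => false]);
    if (isset($result['error'])) {
        wp_send_json_error(['message' => $result['error']], 400);
    }
    wp_send_json_success(['url' => $result['url']]);
}

// Registered for logged-in users only; there is no wp_ajax_nopriv_ variant.
add_action('wp_ajax_king_addons_upload_file', 'ka_example_handle_file_upload');
```

Because wp_send_json_error() ends the request, every rejection path produces a JSON error the form's JavaScript can display instead of a silent bypass.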
Privilege Escalation via Registration Endpoint (CVE-2025-6325)
Located in includes/widgets/Login_Register_Form/Login_Register_Form_Ajax.php, the plugin’s registration handler allowed client-supplied roles:
// Vulnerable code
if (!empty($user_role) && $user_role !== 'subscriber') {
    $user_data['role'] = $user_role;
}
$user_id = wp_insert_user($user_data);
An unauthenticated attacker could register a new account by posting:
action=king_addons_user_register[&extra_data]&user_role=administrator
Conditions required:
- Site registration is enabled.
- The King Addons Login | Register Form widget is enabled on a page (Register widget present).
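A registration handler that removes the root cause, as an added example that is not the plugin's code: the role is never read from the request but taken from the site's default_role option, and the "registration enabled" condition above is enforced on the server. The nonce action, the field names and the ka_example_ function name are assumptions.

```php
<?php
// Added example, not the plugin's code. The handler never lets the request
// choose a role: the role comes from the site's default_role option, and the
// "registration enabled" precondition is enforced server-side. The nonce
// action and field names are assumptions.

function ka_example_user_register(): void {
    check_ajax_referer('king-addons-js', 'king_addons_nonce');
    if (!get_option('users_can_register')) {
        wp_send_json_error(['message' => 'Registration is disabled.'], 403);
    }
    $login = isset($_POST['user_login'])
        ? sanitize_user(wp_unslash($_POST['user_login']), true) : '';
    $email = isset($_POST['user_email'])
        ? sanitize_email(wp_unslash($_POST['user_email'])) : '';
    if ($login === '' || !is_email($email)) {
        wp_send_json_error(['message' => 'Invalid username or e-mail.'], 400);
    }
    if (username_exists($login) || email_exists($email)) {
        wp_send_json_error(['message' => 'Account already exists.'], 400);
    }
    $user_data = [
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => wp_generate_password(24),
        // $_POST['user_role'] is deliberately never read; the site setting
        // decides, and an admin changes it in Settings, not in a request.
        'role'       => get_option('default_role', 'subscriber'),
    ];
    $user_id = wp_insert_user($user_data);
    if (is_wp_error($user_id)) {
        wp_send_json_error(['message' => $user_id->get_error_message()], 400);
    }
    // Send the set-password e-mail to the new user only.
    wp_new_user_notification($user_id, null, 'user');
    wp_send_json_success(['user_id' => $user_id]);
}

add_action('wp_ajax_nopriv_king_addons_user_register', 'ka_example_user_register');
```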
The Patch
For the unauthenticated file upload, fixed fully in version 51.1.37, the patch introduces two key security improvements in the handle_file_upload() function:
- Capability check:
The upload handler now verifies that the user has the proper permission (upload_files) before continuing. This prevents unauthenticated or low-privilege users from invoking the endpoint.
- Proper file type validation:
The developer replaced the placeholder “mailto” fallback with a strict wp_check_filetype() validation. If the file type is invalid or unrecognized, the function now halts by returning false.
public function handle_file_upload() {
+ // Require authentication and capability
+ if (!current_user_can('upload_files')) {
+ wp_send_json_error(['message' => esc_html__('Insufficient permissions to upload files.', 'king-addons')]);
+ }
$file = $_FILES['uploaded_file'];
- if (!wp_check_filetype($file['name'])['ext']) {
- return 'mailto:bug@kingaddons.com?subject=Bug Report - King Addons&body=Please describe the issue';
- }
+ // Proper filetype validation
+ $filetype = wp_check_filetype($file['name']);
+ if (empty($filetype['ext'])) {
+ return false;
+ }
}
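Review bot: the `+ return false;` in the filetype branch leaves the AJAX handler without a response body, so admin-ajax.php ends the request with a bare `0`, whereas the capability branch a few lines up answers with wp_send_json_error(); use wp_send_json_error(['message' => ...]) here as well so callers can distinguish a rejected file from a broken endpoint. `$file = $_FILES['uploaded_file'];` is still read without an isset() guard, and the hunk does not show whether the client-supplied allowed_file_types list described earlier is now ignored in favour of a server-side allowlist; on its own, wp_check_filetype() only requires an extension that WordPress recognises.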
[...]
For the privilege escalation, fixed in version 51.1.36, the vendor added a role allowlist and sanitized the input:
- $user_role = isset($_POST['user_role']) ? sanitize_text_field($_POST['user_role']) : 'subscriber';
+ // Security fix: restrict roles to safe options
+ $allowed_roles = ['subscriber', 'customer'];
+ $requested_role = isset($_POST['user_role']) ? sanitize_text_field($_POST['user_role']) : 'subscriber';
+ $user_role = in_array($requested_role, $allowed_roles, true) ? $requested_role : 'subscriber';
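Review bot: the allowlist closes the hole, but the handler still accepts a role from the request, which an anonymous registrant has no legitimate reason to choose; dropping the `user_role` parameter and using get_option('default_role') would remove the attack surface instead of filtering it. Also, 'customer' in `$allowed_roles` only exists when WooCommerce (or another plugin) has registered that role, so the fallback to 'subscriber' should additionally cover a requested role for which get_role() returns null.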
Timeline
09 August, 2025 - Arbitrary File Upload (CVE-2025-6327): vulnerabilities found, reports generated. The vendor was notified about both vulnerabilities.