Critical Flaws Found In Elementor King Addons Affect 10,000 Sites

A popular Elementor extension for WordPress that helps users build contact forms, sliders, pricing tables and login workflows has been found vulnerable.

The King Addons for Elementor plugin, used on over 10,000 sites, contains two unauthenticated critical issues that can lead to full site takeover.

New research from Patchstack shows two easily exploitable flaws:

An unauthenticated arbitrary file upload vulnerability (CVE-2025-6327), allowing attackers to place files in web-accessible directories

A privilege escalation via registration endpoint flaw (CVE-2025-6325), allowing account creation with arbitrary roles

The upload flaw stems from an AJAX handler that exposes a nonce to every visitor via localized script data, allowing unauthenticated users to trigger the upload call.

Validation also failed because the file_validity() method returned a non-empty string instead of false for invalid file types, and the allowed_file_types parameter could be manipulated so that unwanted file types were accepted into wp-content/uploads/king-addons/forms/.

The privilege escalation issue arose from a registration handler that accepted client-supplied roles. When site registration was enabled and the King Addons Register widget was present, an attacker could POST action=king_addons_user_register with user_role=administrator to create a full administrator account.
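As an added, defender-side illustration that is not code from the plugin, from Patchstack or from this article: a hypothetical pair of WordPress handlers showing the checks the two flaws described above rely on being absent. Function names, hook names, nonce actions and the allowlist are invented for the example; the WordPress APIs called (check_ajax_referer, current_user_can, wp_check_filetype_and_ext, wp_handle_upload, wp_insert_user) are standard core functions.

```php
<?php
// Hypothetical hardened handlers (example only, not King Addons code).

// 1. Upload path: the server owns the allowlist. Nothing from the request
//    (no allowed_file_types-style parameter) can widen it.
const KA_EXAMPLE_ALLOWED_MIMES = [
    'pdf'      => 'application/pdf',
    'png'      => 'image/png',
    'jpg|jpeg' => 'image/jpeg',
];

// Returns a strict boolean. A validator that returns a non-empty string for
// the failure case is truthy and silently passes an "if ( ! valid )" check.
function ka_example_file_is_valid( string $tmp_path, string $filename ): bool {
    // Inspects content as well as the name (for images via finfo).
    $check = wp_check_filetype_and_ext( $tmp_path, $filename, KA_EXAMPLE_ALLOWED_MIMES );
    return ! empty( $check['ext'] ) && ! empty( $check['type'] );
}

function ka_example_handle_form_upload() {
    // A nonce handed to every visitor via localized script data is not an
    // authorization boundary; it only proves intent. Pair it with a capability.
    check_ajax_referer( 'ka_example_form_upload', 'nonce' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( empty( $_FILES['file'] ) || ! is_uploaded_file( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }
    if ( ! ka_example_file_is_valid( $_FILES['file']['tmp_name'], $_FILES['file']['name'] ) ) {
        wp_send_json_error( 'file type not allowed', 400 );
    }
    // 'mimes' override re-applies the same server-side allowlist inside core.
    $result = wp_handle_upload( $_FILES['file'], [
        'test_form' => false,
        'mimes'     => KA_EXAMPLE_ALLOWED_MIMES,
    ] );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( [ 'url' => $result['url'] ] );
}
// Authenticated hook only: no wp_ajax_nopriv_ registration for uploads.
add_action( 'wp_ajax_ka_example_form_upload', 'ka_example_handle_form_upload' );

// 2. Registration path: must be reachable without login, so the defence is
//    that the role is never read from the request.
function ka_example_handle_user_register() {
    check_ajax_referer( 'ka_example_register', 'nonce' );
    if ( ! get_option( 'users_can_register' ) ) {
        wp_send_json_error( 'registration disabled', 403 );
    }
    $login = sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ), true );
    $email = sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) );
    $pass  = (string) wp_unslash( $_POST['user_pass'] ?? '' );
    if ( '' === $login || ! is_email( $email ) || '' === $pass ) {
        wp_send_json_error( 'invalid input', 400 );
    }
    $user_id = wp_insert_user( [
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => $pass,
        // Role comes from site configuration, never from $_POST['user_role'].
        'role'       => get_option( 'default_role', 'subscriber' ),
    ] );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 400 );
    }
    wp_send_json_success( [ 'user_id' => $user_id ] );
}
add_action( 'wp_ajax_nopriv_ka_example_register', 'ka_example_handle_user_register' );
```

The two design points map directly onto the article's findings: a validator that returns a boolean cannot be misread as success, an allowlist the client cannot supply cannot be widened, and a registration endpoint that ignores any role field cannot be used to mint administrators. Detection-wise, new administrator accounts created through a front-end AJAX action, and writes under wp-content/uploads/king-addons/forms/ from unauthenticated sessions, are the events worth alerting on.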

The vendor addressed the vulnerabilities across two versions.

CVE Details

Severity: CRITICAL
Affected Product: WordPress
Impact: privilege escalation