CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description (NVD)
Missing Authorization vulnerability in KingAddons.com King Addons for Elementor king-addons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects King Addons for Elementor: from n/a through <= 51.1.61.
Analysis (AI)
Broken access control in King Addons for Elementor (WordPress plugin) versions through 51.1.61 allows authenticated attackers with low privileges to bypass authorization checks and gain unauthorized access to high-privilege functionality. The CVSS 8.8 score reflects potential for full compromise (high confidentiality, integrity, and availability impact), though the EPSS score of 0.05% (15th percentile) indicates minimal real-world exploitation observed. No public exploit code or CISA KEV listing identified at time of analysis. The vulnerability stems from improperly configured access control security levels (CWE-862: Missing Authorization), enabling privilege escalation by low-privileged users.
Technical Context (AI)
King Addons for Elementor is a WordPress plugin that extends the Elementor page builder. This vulnerability is a CWE-862 (Missing Authorization) flaw: the plugin fails to validate the caller's permissions before granting access to sensitive operations. In WordPress plugins this typically manifests in AJAX handlers, REST API endpoints, or admin functions that lack a capability check (e.g., a missing current_user_can() validation), so that any authenticated user can reach code meant only for administrators. The CVSS vector indicates network-accessible exploitation (AV:N) with low attack complexity (AC:L) that requires authentication with low privileges (PR:L). Affected deployments are WordPress installations running the King Addons for Elementor plugin at any version up to and including 51.1.61. The authorization bypass lets authenticated users execute functions intended for administrators or other higher-privileged roles, violating the principle of least privilege.
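To make the pattern concrete, here is an added illustration (not code from King Addons or from the advisory) of a WordPress AJAX handler that performs an admin-only action with no capability check, beside the hardened form and the equivalent REST route. The action, option and nonce names are hypothetical.

```php
<?php
// Added illustration, not King Addons code. Action, option and nonce
// names are hypothetical.

// VULNERABLE: wp_ajax_* hooks only require that the caller be logged in.
// Authentication is checked by WordPress, authorization is never checked
// here, so any low-privilege account can change an admin-only setting.
// This is the CWE-862 pattern the advisory describes.
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_insecure' );
function example_save_settings_insecure() {
    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_option( 'example_plugin_setting', $value );
    wp_send_json_success();
}

// HARDENED: verify the nonce (CSRF) and, separately, the capability the
// operation actually needs before touching privileged state.
add_action( 'wp_ajax_example_save_settings_v2', 'example_save_settings_secure' );
function example_save_settings_secure() {
    // Nonce check: request must originate from a form or script we issued.
    check_ajax_referer( 'example_save_settings', 'nonce' );

    // Capability check: this is the authorization step that is missing in
    // the vulnerable handler. Use the narrowest capability that fits the
    // operation; is_user_logged_in() is not an authorization check.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_option( 'example_plugin_setting', $value );
    wp_send_json_success();
}

// Same rule for REST routes: permission_callback is where authorization
// lives. A route that returns true there is reachable by anyone.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'example_rest_save_settings',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );
function example_rest_save_settings( WP_REST_Request $request ) {
    update_option( 'example_plugin_setting', sanitize_text_field( $request->get_param( 'value' ) ) );
    return rest_ensure_response( array( 'saved' => true ) );
}
```

When auditing a plugin for this class of bug, grep every wp_ajax_ and register_rest_route registration and confirm each handler has a current_user_can() check or a non-trivial permission_callback.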
Affected Products (AI)
The vulnerability affects King Addons for Elementor WordPress plugin versions from the earliest available release through version 51.1.61 inclusive. This impacts WordPress installations running any version of the king-addons plugin within this range, on any supported WordPress core version. The Patchstack reference indicates the vulnerability was identified while testing version 51.1.37 but applies to the full version range through 51.1.61. Site administrators should verify their installed plugin version via the WordPress admin dashboard under the Plugins section, or by checking the plugin file headers. Any WordPress site with this plugin installed that has open user registration or existing low-privilege user accounts should be considered potentially affected. Additional advisory details are available at https://patchstack.com/database/Wordpress/Plugin/king-addons/vulnerability/wordpress-king-addons-for-elementor-plugin-51-1-37-broken-access-control-vulnerability.
Remediation (AI)
Site administrators should immediately upgrade King Addons for Elementor to version 51.1.62 or later if available, as the vulnerability affects all versions through 51.1.61. Check the WordPress plugin repository or the vendor site KingAddons.com for the patched release and apply it through the WordPress admin dashboard under Plugins > Installed Plugins. Until the patch is applied, implement compensating controls: audit and restrict user registration to prevent unauthorized low-privilege account creation, review existing user accounts for suspicious registrations or compromised credentials, monitor WordPress admin and access logs for unauthorized requests to administrative functions, and consider temporarily disabling the plugin on non-production sites until patching is complete. After patching, verify the update by checking the plugin version number and run post-patch testing to confirm Elementor page functionality remains intact. For detailed vulnerability information and potential workarounds, consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/king-addons/vulnerability/wordpress-king-addons-for-elementor-plugin-51-1-37-broken-access-control-vulnerability. Apply defense in depth by enforcing strong password policies and multi-factor authentication for all user accounts, which limits the pool of low-privilege accounts an attacker could use even if an authorization flaw remains.