CVE-2025-62889 – This CVE describes a Missing Authorization vuln... (How to Fix)

📋 TL;DR

This CVE describes a Missing Authorization vulnerability in King Addons for Elementor WordPress plugin that allows attackers to bypass access controls. Attackers can exploit incorrectly configured security levels to perform unauthorized actions. All WordPress sites using vulnerable versions of this plugin are affected.

💻 Affected Systems

Products:

King Addons for Elementor WordPress Plugin

Versions: All versions up to and including 51.1.37

Operating Systems: Any OS running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Requires WordPress with Elementor plugin installed

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete site takeover, data exfiltration, or injection of malicious content across all pages using Elementor

🟠

Likely Case

Unauthorized content modification, privilege escalation, or data access

🟢

If Mitigated

Limited impact with proper authentication and authorization controls in place

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires some level of access but authorization checks are missing

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 51.1.37

Vendor Advisory: https://patchstack.com/database/Wordpress/Plugin/king-addons/vulnerability/wordpress-king-addons-for-elementor-plugin-51-1-37-broken-access-control-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find 'King Addons for Elementor'
4. Click 'Update Now' if available
5. If no update available, deactivate and remove plugin
6. Reinstall latest version from WordPress repository

🔧 Temporary Workarounds

Disable vulnerable plugin

all

Temporarily deactivate King Addons for Elementor plugin

wp plugin deactivate king-addons

Restrict plugin access

all

Use WordPress security plugins to restrict access to plugin functionality

🧯 If You Can't Patch

Implement strict access controls and user role management
Monitor for unauthorized changes to Elementor content and user permissions

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → King Addons for Elementor version

Check Version:

wp plugin get king-addons --field=version

Verify Fix Applied:

Verify plugin version is greater than 51.1.37

📡 Detection & Monitoring

Log Indicators:

Unauthorized access attempts to King Addons endpoints
Unexpected user role changes
Unusual Elementor content modifications

Network Indicators:

Requests to /wp-content/plugins/king-addons/ with unauthorized parameters

SIEM Query:

source="wordpress" AND (uri="/wp-admin/admin-ajax.php" AND parameters CONTAINS "king-addons")

📊 Metadata

CVE ID: CVE-2025-62889

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-862

EPSS Score: 0.06% exploit probability (18.1th percentile)

Published: October 27, 2025

Last Updated: January 20, 2026

🔗 References

https://patchstack.com/database/Wordpress/Plugin/king-addons/vulnerability/wordpress-king-addons-for-elementor-plugin-51-1-37-broken-access-control-vulnerability?_s_id=cve

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-62889, you might also want to check these: