WordPress Sites Under Siege as King Addons Flaw Enables Easy Admin Takeover
A critical flaw in the popular King Addons for Elementor plugin reportedly allows hackers to gain full admin access on WordPress sites without any login credentials. Security teams have blocked over 48,000 attack attempts exploiting this vulnerability since October.
The flaw exposes thousands of websites to complete takeover, where attackers can upload malicious files or steal sensitive data with ease. Web developers using the plugin face urgent risks, as exploitation ramps up across global servers.
WordPress powers more than 40% of all websites worldwide, making it a prime target for cybercriminals seeking quick gains. The King Addons plugin, designed to extend the Elementor page builder with extra widgets and templates, had drawn over 10,000 active installations before the patch.
Such add-ons often promise seamless customization but introduce hidden risks if not vetted properly. Users typically install them for free features that speed up site design, yet outdated versions leave doors wide open for remote code execution alongside the admin escalation issue.
Federal records show two linked vulnerabilities, one for broken access controls and another for privilege escalation, both rated at the highest severity level. Immediate updates to version 51.1.37 reportedly fix these holes, but many sites lag behind due to auto-update hesitancy.
Attackers have actively targeted this flaw, with confirmed exploits leading to site hacks in recent weeks. The figure of 48,000 blocked attempts aligns with firewall logs from major security providers, though actual successful breaches remain underreported.


