WordPress is the most popular content management system (CMS) used for building anything from simple websites to sophisticated management information systems.
According to various statistics, WordPress maintains a steady market share of over 43% for websites and about 63% for all Content Management Systems.
Its main competitors include Wix, Joomla, Drupal, Shopify (which can also be integrated with WordPress), Squarespace, and Webflow.
Advanced software developers can also use Model-View-Controller (MVC) frameworks, such as Laravel, CodeIgniter, Yii, Django, and ASP.NET MVC, to create similar applications.
WordPress gurus can also extend the framework to create stunning standalone applications, or plugins, themes, and components that can be installed on any WordPress website. Its flexibility has allowed it to dominate the webspace, making it the default for most bloggers or organizations wishing to build quickly.
However, its popularity and market domination have made it a target for cybercriminals. The large number of plugins, themes, and components has also introduced vulnerabilities that threat actors can use to compromise WordPress sites.
WordPress Critical Vulnerability CVE-2025-8489 in King Addons for Elementor Exploited in the Wild
Attackers are exploiting a critical (CVSS 9.8) vulnerability in the King Addons for Elementor WordPress plugin to escalate privileges and gain administrative rights.
Israel-based Elementor is a popular WordPress website builder that lets users build sites with drag-and-drop capabilities similar to Wix. King Addons is a third-party WordPress plugin for Elementor that extends the builder's capabilities, allowing webmasters to build more quickly.
Between October 31 and the time of publication, Wordfence, which provides free and enterprise WordPress security solutions, has blocked over 48,400 exploit attempts targeting King Addons for Elementor on WordPress.
According to Peter Thaleikis, the cybersecurity researcher who discovered the vulnerability, CVE-2025-8489 allows a user to choose their own role, including administrator, without any restriction. Sending a request containing 'user_role=administrator' to 'admin-ajax.php' is enough to gain administrative privileges.
According to the researchers, most exploitation attempts occurred on November 9 and 10, 2025, amounting to 28,900 attempts from two IP addresses, 45.61.157.120 (28,900 attempts) and 2602:fa59:3:424::1 (16,900 attempts). However, other IP addresses have also been used in attempts to compromise WordPress sites via King Addons for Elementor.
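As an added example that is not from the article or from Wordfence, the following Python flags requests to admin-ajax.php that carry a user_role parameter, the pattern described above, across constructed web-server log lines. It assumes the parameter is visible in the logged request line (parameters sent in a POST body need a WAF or request-body logging); the log format, sample lines, and helper names are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined-log-format request line; the query string is part of the target.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Roles whose assignment by an unprivileged caller amounts to site takeover.
PRIVILEGED_ROLES = {"administrator", "editor"}
# Source addresses the article names for the November 9-10 exploitation wave.
KNOWN_SOURCES = {"45.61.157.120", "2602:fa59:3:424::1"}

# Constructed sample lines (not real traffic); 203.0.113.0/24 etc. are documentation ranges.
SAMPLE_LOG = """\
45.61.157.120 - - [09/Nov/2025:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?user_role=administrator HTTP/1.1" 200 512 "-" "python-requests/2.32"
198.51.100.7 - - [09/Nov/2025:10:02:15 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 98 "-" "Mozilla/5.0"
203.0.113.11 - - [09/Nov/2025:10:03:40 +0000] "POST /blog/wp-admin/admin-ajax.php?user_role=subscriber HTTP/1.1" 200 512 "-" "curl/8.4"
192.0.2.5 - - [09/Nov/2025:10:04:01 +0000] "GET /index.php?user_role=administrator HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

def detect_role_escalation(log_text):
    """Return one finding per request that passes user_role to admin-ajax.php."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        url = urlsplit(m["target"])
        if not url.path.endswith("/admin-ajax.php"):
            continue  # user_role on other endpoints is out of scope for this rule
        roles = parse_qs(url.query).get("user_role", [])
        if not roles:
            continue  # ordinary AJAX traffic (heartbeat, form submissions, ...)
        findings.append({
            "ip": m["ip"],
            "timestamp": m["ts"],
            "roles": roles,
            "severity": "high" if set(roles) & PRIVILEGED_ROLES else "medium",
            "known_source": m["ip"] in KNOWN_SOURCES,
            "status": int(m["status"]),  # 200 suggests the server did not reject it
        })
    return findings

if __name__ == "__main__":
    for finding in detect_role_escalation(SAMPLE_LOG):
        print(finding)
```

Any hit with a privileged role and a 2xx status should be followed by a review of recently created or modified administrator accounts on the site.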
Critical Vulnerability in ThemeForest's Service Finder WordPress Theme
A critical vulnerability (CVSS 9.8) in ThemeForest's Service Finder WordPress theme allows an unauthenticated attacker to gain administrative rights.
ThemeForest is a popular provider of WordPress themes and plugins that let webmasters create impressive websites quickly.
Its Service Finder theme lets service providers register and create profiles so that customers can find their services. Customers can also post tasks with their requirements, invite service providers, and book appointments, while sellers can search for tasks and apply.
However, the popular theme was affected by a major authentication bypass flaw that could allow unauthenticated attackers to take over websites using the theme by escalating their privileges.
The theme's service_finder_switch_back() function failed to validate the user cookie before logging the user in.
Within 24 hours of discovery, Wordfence blocked 91 attacks, suggesting that the critical vulnerability was being exploited in the wild. It affected versions of the theme below 6.1 and has since been patched. However, the number of affected victims remains unknown to us at the time of publication.