KingAddons King Addons for Elementor, unauthenticated arbitrary file upload (King Addons File Upload)
An unrestricted file upload vulnerability exists in the King Addons for Elementor WordPress plugin in all versions up to and including 51.1.36. The plugin's form upload AJAX handler exposes its nonce to every site visitor and fails to validate the uploaded file type, allowing an unauthenticated attacker to upload arbitrary files, including a PHP web shell, to a web-accessible directory. Successful exploitation leads to remote code execution on the underlying web server.
Overview
CVE-2025-6327 is a critical unrestricted file upload vulnerability in King Addons for Elementor, a WordPress add-on plugin (slug king-addons) installed on more than 10,000 sites. The flaw affects every release up to and including version 51.1.36 and is reachable by completely unauthenticated visitors. Because the plugin allows an attacker to write arbitrary files, including executable PHP, into a directory served by the web server, exploitation results in full remote code execution. The National Vulnerability Database assigns the maximum CVSS v3.1 base score of 10.0 (critical), reflecting network reachability, no authentication, no user interaction, and a scope change with high impact to confidentiality, integrity, and availability.
Technical Details
The vulnerability lives in the plugin's form-handling logic. King Addons registers an AJAX action for processing file uploads attached to its form widget, and the nonce that is supposed to gate this action is localized into script data delivered to every page visitor. As a result, an unauthenticated client can read the nonce and replay it to invoke the upload endpoint without any logged-in session.
The second half of the bug is broken type validation. The handler's file_validity() check returns a non-empty string on failure rather than a boolean false, so the truthiness test that was meant to reject dangerous files passes for any input. The list of permitted extensions (allowed_file_types) is also caller-influenced, so an attacker can submit a payload whose type is not legitimately allowed. The uploaded file is written into wp-content/uploads/king-addons/forms/, a path that is directly reachable over HTTP. Uploading a .php file and then requesting it executes attacker-controlled code in the context of the web server. This maps to CWE-434 (Unrestricted Upload of File with Dangerous Type). The vendor remediated both issues in version 51.1.37 by enforcing an upload_files capability check on the handler and correcting the file-type validation.
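To make the truthiness defect concrete, here is an added illustration in Python (not the plugin's code, which is PHP; the function names, allowlist and capability flag are hypothetical) of a validator that returns an error string on failure, the caller-influenced allowlist that lets any file through, and a corrected check modelled on the vendor's fix:

```python
import os

# Hypothetical server-side allowlist; in the fixed logic it must not come from the request.
SERVER_ALLOWED = {"pdf", "png", "jpg", "jpeg", "gif", "txt"}
DANGEROUS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "htaccess"}

def file_validity(filename, allowed):
    """Buggy contract modelled on the advisory: True on success, an error
    *message* on failure. A non-empty string is truthy, so a caller that
    tests the result with a bare if/not cannot tell failure from success."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    if ext not in allowed:
        return f"File type .{ext} is not allowed"
    return True

def vulnerable_accepts(filename, client_allowed):
    """Pre-fix style logic (reconstructed, not the plugin's code): the
    allowlist is taken from the request and the result is truth-tested."""
    allowed = {t.strip().lower() for t in client_allowed.split(",")}
    return bool(file_validity(filename, allowed))   # error string -> True

def hardened_accepts(filename, user_can_upload):
    """Corrected logic: a capability gate (mirrors the upload_files check),
    a server-owned allowlist, an explicit comparison with the success value,
    and rejection of a dangerous extension anywhere in the name."""
    if not user_can_upload:
        return False
    parts = filename.lower().split(".")[1:]          # every suffix, e.g. x.php.png
    if not parts or any(p in DANGEROUS for p in parts):
        return False
    return file_validity(filename, SERVER_ALLOWED) is True

if __name__ == "__main__":
    # Hypothetical file names, constructed for the demonstration.
    for name, client_list in [("report.pdf", "pdf"), ("x.php", "pdf")]:
        print(f"{name:12} vulnerable={vulnerable_accepts(name, client_list)} "
              f"hardened={hardened_accepts(name, True)}")
```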
Impact
- Unauthenticated remote attackers can upload and execute arbitrary PHP code, achieving full remote code execution on the host.
- Complete compromise of the WordPress site: database credential theft, content defacement, malware and backdoor implantation, and creation of rogue administrator accounts.
- The CVSS scope change (S:C) reflects that code execution in the web server can affect resources beyond the vulnerable component, such as other sites on shared hosting.
- High impact to confidentiality, integrity, and availability of the site and any data it processes.
Mitigation
- Update King Addons for Elementor to version 51.1.37 or later immediately; this release adds the missing upload_files capability check and fixes file-type validation.
- If you cannot patch right away, deactivate and remove the King Addons for Elementor plugin until the update can be applied.
- After patching, audit wp-content/uploads/king-addons/forms/ for unexpected .php, .phtml, or other executable files and remove any that are not legitimate uploads.
- Configure the web server to deny execution of PHP within the uploads directory (for example, an .htaccess rule or an equivalent Nginx location block) as defense in depth.
- Rotate WordPress administrator passwords and secret keys, and review the user list for unauthorized accounts created during any compromise window.
Detection
Because the endpoint is unauthenticated, exploitation typically appears in web server access logs as POST requests to admin-ajax.php carrying the plugin's upload action and a multipart/form-data body. Search HTTP logs for admin-ajax.php POSTs whose action parameter corresponds to the King Addons form upload handler, especially from IP addresses that never authenticated. A burst of such requests from a single source, or requests with file fields whose filenames end in .php, .phtml, .php5, or .phar, is a strong indicator of an upload attempt.
The most reliable signal is on the filesystem. Enumerate wp-content/uploads/king-addons/forms/ and flag any file with an executable PHP extension or whose content contains PHP tags (<?php), eval(, base64_decode(, system(, assert(, or passthru(). Legitimate form uploads in this directory should be documents or images, not scripts. Compare file modification timestamps against your patch date; any executable file written before the upgrade warrants investigation as a potential web shell. File integrity monitoring (FIM) on the uploads tree will catch new file creation in near real time.
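A filesystem sweep of the kind described above, as an added example that is not from the advisory or the plugin: it scans a directory for executable extensions and for the PHP signatures the paragraph lists. The demo builds a constructed sample tree in a temporary directory in place of wp-content/uploads/king-addons/forms/; the extension set and signature regex are assumptions.

```python
import os
import re
import shutil
import tempfile

EXEC_EXT = {".php", ".phtml", ".php3", ".php4", ".php5", ".php7", ".phar", ".phps"}
# Signatures named in the advisory; a hit inside a "document" warrants a manual look.
SIGNATURES = re.compile(
    rb"<\?php|\beval\s*\(|base64_decode\s*\(|\bsystem\s*\(|\bassert\s*\(|passthru\s*\(", re.I)

def scan_uploads(root):
    """Return sorted (relative_path, reason) pairs for suspicious files under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            # Check every suffix so x.php.jpg is caught, not just the last one.
            suffixes = {"." + p.lower() for p in name.split(".")[1:]}
            if suffixes & EXEC_EXT:
                findings.append((rel, "executable extension"))
                continue
            with open(path, "rb") as fh:
                head = fh.read(65536)        # first 64 KiB is enough for a dropper
            m = SIGNATURES.search(head)
            if m:
                findings.append((rel, f"php signature {m.group(0).decode(errors='replace')!r}"))
    return sorted(findings)

def demo():
    """Constructed sample files standing in for the real upload directory."""
    root = tempfile.mkdtemp()
    samples = {
        "resume.pdf": b"%PDF-1.4 harmless document",
        "x7a9.php": b"<?php // constructed sample ?>",            # flagged by extension
        "photo.jpg": b"\xff\xd8\xff\xe0 <?php /* inline */ ?>",   # flagged by content
        "notes.txt": b"assert nothing here",                      # no '(' after assert
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    try:
        return scan_uploads(root)
    finally:
        shutil.rmtree(root)

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```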
Next, correlate suspicious upload requests with subsequent direct GET/POST requests to the newly created file path under /wp-content/uploads/king-addons/forms/, which is how an attacker triggers the planted shell. Requests to a randomly named .php file in that directory, particularly carrying command-like query strings or POST bodies, indicate active control of a web shell. On the server, watch for the PHP-FPM or Apache worker process spawning child processes such as sh, bash, cmd, powershell, whoami, or wget/curl; web servers should rarely fork shells, so endpoint detection and response (EDR) alerts on these parent-child relationships are high fidelity.
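Log-side correlation of the two steps described in this paragraph and in the first paragraph of this section, as an added example that is not from the advisory: it reads combined-format access log lines, remembers admin-ajax.php POSTs per client IP, and reports any later request from that IP for an executable file under the form upload path. The sample log lines, IPs and file names are constructed; because the page does not name the upload action parameter and a combined log does not record the POST body, every admin-ajax.php POST is treated as a candidate.

```python
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
UPLOAD_DIR = "/wp-content/uploads/king-addons/forms/"
EXEC_RE = re.compile(r"\.(php\d?|phtml|phar)(\?|$)", re.I)

def find_shell_chains(lines):
    """Return {ip: [(time_of_upload_post, requested_path)]} for every client that
    POSTs to admin-ajax.php and afterwards fetches an executable under UPLOAD_DIR."""
    pending = defaultdict(list)   # ip -> timestamps of admin-ajax POSTs seen so far
    chains = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, path = m["ip"], m["ts"], m["method"], m["path"]
        if method == "POST" and "/wp-admin/admin-ajax.php" in path:
            pending[ip].append(ts)
        elif path.startswith(UPLOAD_DIR) and EXEC_RE.search(path) and pending[ip]:
            chains[ip].append((pending[ip][-1], path.split("?")[0]))
    return dict(chains)

# Constructed sample log in Apache combined format (documentation-range IPs).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2025:10:14:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 61 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2025:10:14:05 +0000] "GET /wp-content/uploads/king-addons/forms/a8f1.php?p=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jul/2025:10:15:11 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 61 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jul/2025:10:15:20 +0000] "GET /wp-content/uploads/king-addons/forms/resume.pdf HTTP/1.1" 200 8831 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jul/2025:10:16:00 +0000] "GET /wp-content/uploads/king-addons/forms/old.php HTTP/1.1" 404 0 "-" "curl/8.0"
"""

if __name__ == "__main__":
    for ip, hits in find_shell_chains(SAMPLE_LOG.splitlines()).items():
        for posted_at, path in hits:
            print(f"{ip}: admin-ajax POST at {posted_at}, then fetched {path}")
```

The third client fetches a .php file without a preceding upload POST, so it is not reported here; a request like that still deserves a look if the file exists on disk.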
Finally, review WordPress for post-exploitation persistence: new administrator users, modified wp-config.php, unexpected scheduled tasks (wp_cron), and injected content in theme or plugin files. WordPress security plugins such as Wordfence include firewall rules and malware signatures for this vulnerability; ensure their rule sets are current. Retain and review at least 30 days of access logs, since scanning and exploitation of high-value WordPress plugin flaws often begins well before an organization is aware it is affected.
References
- https://patchstack.com/database/wordpress/plugin/king-addons/vulnerability/wordpress-king-addons-for-elementor-plugin-51-1-36-arbitrary-file-upload-vulnerability
- https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/king-addons/king-addons-for-elementor-51136-unauthenticated-arbitrary-file-upload
- https://www.cve.org/CVERecord?id=CVE-2025-6327