WordPress Plugin Vulnerabilities

King Addons for Elementor < 51.1.37 - Unauthenticated Arbitrary File Upload

Description

The King Addons for Elementor – 4,000+ ready Elementor sections, 650+ templates, 70+ FREE widgets for Elementor plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 51.1.36. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

Affects Plugins

Plugin icon
king-addons
Fixed in 51.1.37

References

CVE
CVE-2025-6327
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/76dbd82d-60a4-40c8-8f66-6bbe45b4d199

Miscellaneous

Original Researcher
Najib Sinjari
Verified
No
WPVDB ID
404fab3f-cf5f-4c2c-8562-583459ff4d70

Timeline

Publicly Published
2025-10-21 (about 8 months ago)
Added
2025-10-29 (about 7 months ago)
Last Updated
2025-10-29 (about 7 months ago)

Other

Published
Title
Published
2025-02-17
Title
Everest Forms < 3.0.9.5 - Unauthenticated Arbitrary File Upload, Read, and Deletion
Published
2025-05-07
Title
BEAF < 4.6.11 - Authenticated (Admin+) Arbitrary File Upload
Published
2021-03-21
Title
WooCommerce Help Scout < 2.9.1 - Unauthenticated Arbitrary File Upload leading to RCE
Published
2014-08-01
Title
Anthology - Remote File Upload
Published
2025-09-25
Title
WP-DownloadManager < 1.69 - Authenticated (Admin+) Arbitrary File Upload