Concise Cyber


WordPress King Addons Flaw Actively Exploited to Create Rogue Admin Accounts

A critical vulnerability in the KingComposer page builder plugin for WordPress, along with its associated King Addons, is under active exploitation. Threat actors are leveraging the flaw to create unauthorized administrator accounts on vulnerable websites, granting them full control over the compromised installations.

The vulnerability was identified by security researchers who observed a significant number of attacks targeting the plugin. The active exploitation campaigns have led to complete site takeovers.

Vulnerability Details and Exploitation Method

The security flaw is an Unauthenticated Arbitrary Options Update vulnerability. This class of flaw lets an unauthenticated attacker write any value into any row of the WordPress options table, which holds site-wide settings. In this campaign the attackers change two of them. First, they set the ‘users_can_register’ option to 1, which opens self-registration (it is off by default). Second, they set the ‘default_role’ option, which governs the role assigned to every newly registered user and is normally ‘subscriber’, to ‘administrator’.

With those two settings in place, the attacker simply visits the standard WordPress registration page (wp-login.php?action=register), creates an account, and receives full administrative privileges the moment the account is created. No step in the chain requires prior authentication, so any site running the unpatched plugin is an easy target.

Active Attacks and Indicators of Compromise

Cybersecurity firm Wordfence reported blocking a large volume of attacks targeting this vulnerability across its network. Once the attackers hold an administrator account, their primary goal is persistence: they have been observed installing malicious plugins that serve as backdoors. One such plugin consistently seen in these attacks is named “seplugins”. Website administrators are advised to check for administrator accounts they do not recognise, for plugins with unfamiliar names, and for the two options above still being set to the attacker's values.

The developers of the KingComposer plugin have released a patched version that addresses the vulnerability, and users are urged to update to the latest version immediately. Updating closes the entry point but does not undo changes an attacker has already made: ‘users_can_register’ and ‘default_role’ stay at the attacker's values, and any rogue administrator account or backdoor plugin stays in place. Reviewing the user list for unfamiliar administrators, removing them together with any unrecognised plugin, and resetting the two options are therefore the essential remediation steps alongside the update.
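The attack chain described under "Vulnerability Details" and the indicators listed above can all be checked directly in the WordPress database. The script below is an added example, not code from the article, from Wordfence or from the plugin vendor. It seeds an in-memory SQLite copy of the three tables involved (wp_options, wp_users, wp_usermeta) with constructed rows that mimic a compromised site, then runs the queries a responder would run against the live MySQL database: are the two options flipped, which accounts are administrators and which of those were created recently, and is a watchlisted plugin such as “seplugins” active. The user names, dates, the second plugin and the 30-day window are assumptions; the default ‘wp_’ table prefix is assumed too.

```python
# Added example: post-exploitation audit for the options-flip-then-register chain.
# Not code from the article or the plugin vendor; all rows below are constructed.
import re
import sqlite3
from datetime import datetime, timedelta

SCHEMA = """
CREATE TABLE wp_options  (option_name TEXT PRIMARY KEY, option_value TEXT);
CREATE TABLE wp_users    (ID INTEGER PRIMARY KEY, user_login TEXT, user_registered TEXT);
CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
"""
_STR_MARK = re.compile(r's:(\d+):"')


def php_serialize_strings(items):
    """Encode a list of strings the way WordPress stores active_plugins."""
    body = "".join(f'i:{i};s:{len(s.encode())}:"{s}";' for i, s in enumerate(items))
    return f"a:{len(items)}:{{{body}}}"


def php_unserialize_strings(value):
    """Decode the string members of a PHP-serialized array. Uses the declared
    length instead of scanning for quotes, so odd plugin paths cannot
    desynchronise the parser (ASCII assumed for the sample data)."""
    items, pos = [], 0
    while (m := _STR_MARK.search(value, pos)):
        n, start = int(m.group(1)), m.end()
        items.append(value[start:start + n])
        pos = start + n + 2          # step over the closing '";'
    return items


def build_sample_db():
    """Constructed snapshot of a site after the attack chain in the article."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO wp_options VALUES (?, ?)", [
        ("users_can_register", "1"),                 # flipped by the attacker
        ("default_role", "administrator"),           # flipped by the attacker
        ("active_plugins", php_serialize_strings([
            "contact-form-7/wp-contact-form-7.php",  # benign plugin (assumed)
            "seplugins/seplugins.php",               # backdoor name from the report
        ])),
    ])
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?)", [
        (1, "siteowner", "2023-01-10 09:00:00"),
        (2, "editor01", "2024-06-02 14:30:00"),
        (3, "wp_update", "2025-12-01 03:12:44"),     # rogue account (hypothetical name)
    ])
    conn.executemany("INSERT INTO wp_usermeta VALUES (?, ?, ?)", [
        (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
        (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
        (3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    ])
    return conn


def audit_registration_options(conn):
    """Flag the two options the campaign sets. Returns a list of findings."""
    opts = dict(conn.execute(
        "SELECT option_name, option_value FROM wp_options "
        "WHERE option_name IN ('users_can_register', 'default_role')"))
    findings = []
    if opts.get("users_can_register") == "1":
        findings.append("users_can_register=1: anyone can self-register")
    role = opts.get("default_role", "subscriber")
    if role != "subscriber":
        findings.append(f"default_role={role!r}: new registrations are not subscribers")
    return findings


def find_admin_accounts(conn, now_str, within_days=30):
    """Return (login, registered, is_recent) for every administrator; admins
    created inside the window are suspects until proven otherwise."""
    cutoff = datetime.strptime(now_str, "%Y-%m-%d %H:%M:%S") - timedelta(days=within_days)
    rows = conn.execute(
        "SELECT u.user_login, u.user_registered FROM wp_users u "
        "JOIN wp_usermeta m ON m.user_id = u.ID "
        "WHERE m.meta_key = 'wp_capabilities' "
        "AND m.meta_value LIKE '%\"administrator\"%' ORDER BY u.ID").fetchall()
    return [(login, reg, datetime.strptime(reg, "%Y-%m-%d %H:%M:%S") >= cutoff)
            for login, reg in rows]


def find_watchlisted_plugins(conn, watchlist=("seplugins",)):
    """Return active plugin files whose directory slug is on the watchlist."""
    row = conn.execute(
        "SELECT option_value FROM wp_options WHERE option_name = 'active_plugins'").fetchone()
    plugins = php_unserialize_strings(row[0]) if row else []
    return [p for p in plugins if p.split("/", 1)[0] in watchlist]


if __name__ == "__main__":
    db = build_sample_db()
    for f in audit_registration_options(db):
        print("FINDING:", f)
    for login, reg, recent in find_admin_accounts(db, "2025-12-05 12:00:00"):
        print(f"admin {login:<10} registered {reg}{'  <-- recent' if recent else ''}")
    for p in find_watchlisted_plugins(db):
        print("FINDING: watchlisted plugin active:", p)
```

On a live site the same three checks map onto WP-CLI: `wp option get users_can_register`, `wp option get default_role`, `wp user list --role=administrator --fields=ID,user_login,user_registered` and `wp plugin list --status=active`; the fix for the two options is `wp option update users_can_register 0` and `wp option update default_role subscriber`, after which the rogue account and plugin still have to be deleted by hand. The admin query matches on the serialized capabilities array rather than a role column because WordPress stores roles inside wp_usermeta, which is also why a rogue admin does not show up in wp_users alone.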

Source: https://thehackernews.com/2025/12/wordpress-king-addons-flaw-under-active.html