Impact
The King Addons for Elementor plugin allows an attacker to upload a file of any type, including a web shell, to the web server. This lack of file type validation (CWE-434) can lead to execution of arbitrary code and full compromise of the vulnerable site. The impact covers confidentiality, integrity, and availability, since an attacker can upload malicious content and later execute it on the server.
Affected Systems
WordPress sites running KingAddons.com’s King Addons for Elementor plugin at version 51.1.36 or earlier are affected; every release up to and including 51.1.36 carries the flaw.
Risk and Exploitability
The CVSS score of 10 marks this as critical. The EPSS score of less than 1% suggests a low probability of exploitation in the wild, and the vulnerability is not currently listed in the CISA KEV catalog. Exploitation requires access to the plugin’s upload interface, which typically needs administrative or equivalent privileges. Once a file is uploaded, an attacker can execute it as the web server user, leading to full site compromise. Because the severity is high and the flaw persists until a patch is applied, the risk to any affected installation is high; the attack vector is inferred to be authenticated administrative access to the WordPress backend.
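A read-only triage check for an administrator, added here as an example and not taken from the advisory or from the plugin's own code: it parses the plugin header's `Version:` line and flags anything at or below 51.1.36, then lists files under the uploads directory that carry a server-executable extension, which is where a CWE-434 upload usually lands. The plugin directory name, main file name and uploads path are assumptions about a typical install, not values from the advisory.

```python
"""Added example (not the advisory's or the plugin's code): version triage plus
an uploads-directory sweep for files a PHP-serving web server would execute."""
import os
import re
from typing import List, Tuple

LAST_AFFECTED = (51, 1, 36)  # from the advisory: 51.1.36 and earlier are affected
# Extensions commonly mapped to the PHP handler; presence under uploads is suspect.
EXEC_EXTS = {".php", ".php5", ".php7", ".phtml", ".phar"}


def parse_version(header_text: str) -> Tuple[int, ...]:
    """Extract the 'Version: X.Y.Z' line of a WordPress plugin header as an int tuple."""
    m = re.search(r"^\s*\*?\s*Version:\s*([\d.]+)", header_text, re.MULTILINE)
    if not m:
        raise ValueError("no Version: header found")
    return tuple(int(p) for p in m.group(1).split("."))


def is_affected(version: Tuple[int, ...]) -> bool:
    """Tuple comparison orders 51.1.36 < 51.1.40 < 51.2.0 correctly."""
    return version <= LAST_AFFECTED


def has_exec_extension(filename: str) -> bool:
    """Flag an executable extension anywhere after the first dot, so a
    double-extension name such as 'shell.php.jpg' is caught as well."""
    parts = filename.lower().split(".")
    return any("." + p in EXEC_EXTS for p in parts[1:])


def scan_uploads(uploads_dir: str) -> List[str]:
    """Return sorted paths of files under uploads_dir with an executable extension."""
    hits = []
    for root, _dirs, files in os.walk(uploads_dir):
        for name in files:
            if has_exec_extension(name):
                hits.append(os.path.join(root, name))
    return sorted(hits)


if __name__ == "__main__":
    # Assumed paths for a typical install; adjust to the real layout.
    with open("wp-content/plugins/king-addons/king-addons.php", encoding="utf-8") as fh:
        installed = parse_version(fh.read())
    print(".".join(map(str, installed)), "affected" if is_affected(installed) else "not affected")
    for path in scan_uploads("wp-content/uploads"):
        print("executable file under uploads:", path)
```

A hit from `scan_uploads` is a lead for incident response, not proof of compromise; compare it against the site's known legitimate files before acting.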
OpenCVE Enrichment