hashpwn
Infosec News

  • freeroute (Moderator), post #101

    Critical flaw in WordPress add-on for Elementor exploited in attacks
    Attackers are exploiting a critical-severity privilege escalation vulnerability (CVE-2025-8489) in the King Addons for Elementor plugin for WordPress, which lets them obtain administrative permissions during the registration process.

    The threat activity started on October 31, just a day after the issue was publicly disclosed. So far, the Wordfence security scanner from Defiant, a company that provides security services for WordPress websites, has blocked more than 48,400 exploit attempts.

    King Addons is a third-party add-on for Elementor, a popular visual page builder plugin for WordPress sites. It is used on roughly 10,000 websites, providing additional widgets, templates, and features.

    CVE-2025-8489, discovered by researcher Peter Thaleikis, is a flaw in the plugin’s registration handler that allows anyone signing up to specify their user role on the website, including the administrator role, without enforcing any restrictions.

    According to observations from Wordfence, attackers send a crafted ‘admin-ajax.php’ request specifying ‘user_role=administrator,’ to create rogue admin accounts on targeted sites.

    The researchers noticed a peak in the exploitation activity between November 9 and 10, with two IP addresses being the most active: 45.61.157.120 (28,900 attempts) and 2602:fa59:3:424::1 (16,900 attempts).

    Wordfence provides a more extensive list of offensive IP addresses and recommends that website administrators look for them in the log files. The presence of new administrator accounts is also a clear sign of compromise.

    Website owners are advised to upgrade to version 51.1.35 of King Addons, which addresses CVE-2025-8489, released on September 25.

    Wordfence researchers are also warning of another critical vulnerability in the Advanced Custom Fields: Extended plugin, active on more than 100,000 WordPress websites, which can be exploited by an unauthenticated attacker to execute code remotely.

    The flaw affects versions 0.9.0.5 through 0.9.1.1 of the plugin and is currently tracked as CVE-2025-13486. It was discovered and reported responsibly by Marcin Dudek, the head of the national computer emergency response team (CERT) in Poland.

    The vulnerability is “due to the function accepting user input and then passing that through call_user_func_array(),” Wordfence explains.

    “This makes it possible for unauthenticated attackers to execute arbitrary code on the server, which can be leveraged to inject backdoors or create new administrative user accounts.”

    The security issue was reported on November 18, and the plugin vendor addressed it in version 0.9.2 of Advanced Custom Fields: Extended, released a day after receiving the vulnerability report.

    Given that the flaw can be leveraged without authentication only through a crafted request, the public disclosure of technical details is likely to generate malicious activity.

    Website owners are advised to move to the latest version as soon as possible or disable the plugin on their sites.


    Source: https://www.bleepingcomputer.com/news/security/critical-flaw-in-wordpress-add-on-for-elementor-exploited-in-attacks/

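The post relays two of Wordfence's triage recommendations: look for the listed source IPs in the web server logs and check for administrator accounts that appeared during the attack window. The script below is an added example of that review and is not code from the post, from Wordfence, or from the King Addons plugin. It assumes Apache/nginx "combined" access-log format and a user list in the shape WP-CLI's `wp user list --format=json` produces (where `roles` is a comma-separated string); the two IP addresses come from the post, while the log lines and the user list are constructed sample data. The post does not name the plugin's AJAX `action` parameter, so the request check keys only on `user_role=administrator`.

```python
"""Triage helpers for the King Addons (CVE-2025-8489) exploitation wave.

Added example, not from the post, Wordfence or the plugin. Assumptions:
- access logs are in Apache/nginx "combined" format;
- the user list matches `wp user list --format=json` (WP-CLI), whose
  `roles` field is a comma-separated string;
- the plugin's real AJAX `action` name is not given in the post, so the
  request check keys only on the `user_role=administrator` parameter.
"""
import re
from datetime import datetime
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# The two source IPs named in the post; extend with Wordfence's full list.
KNOWN_ATTACK_SOURCES = {"45.61.157.120", "2602:fa59:3:424::1"}

# Combined log format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def classify_request(line: str) -> Optional[Dict]:
    """Return a finding for one access-log line, or None if nothing matched."""
    m = LOG_RE.match(line)
    if not m:
        return None
    reasons = []
    parts = urlsplit(m.group("target"))
    if parts.path.endswith("/admin-ajax.php"):
        params = parse_qs(parts.query)
        if "administrator" in params.get("user_role", []):
            reasons.append("user_role=administrator sent to admin-ajax.php")
    if m.group("ip") in KNOWN_ATTACK_SOURCES:
        reasons.append("source IP listed in Wordfence observations")
    if not reasons:
        return None
    return {"ip": m.group("ip"), "time": m.group("time"),
            "method": m.group("method"), "status": int(m.group("status")),
            "reasons": reasons}


def scan_log(text: str) -> List[Dict]:
    """Run classify_request over every non-empty line and keep the findings."""
    findings = []
    for line in text.splitlines():
        finding = classify_request(line) if line.strip() else None
        if finding:
            findings.append(finding)
    return findings


def suspicious_admins(users: List[Dict], since: str) -> List[str]:
    """Logins of administrator accounts registered on or after `since` (ISO date)."""
    cutoff = datetime.fromisoformat(since)
    flagged = []
    for user in users:
        roles = {r.strip() for r in user["roles"].split(",")}
        registered = datetime.fromisoformat(user["user_registered"])
        if "administrator" in roles and registered >= cutoff:
            flagged.append(user["user_login"])
    return flagged


# Constructed sample data. Line 1 carries the parameter in the query string;
# line 3 is a POST whose body is not logged, so only the IP match remains.
SAMPLE_LOG = """\
45.61.157.120 - - [09/Nov/2025:14:02:11 +0000] "POST /wp-admin/admin-ajax.php?user_role=administrator HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [09/Nov/2025:14:05:40 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 68 "-" "Mozilla/5.0"
2602:fa59:3:424::1 - - [10/Nov/2025:03:17:55 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.22 - - [10/Nov/2025:08:00:02 +0000] "GET /index.php HTTP/1.1" 200 10240 "-" "Mozilla/5.0"
"""

# Constructed user list: one long-standing admin, one editor, one admin
# registered during the exploitation window.
SAMPLE_USERS = [
    {"user_login": "siteowner", "user_registered": "2023-05-14 09:12:00", "roles": "administrator"},
    {"user_login": "editor1", "user_registered": "2025-11-02 10:00:00", "roles": "editor"},
    {"user_login": "zx9q1", "user_registered": "2025-11-09 14:02:12", "roles": "administrator"},
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["time"], f["ip"], "; ".join(f["reasons"]))
    print("administrators registered since disclosure:",
          suspicious_admins(SAMPLE_USERS, since="2025-10-31"))
```

Combined access logs do not record POST bodies, so a request that carries `user_role` in the body is invisible to the parameter check; it surfaces only through the IP list or through the administrator account it creates, which is why the registration check runs alongside the log scan rather than instead of it.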
    • cyclone (Admin), post #102

      Massive 16 Terabyte Database With 4.3 Billion-Records Leaked


      A massive unprotected MongoDB instance containing over 4.3 billion records and totaling roughly 16 TB of data was discovered exposed online. The dataset included highly structured professional and corporate intelligence data, much of it clearly scraped from LinkedIn and enriched through lead-generation pipelines. The exposed collections contained PII such as full names, emails, phone numbers, LinkedIn profile URLs, employment history, skills, education, location data, and even photographs.

      The leak, uncovered by cybersecurity researcher Bob Diachenko on November 23rd, 2025, consisted of nine major collections. Three of those - profiles, unique_profiles, and people - alone contained nearly 2 billion individual PII-rich entries. The dataset also referenced an “Apollo ID”, suggesting potential linkage to Apollo-style sales intelligence ecosystems or enrichment tools.

      The structured nature of the data, combined with its massive scale, makes it extremely attractive to threat actors. Attackers could weaponize the PII for targeted phishing, CEO fraud, corporate reconnaissance, credential stuffing, and AI-assisted social engineering at unprecedented volume. With up-to-date professional metadata, malicious operators can automatically craft convincing spear-phishing messages or build large internal mapping structures of corporate roles and contacts.

      The exposed database was secured on November 25th, the day after responsible disclosure, but it is unknown how long it had been publicly accessible. Given the size and organization of the dataset, researchers warn that malicious parties may have already accessed it.

      This exposure adds to a growing trend of massive, scraping-driven data leaks, which now routinely exceed billions of records and blur the line between legally scraped data and high-risk breach material.


      Sources:

      • https://cybernews.com/security/database-exposes-billions-records-linkedin-data/
      • https://www.tomsguide.com/computing/online-security/4-3-billion-job-documents-left-unsecured-online-names-emails-phone-numbers-and-linkedin-data-exposed

      Sysadmin by day | Hacker by night | Go Developer | hashpwn site owner
      3x RTX 4090
