Post Carousel Slider for Elementor < 1.7.0 – Authenticated (Subscriber+) Missing Authorization via process_wbelps_promo_form Function | CVE 2025-3863 | Plugin Vulnerabilities

Description

The Post Carousel Slider for Elementor plugin for WordPress is vulnerable to improper authorization due to a missing capability check on the process_wbelps_promo_form() function in all versions up to, and including, 1.6.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger the plugin’s support‐form handler to send arbitrary emails to the site’s support address.

Affects Plugins

post-carousel-slider-for-elementor

Fixed in 1.7.0

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/0b92afdf-51e0-4cf5-9f2b-997b9ff98b23

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Peter Thaleikis

Verified

No

WPVDB ID

321b470b-37b3-404a-ba6c-4238acd4ad5f

Timeline

Publicly Published

2025-06-25 (about 11 months ago)

Added

2025-06-25 (about 10 months ago)

Last Updated

2025-06-26 (about 10 months ago)

Other

Published

Title

Published

2025-04-04

Title

Course Booking System < 6.1.1 - Missing Authorization

Published

2025-01-09

Title

AI Scribe – SEO AI Writer, Content Generator, Humanizer, Blog Writer, SEO Optimizer, DALLE-3, AI WordPress Plugin ChatGPT (GPT-4o 128K) < 2.6 - Missing Authorization to Authenticated (Subscriber+) Settings Update

Published

2026-05-13

Title

GeoDirectory – WP Business Directory Plugin and Classified Listings Directory < 2.8.158 - Missing Authorization

Published

2025-03-31

Title

Swiss Toolkit For WP <= 1.4.3 - Missing Authorization

Published

2025-12-04

Title

Feedback Modal for Website <= 1.0.1 - Missing Authorization to Unauthenticated Arbitrary Feedback Data Exfiltration via 'export_data' Parameter