The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce < 6.4.8 – Unauthenticated Email Relay | CVE 2026-2385 | Plugin Vulnerabilities

Description

The The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 6.4.7. This is due to the plugin decrypting and trusting attacker-controlled email_data in an unauthenticated AJAX handler without cryptographic authenticity guarantees. This makes it possible for unauthenticated attackers to tamper with form email routing and redirection values to trigger unauthorized email relay and attacker-controlled redirection via the 'email_data' parameter.

Affects Plugins

the-plus-addons-for-elementor-page-builder

Fixed in 6.4.8

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/9176535c-8e37-4a18-b458-a71c4a84daa4

Classification

Type

CONTENT INJECTION

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Quốc Huy (jtwings)

Verified

No

WPVDB ID

f7661dc4-c03f-4fbd-882e-86d5d4a39583

Timeline

Publicly Published

2026-02-21 (about 2 months ago)

Added

2026-02-21 (about 2 months ago)

Last Updated

2026-02-22 (about 2 months ago)

Other

Published

Title

Published

2021-07-12

Title

Frontend File Manager < 18.3 - Unauthenticated HTML Injection

Published

2026-04-29

Title

Five Star Restaurant Reservations < 2.7.17 - Unauthenticated Payment Bypass via PHP Type Juggling in 'payment_id' Parameter

Published

2022-11-29

Title

Quiz and Survey Master < 8.0.5 - Improper Input Validation

Published

2025-01-03

Title

Poll Maker < 5.5.5 - Unauthenticated HTML Injection

Published

2026-04-06

Title

Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More < 1.8.10 - Insufficient Verification of Data Authenticity to Unauthenticated Donation Status Forgery via Stripe Webhook