CVE-2025-10873
📋 TL;DR
The ElementInvader Addons for Elementor WordPress plugin before version 1.4.1 contains an authorization bypass vulnerability that allows unauthenticated attackers to send arbitrary emails to any email addresses. This affects all WordPress sites using vulnerable versions of this plugin. Attackers can abuse this to send spam, phishing emails, or conduct harassment campaigns.
💻 Affected Systems
- ElementInvader Addons for Elementor WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Mass spam/phishing campaigns launched from legitimate WordPress sites, damaging sender reputation and potentially enabling credential theft or malware distribution.
Likely Case
Spam email campaigns sent from compromised sites, potentially leading to blacklisting of the site's email server and reputation damage.
If Mitigated
Limited impact with proper email rate limiting and monitoring, though unauthorized email sending capability remains.
🎯 Exploit Status
WPScan provides technical details and the vulnerability is simple to exploit via crafted HTTP requests.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.4.1
Vendor Advisory: https://wpscan.com/vulnerability/2eb133db-e1c5-409e-94f8-b71edca5db16/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'ElementInvader Addons for Elementor'. 4. Click 'Update Now' if update available. 5. Alternatively, download version 1.4.1+ from WordPress repository and replace plugin files.
🔧 Temporary Workarounds
Disable vulnerable plugin
allTemporarily deactivate the ElementInvader Addons for Elementor plugin until patched.
wp plugin deactivate elementinvader-addons-for-elementor
Restrict access to wp-admin/admin-ajax.php
linuxImplement web application firewall rules to restrict unauthenticated access to the vulnerable endpoint.
# Example nginx location block:
location ~* /wp-admin/admin-ajax\.php$ {
allow 192.168.1.0/24;
deny all;
}
🧯 If You Can't Patch
- Deactivate the ElementInvader Addons for Elementor plugin immediately.
- Implement rate limiting on email sending functionality at the server level.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → ElementInvader Addons for Elementor → version number. If version < 1.4.1, vulnerable.Check Version:
wp plugin get elementinvader-addons-for-elementor --field=versionVerify Fix Applied:
Confirm plugin version is 1.4.1 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/admin-ajax.php with 'action=elementinvader_addons_for_elementor_forms_send_form' from unauthenticated IPs
- Spike in email sending from WordPress site without corresponding form submissions
Network Indicators:
- HTTP POST requests to admin-ajax.php with the vulnerable action parameter from external IPs without authentication cookies
SIEM Query:
source="web_server" AND uri="/wp-admin/admin-ajax.php" AND method="POST" AND params.action="elementinvader_addons_for_elementor_forms_send_form" AND NOT cookie CONTAINS "wordpress_logged_in"