CVE-2025-3863
📋 TL;DR
This vulnerability allows authenticated WordPress users with Subscriber-level access or higher to abuse the Post Carousel Slider for Elementor plugin's support form handler to send arbitrary emails to the site's support address. The issue stems from a missing capability check in the process_wbelps_promo_form() function. All WordPress sites using vulnerable versions of this plugin are affected.
💻 Affected Systems
- Post Carousel Slider for Elementor WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could spam the support email address, potentially causing denial-of-service through email flooding, or use the form to send phishing emails that appear to originate from the legitimate site support system.
Likely Case
Low-privileged users could send unwanted emails to the site administrator, causing minor disruption and potentially exposing support email addresses to spam.
If Mitigated
With proper email rate limiting and spam filtering, impact would be limited to occasional unwanted emails that can be filtered out.
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple. The vulnerability is publicly disclosed with technical details available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 1.6.0
Vendor Advisory: https://wordpress.org/plugins/post-carousel-slider-for-elementor/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Post Carousel Slider for Elementor'.
4. Click 'Update Now' if available, or manually update to the latest version.
5. Verify the plugin version is greater than 1.6.0.
🔧 Temporary Workarounds
Disable plugin temporarily
Deactivate the vulnerable plugin until the patched version is available
wp plugin deactivate post-carousel-slider-for-elementor
Restrict user registration
Temporarily disable new user registration to limit the pool of potential attackers
wp option update users_can_register 0
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block requests to the vulnerable endpoint
- Monitor email logs for unusual support form submissions and implement rate limiting
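The root cause described in the TL;DR is an AJAX handler that trusts any logged-in user, and the mitigation above asks for rate limiting. The block below is an added illustration, not the plugin's own code, of how a WordPress AJAX support-form handler is hardened against both: it registers only the authenticated hook, verifies a nonce, requires a capability, and throttles per user. The hook and function names (`wbelps_demo_support_form`, `wbelps_demo_process_support_form`) and the field names are hypothetical.

```php
<?php
// Added example of a hardened WordPress AJAX handler (hypothetical names, not the plugin's code).
// Only the authenticated hook is registered; omitting wp_ajax_nopriv_* keeps anonymous callers out.
add_action( 'wp_ajax_wbelps_demo_support_form', 'wbelps_demo_process_support_form' );

function wbelps_demo_process_support_form() {
    // 1. CSRF protection: the request must carry a nonce issued to this user for this action.
    check_ajax_referer( 'wbelps_demo_support_form', 'nonce' );

    // 2. Capability check: the control CVE-2025-3863 lacks. Subscriber-level users fail here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Per-user throttle: at most 5 submissions per hour, counted in a transient
    //    (best-effort, not atomic; enough to blunt email flooding from one account).
    $user_id = get_current_user_id();
    $key     = 'wbelps_demo_rate_' . $user_id;
    $count   = (int) get_transient( $key );
    if ( $count >= 5 ) {
        wp_send_json_error( array( 'message' => 'Too many submissions, try again later.' ), 429 );
    }
    set_transient( $key, $count + 1, HOUR_IN_SECONDS );

    // 4. Validate and sanitise input before it reaches wp_mail().
    $subject = sanitize_text_field( wp_unslash( $_POST['subject'] ?? '' ) );
    $body    = sanitize_textarea_field( wp_unslash( $_POST['message'] ?? '' ) );
    if ( '' === $subject || '' === $body ) {
        wp_send_json_error( array( 'message' => 'Subject and message are required.' ), 400 );
    }

    // 5. Fixed recipient and a server-controlled From header: no user-supplied addresses,
    //    so the form cannot be turned into a relay for mail that impersonates the site.
    $to      = get_option( 'admin_email' );
    $headers = array( 'From: ' . get_bloginfo( 'name' ) . ' <' . $to . '>' );
    $sent    = wp_mail( $to, '[Support] ' . $subject, $body, $headers );

    if ( ! $sent ) {
        wp_send_json_error( array( 'message' => 'Mail could not be sent.' ), 500 );
    }
    wp_send_json_success( array( 'message' => 'Support request sent.' ) );
}
```

The front-end form must send the matching nonce (from `wp_create_nonce( 'wbelps_demo_support_form' )`) in the `nonce` field, or step 1 rejects the request.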
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins. If 'Post Carousel Slider for Elementor' version is 1.6.0 or lower, the site is vulnerable.
Check Version:
wp plugin get post-carousel-slider-for-elementor --field=version
Verify Fix Applied:
After updating, verify plugin version is greater than 1.6.0 in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual volume of POST requests to /wp-admin/admin-ajax.php with action=wbelps_promo_form
- Multiple support form submissions from single user accounts
Network Indicators:
- HTTP POST requests containing 'action=wbelps_promo_form' parameter
SIEM Query:
source="wordpress.log" AND "action=wbelps_promo_form" | stats count by src_ip, user
🔗 References
- https://plugins.trac.wordpress.org/browser/post-carousel-slider-for-elementor/tags/1.5.0/support-page/class-support-page.php#L28
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3316424%40post-carousel-slider-for-elementor&new=3316424%40post-carousel-slider-for-elementor&sfp_email=&sfph_mail=
- https://wordpress.org/plugins/post-carousel-slider-for-elementor/#developers
- https://www.wordfence.com/threat-intel/vulnerabilities/id/0b92afdf-51e0-4cf5-9f2b-997b9ff98b23?source=cve