CVE-2026-2385
📋 TL;DR
This vulnerability allows unauthenticated attackers to manipulate email routing and redirection in The Plus Addons for Elementor WordPress plugin. Attackers can trigger unauthorized email relay and redirect users to malicious sites. All WordPress sites running a vulnerable version of the plugin are affected.
💻 Affected Systems
- The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could redirect all form submissions to malicious sites, intercept sensitive user data, and use the site for phishing campaigns or malware distribution.
Likely Case
Attackers will manipulate form submissions to redirect users to phishing pages or spam sites, potentially compromising user credentials and site reputation.
If Mitigated
With proper web application firewalls and monitoring, attacks would be detected and blocked before causing significant damage.
🎯 Exploit Status
The vulnerability lies in an AJAX handler that is reachable without authentication, so exploitation requires no account on the site.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.4.8 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3463156/the-plus-addons-for-elementor-page-builder
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Go to Plugins → Installed Plugins
3. Find 'The Plus Addons for Elementor'
4. Click 'Update Now' if available
5. If no update is offered, download version 6.4.8 or later from WordPress.org and update manually
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
Block access to the vulnerable AJAX handler via web application firewall or .htaccess rules
# Add to .htaccess in the WordPress document root (mod_rewrite must be enabled):
RewriteEngine On
RewriteCond %{QUERY_STRING} email_data [NC]
RewriteRule ^wp-admin/admin-ajax\.php$ - [F,L]
# Note: mod_rewrite only sees the query string; an email_data parameter sent in a POST body is not matched by this rule and needs a WAF that inspects request bodies.
🧯 If You Can't Patch
- Disable The Plus Addons for Elementor plugin immediately
- Implement strict WAF rules to block AJAX requests that carry an 'email_data' parameter
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → The Plus Addons for Elementor → Version number
Check Version (with WP-CLI; the plugin slug is the directory name shown in the vendor advisory URL):
wp plugin list --name=the-plus-addons-for-elementor-page-builder --field=version
Verify Fix Applied:
Verify plugin version is 6.4.8 or higher in WordPress admin panel
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/admin-ajax.php with email_data parameter
- Multiple redirects from form submissions to external domains
Network Indicators:
- Outbound connections to unexpected domains after form submissions
- Spike in email traffic from WordPress site
SIEM Query:
source="wordpress.log" AND uri="/wp-admin/admin-ajax.php" AND params.email_data EXISTS
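Added example (not from this advisory or the plugin vendor) that applies the log indicators above to Apache combined-format access-log lines: it flags admin-ajax.php requests whose query string carries email_data and counts per-IP POST bursts against that endpoint. It assumes the parameter appears in the logged request line; a parameter sent only in a POST body is absent from a standard access log and needs request-body logging, such as a WAF audit log. The sample lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Apache combined format: ip ident user [time] "METHOD target proto" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
AJAX_PATH = "/wp-admin/admin-ajax.php"
SUSPECT_PARAM = "email_data"   # parameter named in the advisory's log indicators

# Constructed sample lines, not real traffic; the action values are placeholders.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2026:12:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=example&email_data=1 HTTP/1.1" 200 12 "-" "curl/8.0"',
    '198.51.100.7 - - [10/Mar/2026:12:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 40 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2026:12:00:03 +0000] "POST /wp-admin/admin-ajax.php?email_data=2 HTTP/1.1" 200 12 "-" "curl/8.0"',
    '203.0.113.5 - - [10/Mar/2026:12:00:04 +0000] "POST /wp-admin/admin-ajax.php?email_data=3 HTTP/1.1" 200 12 "-" "curl/8.0"',
    '192.0.2.9 - - [10/Mar/2026:12:00:05 +0000] "GET /contact/ HTTP/1.1" 200 8000 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)       # only the query string is in the log
    rec["minute"] = rec["time"][:17]            # "10/Mar/2026:12:00" bucket for rate counting
    return rec

def find_indicators(lines, burst_threshold=3):
    """Return (hits, bursts).
    hits:   (ip, time, values) for admin-ajax.php requests carrying email_data
    bursts: ip -> highest one-minute count of POSTs to admin-ajax.php, when it
            reached burst_threshold (a cheap proxy for the 'spike' indicator)"""
    hits, per_ip_minute = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != AJAX_PATH:
            continue
        if SUSPECT_PARAM in rec["query"]:
            hits.append((rec["ip"], rec["time"], rec["query"][SUSPECT_PARAM]))
        if rec["method"] == "POST":
            per_ip_minute[(rec["ip"], rec["minute"])] += 1
    bursts = {}
    for (ip, _minute), n in per_ip_minute.items():
        if n >= burst_threshold:
            bursts[ip] = max(bursts.get(ip, 0), n)
    return hits, bursts
```

Run `find_indicators(SAMPLE_LOG)` to see the three email_data hits and the burst from 203.0.113.5; feed real lines with `find_indicators(open("access.log"))` and tune `burst_threshold` to the site's normal admin-ajax.php traffic.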