CVE-2024-3927: CWE-424 Improper Protection of Alternate Path in bdthemes Element Pack – Widgets, Templates & Addons for Elementor
The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin for WordPress is vulnerable to Form Submission Admin Email Bypass in all versions up to, and including, 5.6.3. This is due to the plugin not properly checking for all variations of an administrators emails. This makes it possible for unauthenticated attackers to bypass the restriction using a +value when submitting the contact form.
AI Analysis
Technical Summary
The Element Pack Elementor Addons plugin for WordPress contains an improper protection of alternate path vulnerability (CWE-424) identified as CVE-2024-3927. The plugin fails to correctly check all variations of administrator email addresses, specifically allowing bypass via the use of a '+' character in the email local part during form submissions. This flaw permits unauthenticated attackers to circumvent restrictions intended to limit form submissions to administrators, potentially enabling unauthorized form submission actions. The vulnerability is present in all versions up to and including 5.6.3. The CVSS 3.1 base score is 5.3, reflecting a network attack vector with low complexity, no privileges required, no user interaction, and an impact limited to integrity.
Potential Impact
The vulnerability allows unauthenticated attackers to bypass administrator email restrictions on form submissions by exploiting improper validation of alternate email paths. This could lead to unauthorized form submissions that may affect the integrity of the form processing or workflow. There is no impact on confidentiality or availability according to the CVSS vector. No known exploits are reported in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider restricting form submission capabilities or implementing additional validation controls on email addresses to prevent bypass via '+' variations. Monitor official bdthemes communications for updates and apply patches promptly once available.
CVE-2024-3927: CWE-424 Improper Protection of Alternate Path in bdthemes Element Pack – Widgets, Templates & Addons for Elementor
Description
The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin for WordPress is vulnerable to Form Submission Admin Email Bypass in all versions up to, and including, 5.6.3. This is due to the plugin not properly checking for all variations of an administrators emails. This makes it possible for unauthenticated attackers to bypass the restriction using a +value when submitting the contact form.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Element Pack Elementor Addons plugin for WordPress contains an improper protection of alternate path vulnerability (CWE-424) identified as CVE-2024-3927. The plugin fails to correctly check all variations of administrator email addresses, specifically allowing bypass via the use of a '+' character in the email local part during form submissions. This flaw permits unauthenticated attackers to circumvent restrictions intended to limit form submissions to administrators, potentially enabling unauthorized form submission actions. The vulnerability is present in all versions up to and including 5.6.3. The CVSS 3.1 base score is 5.3, reflecting a network attack vector with low complexity, no privileges required, no user interaction, and an impact limited to integrity.
Potential Impact
The vulnerability allows unauthenticated attackers to bypass administrator email restrictions on form submissions by exploiting improper validation of alternate email paths. This could lead to unauthorized form submissions that may affect the integrity of the form processing or workflow. There is no impact on confidentiality or availability according to the CVSS vector. No known exploits are reported in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider restricting form submission capabilities or implementing additional validation controls on email addresses to prevent bypass via '+' variations. Monitor official bdthemes communications for updates and apply patches promptly once available.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2024-04-17T16:45:18.850Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6ca1b7ef31ef0b56700f
Added to database: 2/25/2026, 9:41:53 PM
Last enriched: 4/9/2026, 2:24:36 PM
Last updated: 4/12/2026, 9:25:17 AM
Views: 14
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.