CVE-2025-10873: CWE-862 Missing Authorization in ElementInvader Addons for Elementor
The ElementInvader Addons for Elementor WordPress plugin before 1.4.1 allows an unauthenticated user to send arbitrary e-mails to arbitrary addresses due to missing authorization on the elementinvader_addons_for_elementor_forms_send_form action.
AI Analysis
Technical Summary
CVE-2025-10873 is a missing authorization vulnerability (CWE-862) in the ElementInvader Addons for Elementor WordPress plugin in versions before 1.4.1. The plugin's 'elementinvader_addons_for_elementor_forms_send_form' action, which processes form submissions and sends the resulting e-mail, performs no check on who is calling it or on what they are allowed to send. Because the caller also controls the recipient address, an unauthenticated attacker can use the site as a mail relay: arbitrary messages to arbitrary addresses, delivered through the site's own mail path and therefore typically carrying the site's own From address. That makes the flaw useful for spam and phishing campaigns that appear to come from a trusted domain, and for burning the site's mail reputation. In WordPress, plugin actions of this kind are typically reached through admin-ajax.php, and a handler registered for anonymous callers (the wp_ajax_nopriv_ hook family) must enforce its own nonce and authorization checks; whether this plugin registers the action that way is not stated in the record. Exploitation requires no authentication and no user interaction and is straightforward to perform remotely. No public exploit had been reported at the time of this entry, but the flaw is simple enough that one could be produced quickly. Elementor is a widely used page builder, which enlarges the population of sites that may carry this addon. The CVE was reserved on 2025-09-23 and published in November 2025. The record carries no patch links, but the advisory text itself names 1.4.1 as the first fixed version, so the missing links are a gap in the record rather than evidence that remediation is still pending.
Potential Impact
For European organizations, the practical risk is that an attacker can turn a public website into a mail relay for phishing, spam and social-engineering campaigns aimed at employees, customers or partners. Messages sent this way are genuine mail from the organisation's own server, so they will generally pass SPF and DKIM checks at the recipient and are harder to distinguish from legitimate traffic than ordinary spoofed mail. The consequences are loss of customer trust, brand damage and, where the messages are used to harvest personal data, possible GDPR exposure. Abuse undermines the integrity and authenticity of communications from the affected site; it does not by itself disclose data held on the site. A spam burst can also land the sending domain or IP address on blocklists, degrading delivery of legitimate mail. Because exploitation is easy and needs no user interaction, widespread automated abuse is likely once an exploit circulates. Organizations in sectors such as e-commerce, finance and public services, whose recipients are accustomed to trusting mail from the site's domain, are at heightened risk.
Mitigation Recommendations
The advisory names 1.4.1 as the first fixed version, so the immediate fix is to update the plugin to 1.4.1 or later and confirm the installed version afterwards (for example with 'wp plugin list', or by reading the Version line in the header of the plugin's main file). Where the update cannot be applied at once, restrict the action: a WAF or web-server rule can block requests carrying the 'elementinvader_addons_for_elementor_forms_send_form' action (in WordPress such actions are normally invoked through admin-ajax.php with an 'action' parameter, usually in the POST body). Note the trade-off: if the site serves this form to anonymous visitors, blocking all unauthenticated calls also disables the legitimate form, and in that case disabling the plugin until it is patched is the cleaner option. Monitor outbound mail from the web-server user for bursts to many distinct recipients, which is what abuse of this flaw looks like at the MTA; web access logs alone are a weak signal because the action name travels in the POST body, which is not logged by default. Rate-limiting outbound mail at the MTA, or in WordPress through the wp_mail filter, bounds the damage an attacker can do before the patch lands. Audit WordPress installations to find the plugin and remove it where it is not needed. SPF, DKIM and DMARC do not mitigate this flaw: mail sent through it originates from the legitimate server and will normally pass those checks, so they should not be counted on here, although they remain necessary against ordinary spoofing of the domain. Regular plugin inventory and patch management reduce exposure to the next issue of this kind.
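As an added example (not the plugin's or the advisory's own code), the following Python script implements two of the checks above: a version audit of the plugin's main-file header against the 1.4.1 fix threshold, and a burst detector over Postfix log lines that flags mail from the web-server user to many distinct recipients in a short window. The Postfix line format, the envelope sender www-data@web1.example.com, the five-minute/ten-recipient threshold and every log and header line below are assumptions or constructed samples, not observations from a real site.

```python
"""Exposure check and abuse detection for CVE-2025-10873 (added example; not the plugin's code).

audit_plugin_header()  reads the WordPress plugin header of the plugin's main file and
                        flags versions below 1.4.1, the first fixed release per the advisory.
find_mail_bursts()      scans Postfix log lines for bursts of mail from the web-server user
                        to many distinct recipients, which is what abuse of the unauthenticated
                        send_form action looks like at the MTA.
Assumptions: Postfix syslog format, envelope sender www-data@web1.example.com for PHP mail,
and a 5-minute / 10-recipient burst threshold; all sample data below is constructed.
"""
import re
from datetime import datetime, timedelta

FIXED_VERSION = (1, 4, 1)
WEB_SENDER = "www-data@web1.example.com"  # assumed envelope sender used by the web server

# Standard WordPress plugin header format; the Version line is what an inventory needs.
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.M)

# Postfix syslog lines: "<ts> <host> postfix/<daemon>[<pid>]: <queue-id>: <details>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/\w+\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): (?P<rest>.*)$")
FROM_RE = re.compile(r"from=<(?P<addr>[^>]*)>")
TO_RE = re.compile(r"to=<(?P<addr>[^>]*)>.*status=sent")


def parse_version(text):
    """'1.4.0' -> (1, 4, 0); tuple comparison orders dotted versions correctly."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def audit_plugin_header(header_text):
    """Return {'version', 'vulnerable'} from a plugin main-file header, or None if absent."""
    m = VERSION_RE.search(header_text)
    if not m:
        return None
    version = m.group(1)
    return {"version": version, "vulnerable": parse_version(version) < FIXED_VERSION}


def find_mail_bursts(lines, year=2025, window=timedelta(minutes=5), threshold=10):
    """Return bursts of >= threshold distinct recipients within `window`, from WEB_SENDER only.

    Postfix logs the envelope sender on the qmgr 'from=' line and each delivery on a
    'to=' line; both carry the queue ID, which is used here to join them.
    """
    sender_of, deliveries = {}, []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        f = FROM_RE.search(m["rest"])
        if f:
            sender_of[m["qid"]] = f["addr"]
            continue
        t = TO_RE.search(m["rest"])
        if t:
            deliveries.append((ts, m["qid"], t["addr"]))

    web_mail = [(ts, rcpt) for ts, qid, rcpt in sorted(deliveries)
                if sender_of.get(qid) == WEB_SENDER]
    bursts, i = [], 0
    while i < len(web_mail):
        start, recipients, j = web_mail[i][0], set(), i
        while j < len(web_mail) and web_mail[j][0] - start <= window:
            recipients.add(web_mail[j][1])
            j += 1
        if len(recipients) >= threshold:
            bursts.append({"start": start, "end": web_mail[j - 1][0],
                           "distinct_recipients": len(recipients)})
            i = j  # skip past the burst so it is reported once
        else:
            i += 1
    return bursts


# ---- constructed sample data (not a real plugin file or real logs) ----
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: ElementInvader Addons for Elementor
 * Version: 1.4.0
 */
"""


def constructed_sample_log():
    """Two ordinary contact-form mails, one unrelated message, then a 12-recipient burst."""
    lines = []

    def entry(ts, qid, sender, rcpt):
        lines.append(f"{ts} web1 postfix/qmgr[812]: {qid}: from=<{sender}>, size=1532, nrcpt=1 (queue active)")
        lines.append(f"{ts} web1 postfix/smtp[901]: {qid}: to=<{rcpt}>, relay=mx.example.org[203.0.113.5]:25, "
                     "delay=0.8, delays=0.1/0/0.3/0.4, dsn=2.0.0, status=sent (250 OK)")

    entry("Nov  5 06:11:39", "4F2A10", WEB_SENDER, "sales@example.com")
    entry("Nov  5 07:02:05", "4F2A11", WEB_SENDER, "sales@example.com")
    entry("Nov  5 07:30:00", "4F2A12", "alice@example.com", "bob@example.org")
    for n in range(12):  # one abusive request every five seconds, each to a new address
        entry(f"Nov  5 13:40:{5 * n:02d}", f"4F2B{n:02X}", WEB_SENDER, f"target{n}@example.net")
    return lines


if __name__ == "__main__":
    print(audit_plugin_header(SAMPLE_PLUGIN_HEADER))
    for b in find_mail_bursts(constructed_sample_log()):
        print(f"burst {b['start']:%H:%M:%S}-{b['end']:%H:%M:%S}: "
              f"{b['distinct_recipients']} distinct recipients from {WEB_SENDER}")
```

Run it as a script to see the sample output; on a real host, feed find_mail_bursts the lines of /var/log/mail.log and set WEB_SENDER to the envelope address your PHP mail path actually uses (check a known-good contact-form delivery in the log first). Matching the action name in web access logs was deliberately left out: WordPress AJAX calls carry the action in the POST body, which the web server does not log by default, so the MTA is the more reliable place to see this abuse.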
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: WPScan
- Date Reserved: 2025-09-23T12:21:49.391Z
- CVSS Version: null (no score recorded)
- State: PUBLISHED
Threat ID: 690aea9b063e7c5f0116da77
Added to database: 11/5/2025, 6:11:39 AM
Last enriched: 11/5/2025, 6:12:26 AM
Last updated: 11/5/2025, 1:56:20 PM
Related Threats
- CVE-2025-12497: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in averta Premium Portfolio Features for Phlox theme (High)
- CVE-2025-11745: CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in spacetime Ad Inserter – Ad Manager & AdSense Ads (Medium)
- CVE-2025-58337: CWE-284 Improper Access Control in Apache Software Foundation Apache Doris-MCP-Server (Unknown)
- CVE-2025-12469: CWE-862 Missing Authorization in amans2k FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce (Medium)
- CVE-2025-12468: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in amans2k FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce (Medium)