
CVE-2025-10873: CWE-862 Missing Authorization in ElementInvader Addons for Elementor

Medium
Published: Wed Nov 05 2025 (11/05/2025, 06:00:06 UTC)
Source: CVE Database V5
Product: ElementInvader Addons for Elementor

Description

The ElementInvader Addons for Elementor WordPress plugin before 1.4.1 allows unauthenticated users to send arbitrary e-mails to arbitrary addresses due to missing authorization on the elementinvader_addons_for_elementor_forms_send_form action.

AI-Powered Analysis

Last updated: 11/12/2025, 08:02:26 UTC

Technical Analysis

CVE-2025-10873 is a vulnerability identified in the ElementInvader Addons for Elementor WordPress plugin, affecting all versions prior to 1.4.1. The root cause is a missing authorization check on the WordPress AJAX action 'elementinvader_addons_for_elementor_forms_send_form', which allows unauthenticated users to invoke this action and send arbitrary emails to arbitrary recipients. This vulnerability is categorized under CWE-862 (Missing Authorization), indicating that the plugin fails to verify whether the user has the necessary permissions before processing the email sending request. The vulnerability does not require any authentication or user interaction, making it remotely exploitable by anyone who can reach the affected WordPress site. The CVSS v3.1 base score is 5.3, with vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, limited confidentiality impact, and no impact on integrity or availability. The primary risk is that attackers can abuse the email sending functionality to send spam, phishing emails, or conduct social engineering attacks, potentially damaging the reputation of the affected organization and leading to blacklisting of their email domains. There are no known exploits in the wild at the time of publication, but the vulnerability is publicly disclosed and should be addressed promptly. No official patch links were provided, but upgrading to version 1.4.1 or later is recommended. The vulnerability affects WordPress sites using this plugin, which is an addon to the popular Elementor page builder plugin, widely used in Europe for website development.

Potential Impact

For European organizations, this vulnerability poses a moderate risk primarily to the confidentiality and reputation of their email communications. Attackers can exploit the missing authorization to send arbitrary emails from the affected WordPress site without authentication, potentially leading to spam campaigns, phishing attacks, or email spoofing that appear to originate from a trusted domain. This can result in reputational damage, loss of customer trust, and possible blacklisting of the organization's email servers by spam filters. While the vulnerability does not directly impact data integrity or availability, the indirect effects on business operations and customer relations can be significant. Organizations in sectors with high reliance on email communications, such as finance, e-commerce, and public services, may face increased risk. Additionally, regulatory compliance under GDPR may be impacted if the abuse leads to personal data exposure or phishing attacks targeting EU citizens. The lack of known exploits in the wild reduces immediate risk but does not eliminate the potential for future exploitation, especially as the vulnerability is publicly documented.

Mitigation Recommendations

European organizations should immediately verify if their WordPress sites use the ElementInvader Addons for Elementor plugin and identify the version in use. The primary mitigation is to upgrade the plugin to version 1.4.1 or later, where the authorization check has been implemented. If upgrading is not immediately possible, organizations should implement web application firewall (WAF) rules to block or restrict access to the AJAX action 'elementinvader_addons_for_elementor_forms_send_form' from unauthenticated users or untrusted IP addresses. Monitoring outgoing email traffic for unusual patterns or spikes can help detect abuse attempts early. Additionally, organizations should review their email sending policies and SPF, DKIM, and DMARC records to reduce the risk of email spoofing and improve email authentication. Regular security audits of WordPress plugins and strict access controls on administrative interfaces are recommended to prevent similar vulnerabilities. Finally, educating website administrators about the importance of timely plugin updates and monitoring security advisories is critical to maintaining a secure environment.
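To make the CWE-862 pattern behind this advisory concrete, the following is an added illustration written for this page, not the plugin's own code; the action and function names, the settings key and the nonce name are hypothetical. It shows a WordPress AJAX mail handler reachable through admin-ajax.php with no check at all, followed by a hardened version that binds the request to a nonce, fixes the recipient server-side instead of taking it from the request, sanitizes the remaining fields and rate-limits unauthenticated callers.

```php
<?php
// Added illustration, not the plugin's code. Hook, function and option
// names are hypothetical; only the WordPress API calls are real.

// --- Vulnerable pattern (CWE-862): the nopriv hook exposes the handler to
// anyone who can reach admin-ajax.php, and every mail field is caller-supplied.
add_action( 'wp_ajax_nopriv_example_send_form', 'example_send_form_vulnerable' );
add_action( 'wp_ajax_example_send_form',        'example_send_form_vulnerable' );
function example_send_form_vulnerable() {
    // Recipient, subject and body come straight from the request: the site
    // becomes an open mail relay for spam or phishing.
    wp_mail( $_POST['to'], $_POST['subject'], $_POST['message'] );
    wp_send_json_success();
}

// --- Hardened pattern for a public contact form ---
add_action( 'wp_ajax_nopriv_example_send_form_safe', 'example_send_form_safe' );
add_action( 'wp_ajax_example_send_form_safe',        'example_send_form_safe' );
function example_send_form_safe() {
    // 1. The request must carry the nonce issued with the rendered form
    //    (wp_create_nonce( 'example_send_form' )); dies with 403 otherwise.
    check_ajax_referer( 'example_send_form', 'nonce' );

    // 2. The recipient is fixed server-side from plugin settings (hypothetical
    //    option), never read from the request. This is the control that
    //    actually removes the "arbitrary addresses" problem.
    $to = sanitize_email( get_option( 'example_form_recipient', get_option( 'admin_email' ) ) );

    // 3. Sanitize the visitor-supplied fields and reject empty/invalid input.
    $subject = sanitize_text_field( wp_unslash( $_POST['subject'] ?? '' ) );
    $message = sanitize_textarea_field( wp_unslash( $_POST['message'] ?? '' ) );
    $reply   = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    if ( '' === $message || ! is_email( $to ) ) {
        wp_send_json_error( 'invalid input', 400 );
    }

    // 4. Per-IP rate limit for unauthenticated callers, stored in a transient,
    //    so a leaked nonce cannot be replayed in bulk.
    $key = 'example_form_rl_' . md5( $_SERVER['REMOTE_ADDR'] ?? '' );
    if ( get_transient( $key ) ) {
        wp_send_json_error( 'too many requests', 429 );
    }
    set_transient( $key, 1, MINUTE_IN_SECONDS );

    // Visitor address goes in Reply-To only; From stays the site's own sender.
    $headers = ( $reply && is_email( $reply ) ) ? array( 'Reply-To: ' . $reply ) : array();
    wp_mail( $to, $subject, $message, $headers );
    wp_send_json_success();
}
```

For a form that unauthenticated visitors are meant to use, a nonce alone is a weak gate because it is readable from the page; the recipient being fixed server-side and the rate limit are what keep the endpoint from being abused as a relay.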


Technical Details

Data Version: 5.2
Assigner Short Name: WPScan
Date Reserved: 2025-09-23T12:21:49.391Z
Cvss Version: null
State: PUBLISHED

Threat ID: 690aea9b063e7c5f0116da77

Added to database: 11/5/2025, 6:11:39 AM

Last enriched: 11/12/2025, 8:02:26 AM

Last updated: 12/20/2025, 3:56:07 PM

