CVE-2026-2385 is a vulnerability classified under CWE-345 (Insufficient Verification of Data Authenticity) found in The Plus Addons for Elementor plugin, which provides additional widgets, page templates, mega menus, and WooCommerce integration for WordPress. The vulnerability exists because the plugin processes an 'email_data' parameter received via an unauthenticated AJAX handler by decrypting it without verifying its cryptographic authenticity. This lack of verification allows an attacker to craft malicious 'email_data' payloads that manipulate email routing and redirection values. Consequently, attackers can trigger unauthorized email relay, potentially sending emails through the victim's server, and cause redirection to attacker-controlled URLs. The vulnerability affects all versions up to and including 6.4.7. The CVSS v3.1 base score is 5.3 (medium), reflecting that the attack vector is network-based, requires no privileges or user interaction, and impacts integrity but not confidentiality or availability. No patches or known exploits are currently reported, but the risk lies in the potential misuse for spam, phishing, or redirecting users to malicious sites. The plugin’s wide usage in WordPress sites, especially those with WooCommerce, increases the attack surface. The root cause is the absence of cryptographic authenticity checks on decrypted data, violating secure coding practices for handling sensitive parameters in web applications.

The vulnerability enables attackers to manipulate email routing and redirection mechanisms without authentication, which can lead to unauthorized email relay. This can be exploited to send spam or phishing emails appearing to originate from legitimate sites, damaging organizational reputation and potentially leading to blacklisting of mail servers. Additionally, attacker-controlled redirection can facilitate drive-by downloads, credential theft, or malware distribution by redirecting users to malicious websites. While availability is not impacted, the integrity of email communications and user trust is compromised. Organizations relying on The Plus Addons for Elementor, especially e-commerce sites using WooCommerce, face increased risk of targeted phishing campaigns and brand abuse. The vulnerability’s exploitation could also aid in broader social engineering attacks. Given the plugin’s popularity in WordPress ecosystems, the scope of affected systems is significant, particularly for publicly accessible websites. The lack of authentication and user interaction requirements lowers the barrier for exploitation, increasing the likelihood of attacks if unpatched.

1. Immediately update The Plus Addons for Elementor plugin to a patched version once available from the vendor. 2. Until a patch is released, disable or restrict access to the AJAX handlers processing 'email_data' parameters, either by disabling affected plugin features or implementing web application firewall (WAF) rules to block suspicious requests. 3. Implement strict input validation and cryptographic verification on any decrypted data to ensure authenticity before processing. 4. Monitor outgoing email traffic for unusual patterns indicative of unauthorized relay. 5. Employ email authentication standards such as SPF, DKIM, and DMARC to reduce the impact of spoofed emails. 6. Educate users and administrators about phishing risks linked to this vulnerability. 7. Review and harden WordPress site security configurations, including limiting plugin permissions and isolating critical functionalities. 8. Conduct regular security audits and vulnerability scans focusing on WordPress plugins. 9. Consider deploying Content Security Policy (CSP) headers to mitigate the impact of malicious redirections. 10. Maintain backups and incident response plans to quickly address any exploitation attempts.