CVE-2026-2385 is a vulnerability identified in The Plus Addons for Elementor plugin, which provides additional widgets, page templates, mega menus, and WooCommerce integration for WordPress sites. The vulnerability stems from insufficient verification of data authenticity (CWE-345) in an unauthenticated AJAX handler that processes the 'email_data' parameter. This parameter is decrypted and trusted without cryptographic authenticity guarantees, allowing attackers to tamper with email routing and redirection values. Because the AJAX handler is unauthenticated and accessible over the network, attackers can exploit this flaw to trigger unauthorized email relay, potentially using the vulnerable site as a spam relay, and to perform attacker-controlled redirections, which could facilitate phishing or redirect users to malicious sites. The vulnerability affects all versions up to and including 6.4.7 of the plugin. The CVSS v3.1 base score is 5.3 (medium severity), reflecting the lack of confidentiality or availability impact but acknowledging the integrity impact and ease of exploitation. No patches or known exploits are currently reported, but the risk remains significant due to the plugin's popularity and the unauthenticated nature of the flaw.

The primary impact of CVE-2026-2385 is on the integrity of email routing and redirection mechanisms within WordPress sites using The Plus Addons for Elementor plugin. Attackers can manipulate email parameters to relay unauthorized emails, potentially leading to the site being used for spam campaigns or phishing attacks, which can damage the site's reputation and lead to blacklisting by email providers. Additionally, attacker-controlled redirection can facilitate phishing or malware distribution by redirecting legitimate users to malicious sites. While confidentiality and availability are not directly affected, the integrity compromise can have downstream effects on user trust and organizational reputation. Organizations relying on this plugin for e-commerce or customer communications may face increased risk of fraud, customer data exposure through phishing, and operational disruptions due to blacklisting or loss of customer confidence.

Organizations should immediately update The Plus Addons for Elementor plugin to a patched version once available. In the absence of an official patch, administrators should disable or restrict access to the vulnerable AJAX handler to prevent unauthenticated requests. Implementing web application firewall (WAF) rules to detect and block suspicious 'email_data' parameter manipulations can reduce exploitation risk. Monitoring outgoing email traffic for unusual patterns or volumes can help detect unauthorized email relay attempts. Site owners should also audit redirection logic and implement strict validation and allowlisting of redirection URLs. Employing cryptographic verification methods such as HMAC or digital signatures for sensitive AJAX parameters can prevent tampering. Regular security assessments and plugin updates are critical to maintaining a secure WordPress environment.