CVE-2025-10873
Description
The ElementInvader Addons for Elementor WordPress plugin before 1.4.1 allows unauthenticated users to send arbitrary e-mails to arbitrary addresses due to missing authorization on the elementinvader_addons_for_elementor_forms_send_form action.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The ElementInvader Addons for Elementor plugin before 1.4.1 allows unauthenticated arbitrary email sending due to missing authorization on a form action.
Vulnerability Overview
The ElementInvader Addons for Elementor WordPress plugin, versions prior to 1.4.1, contains a missing authorization vulnerability in the elementinvader_addons_for_elementor_forms_send_form action. This flaw allows unauthenticated users to trigger the sending of arbitrary emails to arbitrary addresses, as the action does not verify user permissions or nonces [1].
Exploitation Details
An attacker can exploit this vulnerability without any authentication by crafting a request to the vulnerable action endpoint. No special privileges or prior access are required, making the attack surface broad and easily accessible over the network. The lack of authorization checks means any visitor to a site running the vulnerable plugin can abuse the email sending functionality [1].
Impact
Successful exploitation enables an attacker to send emails from the affected WordPress site to any recipient. This can be used for phishing campaigns, spam distribution, or to exhaust server resources, potentially damaging the site's reputation and leading to blacklisting. The CVSS v3 score of 5.3 (Medium) reflects the moderate severity due to the lack of authentication requirements and the potential for abuse [1].
Mitigation
The vulnerability is fixed in version 1.4.1 of the plugin. Users are strongly advised to update to this version or later to prevent exploitation. No workarounds are mentioned in the advisory, so updating is the only recommended mitigation [1].
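One way to check an install against the fixed version named above, as an added example rather than code from the advisory or the plugin: it reads the plugin's `Version:` header and compares it to 1.4.1. The directory slug `elementinvader-addons-for-elementor` is an assumption; adjust it to match the install.

```python
import re
from pathlib import Path

FIXED = (1, 4, 1)  # first fixed release, per the advisory
# Assumption: the plugin's directory name under wp-content/plugins.
PLUGIN_SLUG = "elementinvader-addons-for-elementor"
HEADER_VERSION = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.I | re.M)


def parse_version(text):
    """Turn '1.4' or '1.4.0-beta2' into a 3-tuple of ints; None if unparsable."""
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))


def installed_version(plugin_dir):
    """Read the 'Version:' header from the main plugin file in the plugin root."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        # WordPress only looks at the first 8 KB of a file for plugin headers.
        head = php.read_text(encoding="utf-8", errors="replace")[:8192]
        if "Plugin Name:" in head:
            m = HEADER_VERSION.search(head)
            return m.group(1) if m else None
    return None


def audit(wp_root):
    """Return (status, raw_version) for one WordPress install."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / PLUGIN_SLUG
    if not plugin_dir.is_dir():
        return ("not-installed", None)
    raw = installed_version(plugin_dir)
    parsed = parse_version(raw) if raw else None
    if parsed is None:
        return ("unknown", raw)  # no usable header: review by hand
    return ("vulnerable" if parsed < FIXED else "fixed", raw)


if __name__ == "__main__":
    import sys
    for root in sys.argv[1:]:  # one or more WordPress document roots
        print(root, *audit(root))
```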
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <1.4.1
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.