SecuriTricks - CVE-2026-2385

Description

The The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 6.4.7. This is due to the plugin decrypting and trusting attacker-controlled email_data in an unauthenticated AJAX handler without cryptographic authenticity guarantees. This makes it possible for unauthenticated attackers to tamper with form email routing and redirection values to trigger unauthorized email relay and attacker-controlled redirection via the 'email_data' parameter.

Product(s) Impacted

Vendor	Product	Versions
Plus Addons	Plus Addons For Elementor	<6.4.7

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-345

Insufficient Verification of Data Authenticity

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	plus_addons	plus_addons_for_elementor	<6.4.7	/	/	/	/	wordpress	/	/

References

https://plugins.trac.wordpress.org/changeset/3463156/the-plus-addons-for-elementor-page-builder

https://www.wordfence.com/threat-intel/vulnerabilities/id/9176535c-8e37-4a18-b458-a71c4a84daa4?source=cve

CVSS Score

5.3 / 10

CVSS Data - 3.1

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

View Vector String

Timeline

Published: Feb. 22, 2026, 9:16 a.m.
Last Modified: Feb. 23, 2026, 6:13 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

CVE-2026-2385