Attack Vectors
CVE-2026-2385 is a Medium severity vulnerability (CVSS 5.3) affecting The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce plugin (the-plus-addons-for-elementor-page-builder) in versions up to and including 6.4.7.
Because the issue is reachable via an unauthenticated AJAX handler, an attacker does not need a WordPress account to attempt exploitation over the internet (CVSS vector: AV:N/AC:L/PR:N/UI:N). In practical terms, this can let outsiders manipulate how certain form-related email actions behave: potentially using your site as an email relay, and forcing attacker-controlled redirection values into the affected form workflow.
Security Weakness
The reported weakness is Insufficient Verification of Data Authenticity (CWE-345). According to the advisory, the plugin decrypts and then trusts attacker-controlled email_data in an unauthenticated endpoint without cryptographic authenticity guarantees. Encryption on its own only hides the contents of a blob; it does not let the server tell a blob it produced from one an attacker has modified or assembled. Without a message authentication code or an authenticated encryption mode whose tag is verified before the data is used, a blob that has been modified in transit (or supplied directly by an attacker) still decrypts to something the plugin treats as valid.
As a result, key values related to form email routing and redirection may be tampered with, enabling unauthorized email relay behavior and attacker-controlled redirection through the affected workflow.
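To make the weakness class concrete, the following is an added illustration written for this page; it is not the plugin's code, and the page does not describe the plugin's actual cipher or data layout. It uses a toy stream cipher built from HMAC-SHA256 as a stand-in for whatever encryption is in use, and the key, nonce, JSON layout and the field names to and redirect are constructed for the demo. It shows that an attacker who knows the plaintext layout can rewrite the recipient address inside the ciphertext without ever seeing the key, and that adding an encrypt-then-MAC tag that is verified before decryption rejects the same modification.

```python
"""Added example: why encrypt-without-authenticate data can be tampered with,
and how an encrypt-then-MAC check stops it. Toy cipher and constructed data;
this is not the plugin's code or format."""
import hashlib
import hmac
import json
import struct

# Constructed server-side secret; stands in for a key stored in wp-config.php.
KEY = b"server-side-secret-key-for-demo!"
NONCE_LEN = 16
TAG_LEN = 32


def _subkey(key: bytes, purpose: bytes) -> bytes:
    # Separate keys for encryption and MAC, derived from one master secret.
    return hmac.new(key, purpose, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # CTR-style keystream: HMAC-SHA256(key, nonce || counter) blocks, concatenated.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_only(key: bytes, plaintext: bytes, nonce: bytes) -> bytes:
    """Vulnerable pattern: confidentiality only, no integrity. Returns nonce || ciphertext."""
    return nonce + _xor(plaintext, _keystream(_subkey(key, b"enc"), nonce, len(plaintext)))


def decrypt_only(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return _xor(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct)))


def tamper(blob: bytes, offset: int, known: bytes, desired: bytes) -> bytes:
    """Attacker step, no key needed: flipping ciphertext bits flips the same
    plaintext bits under a stream cipher, so a known substring at a known
    offset can be swapped for any other substring of the same length."""
    if len(known) != len(desired):
        raise ValueError("replacement must keep the length")
    out = bytearray(blob)
    for i, (k, d) in enumerate(zip(known, desired)):
        out[NONCE_LEN + offset + i] ^= k ^ d
    return bytes(out)


def encrypt_authenticated(key: bytes, plaintext: bytes, nonce: bytes) -> bytes:
    """Hardened pattern: encrypt-then-MAC. Returns nonce || ciphertext || tag."""
    body = encrypt_only(key, plaintext, nonce)
    tag = hmac.new(_subkey(key, b"mac"), body, hashlib.sha256).digest()
    return body + tag


def decrypt_authenticated(key: bytes, blob: bytes):
    """Verify the tag in constant time BEFORE decrypting; return None on failure."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return decrypt_only(key, body)


def demo() -> dict:
    # Constructed form configuration the server encrypted and handed to the browser.
    original = {"to": "owner@example.com", "redirect": "/thanks"}
    plaintext = json.dumps(original, separators=(",", ":")).encode()
    # Fixed nonce so the demo is deterministic; use os.urandom(NONCE_LEN) per message in practice.
    nonce = b"\x00" * NONCE_LEN

    # The attacker knows the layout (public form template) but not KEY.
    known, desired = b"owner@example.com", b"evil@attacker.xyz"
    offset = plaintext.index(known)

    weak_blob = encrypt_only(KEY, plaintext, nonce)
    weak_result = json.loads(decrypt_only(KEY, tamper(weak_blob, offset, known, desired)))

    strong_blob = encrypt_authenticated(KEY, plaintext, nonce)
    tampered = decrypt_authenticated(KEY, tamper(strong_blob, offset, known, desired))
    roundtrip = json.loads(decrypt_authenticated(KEY, strong_blob))

    return {
        "weak_to": weak_result["to"],              # attacker-chosen recipient accepted
        "weak_redirect": weak_result["redirect"],  # rest of the record untouched
        "hardened_tampered": tampered,             # None: rejected before decryption
        "hardened_roundtrip": roundtrip,           # genuine blob still decrypts
    }


if __name__ == "__main__":
    print(demo())
```

The general lesson carries over regardless of cipher: any scheme that decrypts client-supplied data and acts on it needs an authenticity check (an HMAC over the ciphertext, or an AEAD mode such as AES-GCM) performed before the plaintext is used, with separate keys for encryption and authentication. The stronger design, where possible, is not to accept routing values from the browser at all, and instead to look up recipient and redirect settings server-side from a form identifier. The page does not say which of these the 6.4.8 fix adopted.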
Remediation: Update The Plus Addons for Elementor to version 6.4.8 or newer (patched). Confirm the installed version from the WordPress Plugins screen or with WP-CLI (wp plugin get the-plus-addons-for-elementor-page-builder --field=version), and re-check after updating, since sites with automatic plugin updates disabled will otherwise remain on 6.4.7 or earlier. Reference: CVE-2026-2385 and the vendor/community write-up at Wordfence Threat Intel.
Technical or Business Impacts
Email deliverability and brand risk: Unauthorized email relay can lead to outbound spam-like traffic from your domain or infrastructure, increasing the likelihood of mail provider blocks, domain reputation damage, and marketing email deliverability problems. This can directly impact campaign performance and revenue.
Customer trust and conversion risk: If attacker-controlled redirection is possible in your forms, visitors could be sent to unexpected destinations after submitting information. Even if no data is stolen, this can undermine trust, harm conversion rates, and create reputational fallout if customers report being redirected to suspicious pages.
Operational and compliance impact: Incident response effort (investigation, cleanup, communications) can disrupt marketing and sales operations. Compliance teams may also need to assess whether any user journeys, consent flows, or user communications were impacted by misdirected form handling.
Similar attacks (real examples): Unauthenticated abuse of WordPress sites and tampering with how they route mail or redirect visitors are recurring patterns in the WordPress ecosystem and beyond, including (1) a widely exploited WordPress supply-chain compromise used to deliver malware via plugin updates (BleepingComputer coverage); and (2) a large-scale SEO spam and redirect campaign that abused WordPress sites to send visitors to attacker-controlled destinations (Sucuri analysis).