CVE-2025-3863

Name of the Vulnerable Software and Affected Versions: The Post Carousel Slider for Elementor plugin for WordPress versions prior to 1.6.1

Description: The issue is related to improper authorization due to a missing capability check on the process wbelps promo form() function. This allows authenticated attackers with Subscriber-level access and above to trigger the plugin’s support-form handler, enabling them to send arbitrary emails to the site’s support address.

Recommendations: For versions up to and including 1.6.0, update to version 1.6.1 or later to resolve the issue. As a temporary workaround, consider disabling the process wbelps promo form() function until a patch is available.