PT-2026-21424 · WordPress+1 · The Plus Addons For Elementor+1

Quốc Huy · Published 2026-02-22 · Updated 2026-02-22 · CVE-2026-2385

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions
The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress versions through 6.4.7

Description
The software contains a flaw due to insufficient verification of data authenticity. The plugin decrypts and trusts attacker-controlled email data in an unauthenticated AJAX handler without cryptographic authenticity guarantees. This allows attackers to manipulate form email routing and redirection values, potentially triggering unauthorized email relay and redirection via the email data parameter. The affected component is an AJAX handler.

Recommendations
Update to version 6.4.8 or later.
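
The weakness class in the description (decrypting client-supplied data and trusting the result) is closed by authenticated encryption under a key only the server holds. The sketch below is an added example, not the plugin's code or its 6.4.8 patch. The function names, settings keys and demo secret are hypothetical, and PHP 7.3+ with the OpenSSL extension is assumed.

```php
<?php
declare(strict_types=1);

// Server-only secret (constructed demo value). It must never be derivable
// from anything the client can see, or the tag proves nothing.
$key = hash('sha256', 'constructed-demo-secret', true); // 32 raw bytes

/** Seal form settings so the server can later prove it issued them. */
function seal_form_settings(array $settings, string $key): string {
    $iv  = random_bytes(12);                 // fresh nonce for every blob
    $tag = '';
    $ct  = openssl_encrypt(json_encode($settings, JSON_THROW_ON_ERROR),
                           'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    return base64_encode($iv . $tag . $ct);  // layout: iv(12) | tag(16) | ciphertext
}

/** Return the settings array, or null if the blob was not produced with $key. */
function open_form_settings(string $blob, string $key): ?array {
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) <= 28) {
        return null;                         // malformed input: reject early
    }
    $iv  = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $ct  = substr($raw, 28);
    $pt  = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($pt === false) {
        return null;                         // tag mismatch: altered or forged
    }
    $settings = json_decode($pt, true);
    return is_array($settings) ? $settings : null;
}

// Constructed sample settings for the demonstration.
$blob = seal_form_settings(
    ['to' => 'owner@example.test', 'redirect' => '/thank-you/'], $key);
echo 'untampered blob accepted: ',
     var_export(open_form_settings($blob, $key) !== null, true), PHP_EOL;

// Change a single ciphertext bit, standing in for any client-side modification.
$raw     = base64_decode($blob);
$raw[30] = chr(ord($raw[30]) ^ 0x01);
echo 'modified blob accepted: ',
     var_export(open_form_settings(base64_encode($raw), $key) !== null, true), PHP_EOL;
```

A handler built this way stops processing when `open_form_settings()` returns null, so routing and redirect values are only ever taken from blobs the server itself sealed.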

Fix

Insufficient Verification of Data Authenticity

Weakness Enumeration

Related Identifiers

CVE-2026-2385

Affected Products

Elementor
The Plus Addons For Elementor