Description
The Post Carousel Slider for Elementor plugin for WordPress is vulnerable to improper authorization due to a missing capability check on the process_wbelps_promo_form() function in all versions up to, and including, 1.6.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger the plugin’s support‐form handler to send arbitrary emails to the site’s support address.
Published: 2025-06-26
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary Email Sending by Subscriber-Plus Users
Action: Apply Patch
AI Analysis

Impact

The vulnerability exists in the Post Carousel Slider for Elementor plugin where the process_wbelps_promo_form() function lacks a capability check. Authenticated users with Subscriber-level access or higher can invoke this function, allowing them to send arbitrary emails to the site’s support address. This does not provide code execution but enables spam, phishing, or targeted messaging from the server, which can undermine confidentiality and trust in the site’s communication channels.

Affected Systems

WordPress sites running Plugindevs’ Post Carousel Slider for Elementor plugin up to and including version 1.6.0 are affected. No other plugins or product versions are listed as impacted.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate severity. The EPSS score of less than 1% suggests that exploitation is currently unlikely, and the vulnerability is not listed in CISA’s KEV catalog. Attackers must be authenticated with a Subscriber or higher role, and they exploit the missing authorization check by invoking the support-form handler. The risk remains primarily the unauthorized use of the site’s email address for malicious messaging.

Generated by OpenCVE AI on April 28, 2026 at 01:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the plugin to the latest version that includes the authorization check for process_wbelps_promo_form().
  • If an update is not immediately available, disable or remove the support‑form handler by removing the process_wbelps_promo_form() call or adding a capability requirement manually.
  • Ensure that any function which processes POST requests enforces proper capability checks to prevent privilege escalation (CWE‑862).

Generated by OpenCVE AI on April 28, 2026 at 01:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-27936 The Post Carousel Slider for Elementor plugin for WordPress is vulnerable to improper authorization due to a missing capability check on the process_wbelps_promo_form() function in all versions up to, and including, 1.6.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger the plugin’s support‐form handler to send arbitrary emails to the site’s support address.
History

Thu, 03 Jul 2025 17:30:00 +0000

Type Values Removed Values Added
First Time appeared Plugin-devs
Plugin-devs post Carousel Slider For Elementor
CPEs cpe:2.3:a:plugin-devs:post_carousel_slider_for_elementor:*:*:*:*:*:wordpress:*:*
Vendors & Products Plugin-devs
Plugin-devs post Carousel Slider For Elementor

Thu, 26 Jun 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Jun 2025 02:15:00 +0000

Type Values Removed Values Added
Description The Post Carousel Slider for Elementor plugin for WordPress is vulnerable to improper authorization due to a missing capability check on the process_wbelps_promo_form() function in all versions up to, and including, 1.6.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger the plugin’s support‐form handler to send arbitrary emails to the site’s support address.
Title Post Carousel Slider for Elementor <= 1.6.0 - Authenticated (Subscriber+) Missing Authorization via process_wbelps_promo_form Function
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Plugin-devs Post Carousel Slider For Elementor
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:34:53.032Z

Reserved: 2025-04-21T18:21:33.204Z

Link: CVE-2025-3863

cve-icon Vulnrichment

Updated: 2025-06-26T13:27:36.450Z

cve-icon NVD

Status : Analyzed

Published: 2025-06-26T02:15:20.200

Modified: 2025-07-03T17:09:19.293

Link: CVE-2025-3863

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T01:30:17Z

Weaknesses