This vulnerability arises from the plugin decrypting and trusting attacker‑controlled email_data in an unauthenticated AJAX handler without any cryptographic authenticity guarantees. The flaw allows an attacker to modify form email routing and redirection values through the email_data parameter, enabling the plugin to send email traffic on the site’s behalf and perform redirection to attacker‑controlled URLs. The impact is the potential for spam, phishing, or other malicious email distribution, compromising the site’s reputation and possibly facilitating further social engineering attacks. The weakness is classified as CWE‑345, Insufficient Verification of Data Authenticity. The plugin thus exposes the email infrastructure to unauthorized use.

The vulnerability affects the WordPress plugin "The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce" developed by PosimythThemes. All releases up to and including version 6.4.7 are impacted. Users running these older plugin versions on any WordPress site are susceptible.

The CVSS score of 5.3 indicates moderate severity, while the EPSS score of less than 1% shows a very low probability of exploitation at the time of this assessment. The vulnerability is not currently listed in the CISA KEV catalog, but should still be treated seriously because the attack vector is anonymous and requires no credentials. An unauthenticated attacker can trigger the vulnerable AJAX endpoint by sending crafted requests containing the email_data payload, leading to uncontrolled email relay and potential redirect abuse.