cleantalk
Vulnerabilities and Security Researches

The Plus Addons for Elementor, CVE-2026-2385

CVE, Research URL

CVE-2026-2385

Home page URL

Security reports for The Plus Addons for Elementor

Application

The Plus Addons for Elementor

Published on
Feb 22, 2026
Research Description
The The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 6.4.7. This is due to the plugin decrypting and trusting attacker-controlled email_data in an unauthenticated AJAX handler without cryptographic authenticity guarantees. This makes it possible for unauthenticated attackers to tamper with form email routing and redirection values to trigger unauthorized email relay and attacker-controlled redirection via the 'email_data' parameter.
Affected versions
max 6.4.8.
Status
vulnerable
Previous vulnerability researches
Video & Photo Gallery for Ultimate Member (CVE-2025-32121) , Apr 06, 2025
Video & Photo Gallery for Ultimate Member (CVE-2024-12162) , Dec 13, 2024
Video & Photo Gallery for Ultimate Member (CVE-2024-54370) , Dec 18, 2024
Video & Photo Gallery for Ultimate Member (CVE-2025-22672) , Feb 20, 2025
BuddyForms Ultimate Member (893cfcf44e3c079784f666e461a667cb4f6e2761) , Jun 06, 2024
New vulnerability
Gutena Forms – Contact Forms Block (CVE-2026-1674) , Apr 15, 2026
Video Conferencing with Zoom (CVE-2026-1368) , Apr 15, 2026
Custom Blocks Constructor – Lazy Blocks (CVE-2026-1560) , Apr 15, 2026
Happy Addons for Elementor (CVE-2026-2917) , Apr 15, 2026
Happy Addons for Elementor (CVE-2026-1210) , Apr 15, 2026