Atomic Edge analysis of CVE-2026-25028:
The vulnerability is a Missing Authorization flaw in the ElementInvader Addons for Elementor WordPress plugin, affecting versions up to and including 1.4.1. The flaw allows authenticated attackers with Subscriber-level access or higher to perform administrative actions, specifically accessing and manipulating form submission data. This constitutes a broken access control vulnerability with a CVSS score of 4.3.

Atomic Edge research identifies the root cause as the absence of capability checks and nonce verification in two AJAX handler functions within the plugin. The vulnerable functions are `eli_mails_datatable()` and `eli_mails_bulk_remove()` located in `/modules/mail_base/mail_base.php`. These functions were directly accessible via WordPress's `admin-ajax.php` endpoint without verifying whether the requesting user possesses the `administrator` capability or presents a valid nonce. The functions handle sensitive operations including retrieving stored form submission data and performing bulk deletion operations.

Exploitation requires an authenticated attacker with any valid WordPress user account, including the lowest-privilege Subscriber role. The attacker sends a POST request to `/wp-admin/admin-ajax.php` with the `action` parameter set to either `eli_mails_datatable` or `eli_mails_bulk_remove`. For the bulk removal function, the attacker must also include an `ids` parameter containing an array of database record IDs to delete. No nonce or special headers are required in the vulnerable version.

The patch in version 1.4.2 adds proper authorization checks to both vulnerable functions. The fix inserts two security measures at the beginning of each function: a capability check using `current_user_can('administrator')` and a nonce verification using `check_ajax_referer('eli_secure_ajax', 'eli_secure')`. These changes ensure only administrators with valid nonces can access the functions. The patch also adds a new Brevo API integration in `/modules/forms/ajax-handler.php` and modifies blog grid ordering logic, but these changes are unrelated to the authorization vulnerability.
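What the described fix looks like in a WordPress AJAX handler, as an added example that is not the plugin's own code: the capability check and nonce verification mirror the patch description, while the handler name, script handle and table name are hypothetical.

```php
<?php
// Added example (not ElementInvader's code): a minimal admin-ajax bulk-delete
// handler guarded the way the 1.4.2 patch is described, i.e. capability check
// first, then nonce verification, before any data is read or deleted.

// Emit the nonce to the admin page so legitimate requests can carry it in the
// 'eli_secure' POST field. 'example-mail-admin' is a hypothetical script handle
// that must already be enqueued.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'example-mail-admin', 'exampleMailAjax', array(
        'url'        => admin_url( 'admin-ajax.php' ),
        'eli_secure' => wp_create_nonce( 'eli_secure_ajax' ),
    ) );
} );

function example_mails_bulk_remove() {
    // 1. Authorization: reject non-administrators before touching anything.
    //    Passing a role name works, but WordPress recommends checking a
    //    capability such as 'manage_options' instead.
    if ( ! current_user_can( 'administrator' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }
    // 2. CSRF protection: terminates the request with -1 if the nonce in
    //    $_POST['eli_secure'] is missing or does not match 'eli_secure_ajax'.
    check_ajax_referer( 'eli_secure_ajax', 'eli_secure' );

    // 3. Only now validate input: coerce every id to a positive integer.
    $ids = isset( $_POST['ids'] ) ? array_map( 'absint', (array) $_POST['ids'] ) : array();
    $ids = array_values( array_filter( $ids ) );
    if ( empty( $ids ) ) {
        wp_send_json_error( array( 'message' => 'No ids supplied' ), 400 );
    }

    global $wpdb;
    $table        = $wpdb->prefix . 'example_mail_submissions'; // hypothetical table
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    $deleted      = $wpdb->query(
        $wpdb->prepare( "DELETE FROM {$table} WHERE id IN ({$placeholders})", $ids )
    );
    wp_send_json_success( array( 'deleted' => (int) $deleted ) );
}
// Registered for logged-in users only; no wp_ajax_nopriv_ hook, so
// unauthenticated callers never reach the handler at all.
add_action( 'wp_ajax_example_mails_bulk_remove', 'example_mails_bulk_remove' );
```

A useful regression check for the same bug class is to call the endpoint as a Subscriber with and without a valid nonce and confirm both paths are refused before any database query runs.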

Successful exploitation allows attackers to access all form submission data stored by the plugin, potentially exposing sensitive user information like email addresses, names, and custom form field data. Attackers can also delete submission records, causing data loss and disrupting business operations. The vulnerability does not provide direct remote code execution or privilege escalation to WordPress administrator, but it enables unauthorized data access and destruction at the application level.