– Proof of Concept - Atomic Edge

Atomic Edge analysis of CVE-2025-31413:
The Element Pack Lite plugin for Elementor, versions up to 8.3.13, contains a Cross-Site Request Forgery (CSRF) vulnerability in its contact form submission handler. This flaw allows unauthenticated attackers to trick authenticated users into performing unintended actions via forged requests.

Root Cause:
The vulnerability originates in the contact form module’s server-side request processing logic. In the file `bdthemes-element-pack-lite/modules/contact-form/module.php`, the function handling POST submissions performed an incorrect nonce validation check. The original code on line 93 used a logical AND (`&&`) operator to verify the nonce’s existence and validity. This faulty logic required the `_wpnonce` parameter to be both NOT set AND fail verification, a condition that could never be true. Consequently, the security check was effectively bypassed for all requests.

Exploitation:
An attacker can exploit this by crafting a malicious web page or link that submits a forged POST request to the WordPress site’s contact form endpoint. The request targets the plugin’s AJAX or form handler. The payload includes parameters for the contact form fields, such as name, email, and message, but omits the required `_wpnonce` parameter or provides an invalid one. When an administrator with appropriate privileges visits the attacker’s page, the forged request is sent from the victim’s browser, submitting unauthorized contact form data.

Patch Analysis:
The patch changes a single character in the conditional statement on line 93 of `module.php`. It replaces the logical AND operator (`&&`) with a logical OR operator (`||`). The corrected logic now properly validates that the request must have a `_wpnonce` parameter AND that the nonce verifies correctly for the `simpleContactForm` action. If either condition fails (nonce not set OR verification fails), the security check triggers, outputting a warning and terminating execution with `wp_die()`. This enforces the intended nonce validation.

Impact:
Successful exploitation allows attackers to submit arbitrary data through the site’s contact form. This can lead to spam injection, harassment of site administrators via forged messages, or data exfiltration if the form submissions are logged or emailed. The attack requires user interaction, typically social engineering an administrator to click a link, aligning with the CVSS score of 4.3 (Medium severity).