CVE-2025-3863

The Post Carousel Slider for Elementor plugin for WordPress is vulnerable to improper authorization due to a missing capability check on the process_wbelps_promo_form() function in all versions up to, and including, 1.6.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger the plugin’s support‐form handler to send arbitrary emails to the site’s support address.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/browser/post-carousel-slider-for-elementor/tags/1.5.0/support-page/class-support-page.php#L28	Product
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3316424%40post-carousel-slider-for-elementor&new=3316424%40post-carousel-slider-for-elementor&sfp_email=&sfph_mail=	Patch
https://wordpress.org/plugins/post-carousel-slider-for-elementor/#developers	Product
https://www.wordfence.com/threat-intel/vulnerabilities/id/0b92afdf-51e0-4cf5-9f2b-997b9ff98b23?source=cve	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:plugin-devs:post_carousel_slider_for_elementor:*:*:*:*:*:wordpress:*:*

History

03 Jul 2025, 17:09

Type	Values Removed	Values Added
CPE		cpe:2.3:a:plugin-devs:post_carousel_slider_for_elementor::::::wordpress::*
First Time		Plugin-devs post Carousel Slider For Elementor Plugin-devs
References	~~() https://plugins.trac.wordpress.org/browser/post-carousel-slider-for-elementor/tags/1.5.0/support-page/class-support-page.php#L28 -~~	() https://plugins.trac.wordpress.org/browser/post-carousel-slider-for-elementor/tags/1.5.0/support-page/class-support-page.php#L28 - Product
References	() https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3316424%40post-carousel-slider-for-elementor&new=3316424%40post-carousel-slider-for-elementor&sfp_email=&sfph_mail= -	() https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3316424%40post-carousel-slider-for-elementor&new=3316424%40post-carousel-slider-for-elementor&sfp_email=&sfph_mail= - Patch
References	~~() https://wordpress.org/plugins/post-carousel-slider-for-elementor/#developers -~~	() https://wordpress.org/plugins/post-carousel-slider-for-elementor/#developers - Product
References	~~() https://www.wordfence.com/threat-intel/vulnerabilities/id/0b92afdf-51e0-4cf5-9f2b-997b9ff98b23?source=cve -~~	() https://www.wordfence.com/threat-intel/vulnerabilities/id/0b92afdf-51e0-4cf5-9f2b-997b9ff98b23?source=cve - Third Party Advisory

26 Jun 2025, 18:57

Type	Values Removed	Values Added
Summary		(es) El complemento Post Carousel Slider para Elementor de WordPress es vulnerable a una autorización incorrecta debido a la falta de una comprobación de capacidad en la función process_wbelps_promo_form() en todas las versiones hasta la 1.6.0 incluida. Esto permite que atacantes autenticados, con acceso de suscriptor o superior, activen el gestor del formulario de soporte del complemento para enviar correos electrónicos arbitrarios a la dirección de soporte del sitio.

26 Jun 2025, 02:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-26 02:15

Updated : 2025-07-03 17:09

NVD link : CVE-2025-3863

Mitre link : CVE-2025-3863

CVE.ORG link : CVE-2025-3863

JSON object : View

Products Affected

plugin-devs

post_carousel_slider_for_elementor

CWE

CWE-862

Missing Authorization

4.3 /10