ElementInvader Addons for Elementor WordPress Plugin Missing Authorization Vulnerability Allowing Unauthenticated Arbitrary Email Sending

Vulnerability

A vulnerability exists in the ElementInvader Addons for Elementor WordPress plugin in versions prior to 1.4.1. The issue arises from a lack of proper authorization on the 'elementinvader_addons_for_elementor_forms_send_form' action, allowing unauthenticated users to send arbitrary emails to any address. Exploitation involves submitting a contact form with fake data and intercepting the request to add specific parameters, including email details and a token that is only valid for one use.

Impact

Exploitation of this vulnerability allows for unauthorized email sending, which could be misused for phishing or spam.

Reproduction

To reproduce this vulnerability, first ensure the ElementInvader Addons for Elementor WordPress plugin is installed and active on a WordPress site. Then, open a page with the Eli Contact Form embedded using the Elementor Builder. Submit the form with dummy data to trigger the 'elementinvader_addons_for_elementor_forms_send_form' action. Intercept the request and add the necessary parameters, such as 'mail_data_subject', 'mail_data_to_email', 'mail_data_from_name', 'mail_data_from_email', 'usermail', and 'message_body'. Forward the modified request to send the email. The 'eli_token' parameter must be refreshed with each request, as it is tied to the request's IP address and User Agent.
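The root cause above is a mail-sending AJAX action that trusts client-supplied recipient and sender fields. As an added illustration (not the plugin's own code; the hook name, nonce action and field names are assumptions), this is how such a handler can be written so that an unauthenticated request cannot choose where the email goes or whom it claims to be from:

```php
<?php
// Added example, not code from ElementInvader Addons for Elementor.
// Hook name, nonce action and POST field names are assumptions.

add_action( 'wp_ajax_example_contact_form_send', 'example_contact_form_send' );
add_action( 'wp_ajax_nopriv_example_contact_form_send', 'example_contact_form_send' );

function example_contact_form_send() {
    // CSRF guard: a WordPress nonce issued with the form. Note that for logged-out
    // visitors the nonce is a cross-site check, not authentication, so it must
    // not be the only control (a token bound merely to IP and User-Agent is not
    // an authorization check either).
    check_ajax_referer( 'example_contact_form', 'nonce' );

    // The recipient and the From identity come from site configuration only.
    // No POST field such as a "to_email" or "from_email" is ever consulted.
    $to         = get_option( 'admin_email' );
    $from_name  = get_bloginfo( 'name' );
    $from_email = get_option( 'admin_email' );

    // Only the fields a visitor may legitimately supply are read, each sanitized.
    // sanitize_text_field() strips line breaks, which keeps the subject out of
    // mail-header injection.
    $user_email = isset( $_POST['usermail'] ) ? sanitize_email( wp_unslash( $_POST['usermail'] ) ) : '';
    $subject    = isset( $_POST['subject'] ) ? sanitize_text_field( wp_unslash( $_POST['subject'] ) ) : 'Website contact form';
    $body       = isset( $_POST['message_body'] ) ? sanitize_textarea_field( wp_unslash( $_POST['message_body'] ) ) : '';

    if ( ! is_email( $user_email ) || '' === $body ) {
        wp_send_json_error( array( 'message' => 'Invalid form data.' ), 400 );
    }

    // The visitor's address is placed in Reply-To only, after is_email(),
    // never in To or From.
    $headers = array(
        'From: ' . $from_name . ' <' . $from_email . '>',
        'Reply-To: ' . $user_email,
    );

    if ( wp_mail( $to, $subject, $body, $headers ) ) {
        wp_send_json_success( array( 'message' => 'Message sent.' ) );
    }
    wp_send_json_error( array( 'message' => 'Mail could not be sent.' ), 500 );
}
```

Because the action is still reachable via wp_ajax_nopriv, a per-IP rate limit on the handler is a sensible additional control against spam volume.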

Remediation

Users are advised to update the ElementInvader Addons for Elementor WordPress plugin to version 1.4.1 or later.

Added: Nov 5, 2025, 6:22 AM
Updated: Nov 5, 2025, 6:22 AM

Vulnerability Rating

Custom Algorithm

  category        score
  spread           1.6
  impact           0.6
  exploitability   9.7
  remediation      7.7
  relevance        0.9
  threat           6.4
  urgency          2.9
  incentive       10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.