{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-3863", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-04-21T18:21:33.204Z", "datePublished": "2025-06-26T02:06:32.222Z", "dateUpdated": "2026-04-08T16:34:53.032Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:34:53.032Z"}, "affected": [{"vendor": "plugindevs", "product": "Post Carousel Slider for Elementor", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.6.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Post Carousel Slider for Elementor plugin for WordPress is vulnerable to improper authorization due to a missing capability check on the process_wbelps_promo_form() function in all versions up to, and including, 1.6.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger the plugin\u2019s support\u2010form handler to send arbitrary emails to the site\u2019s support address."}], "title": "Post Carousel Slider for Elementor <= 1.6.0 - Authenticated (Subscriber+) Missing Authorization via process_wbelps_promo_form Function", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0b92afdf-51e0-4cf5-9f2b-997b9ff98b23?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/post-carousel-slider-for-elementor/tags/1.5.0/support-page/class-support-page.php#L28"}, {"url": "https://wordpress.org/plugins/post-carousel-slider-for-elementor/#developers"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3316424%40post-carousel-slider-for-elementor&new=3316424%40post-carousel-slider-for-elementor&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Peter Thaleikis"}], "timeline": [{"time": "2025-06-25T13:45:39.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-26T13:27:30.645738Z", "id": "CVE-2025-3863", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-26T13:27:42.404Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-3863", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-26T13:27:30.645738Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-26T13:27:36.450Z"}}], "cna": {"title": "Post Carousel Slider for Elementor <= 1.6.0 - Authenticated (Subscriber+) Missing Authorization via process_wbelps_promo_form Function", "credits": [{"lang": "en", "type": "finder", "value": "Peter Thaleikis"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "plugindevs", "product": "Post Carousel Slider for Elementor", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.6.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-06-25T13:45:39.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0b92afdf-51e0-4cf5-9f2b-997b9ff98b23?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/post-carousel-slider-for-elementor/tags/1.5.0/support-page/class-support-page.php#L28"}, {"url": "https://wordpress.org/plugins/post-carousel-slider-for-elementor/#developers"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3316424%40post-carousel-slider-for-elementor&new=3316424%40post-carousel-slider-for-elementor&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Post Carousel Slider for Elementor plugin for WordPress is vulnerable to improper authorization due to a missing capability check on the process_wbelps_promo_form() function in all versions up to, and including, 1.6.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger the plugin\u2019s support\u2010form handler to send arbitrary emails to the site\u2019s support address."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:34:53.032Z"}}}, "cveMetadata": {"cveId": "CVE-2025-3863", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:34:53.032Z", "dateReserved": "2025-04-21T18:21:33.204Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-06-26T02:06:32.222Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:plugin-devs:post_carousel_slider_for_elementor:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "102C7718-0CF2-4F3C-958D-35C40983312A", "versionEndExcluding": "1.7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Post Carousel Slider for Elementor plugin for WordPress is vulnerable to improper authorization due to a missing capability check on the process_wbelps_promo_form() function in all versions up to, and including, 1.6.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger the plugin\u2019s support\u2010form handler to send arbitrary emails to the site\u2019s support address."}, {"lang": "es", "value": "El complemento Post Carousel Slider para Elementor de WordPress es vulnerable a una autorizaci\u00f3n incorrecta debido a la falta de una comprobaci\u00f3n de capacidad en la funci\u00f3n process_wbelps_promo_form() en todas las versiones hasta la 1.6.0 incluida. Esto permite que atacantes autenticados, con acceso de suscriptor o superior, activen el gestor del formulario de soporte del complemento para enviar correos electr\u00f3nicos arbitrarios a la direcci\u00f3n de soporte del sitio."}], "id": "CVE-2025-3863", "lastModified": "2025-07-03T17:09:19.293", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2025-06-26T02:15:20.200", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/post-carousel-slider-for-elementor/tags/1.5.0/support-page/class-support-page.php#L28"}, {"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3316424%40post-carousel-slider-for-elementor&new=3316424%40post-carousel-slider-for-elementor&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://wordpress.org/plugins/post-carousel-slider-for-elementor/#developers"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0b92afdf-51e0-4cf5-9f2b-997b9ff98b23?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T01:18:47.203569+00:00", "value": {"mitigation_remediation": ["Upgrade the plugin to the latest version that includes the authorization check for process_wbelps_promo_form().", "If an update is not immediately available, disable or remove the support\u2011form handler by removing the process_wbelps_promo_form() call or adding a capability requirement manually.", "Ensure that any function which processes POST requests enforces proper capability checks to prevent privilege escalation (CWE\u2011862)."], "summary": {"action": "Apply Patch", "impact": "Arbitrary Email Sending by Subscriber-Plus Users"}, "threat_synthesis": {"affected_systems": "WordPress sites running Plugindevs\u2019 Post Carousel Slider for Elementor plugin up to and including version 1.6.0 are affected. No other plugins or product versions are listed as impacted.", "description_and_impact": "The vulnerability exists in the Post Carousel Slider for Elementor plugin where the process_wbelps_promo_form() function lacks a capability check. Authenticated users with Subscriber-level access or higher can invoke this function, allowing them to send arbitrary emails to the site\u2019s support address. This does not provide code execution but enables spam, phishing, or targeted messaging from the server, which can undermine confidentiality and trust in the site\u2019s communication channels.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a moderate severity. The EPSS score of less than 1% suggests that exploitation is currently unlikely, and the vulnerability is not listed in CISA\u2019s KEV catalog. Attackers must be authenticated with a Subscriber or higher role, and they exploit the missing authorization check by invoking the support-form handler. The risk remains primarily the unauthorized use of the site\u2019s email address for malicious messaging."}}}}, "created": "2026-04-28T01:30:17.914182+00:00", "updated": "2026-04-28T01:30:17.914194+00:00", "vendors": []}