CVE-2025-3863

MEDIUM 4.3

Post Carousel Slider for Elementor <= 1.6.0 - Authenticated (Subscriber+) Missing Authorization via process_wbelps_promo_form Function

CVSS Score

4.3

EPSS Score

0.0%

EPSS Percentile

0th

The Post Carousel Slider for Elementor plugin for WordPress is vulnerable to improper authorization due to a missing capability check on the process_wbelps_promo_form() function in all versions up to, and including, 1.6.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger the plugin’s support‐form handler to send arbitrary emails to the site’s support address.

CWE	CWE-862
Vendor	plugindevs
Product	post carousel slider for elementor
Published	Jun 26, 2025
Last Updated	Apr 8, 2026

Stay Ahead of the Next One

Get instant alerts for plugindevs post carousel slider for elementor

Be the first to know when new medium vulnerabilities affecting plugindevs post carousel slider for elementor are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

plugindevs / Post Carousel Slider for Elementor

0 ≤ 1.6.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/0b92afdf-51e0-4cf5-9f2b-997b9ff98b23?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/post-carousel-slider-for-elementor/tags/1.5.0/support-page/class-support-page.php#L28 wordpress.org: https://wordpress.org/plugins/post-carousel-slider-for-elementor/#developers plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3316424%40post-carousel-slider-for-elementor&new=3316424%40post-carousel-slider-for-elementor&sfp_email=&sfph_mail=

Credits

Peter Thaleikis