EUVD-2026-14163
GHSA-95c6-28c3-2pjc
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3Description
The ElementCamp plugin for WordPress is vulnerable to time-based SQL Injection via the 'meta_query[compare]' parameter in the 'tcg_select2_search_post' AJAX action in all versions up to, and including, 2.3.6. This is due to the user-supplied compare value being placed as an SQL operator in the query without validation against an allowlist of comparison operators. The value is passed through esc_sql(), but since the payload operates as an operator (not inside quotes), esc_sql() has no effect on payloads that don't contain quote characters. This makes it possible for authenticated attackers, with Author-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Analysis
The ElementCamp plugin for WordPress contains a time-based SQL injection vulnerability in the 'tcg_select2_search_post' AJAX action through improper validation of the 'meta_query[compare]' parameter. Authenticated attackers with Author-level privileges or higher can inject arbitrary SQL operators to extract sensitive database information, as the vulnerable code places user-supplied comparison operators directly into SQL queries without allowlist validation, rendering esc_sql() ineffective for operator-level payloads. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 30 days: Identify affected systems running all and apply vendor patches as part of regular patch cycle. Validate input sanitization for user-controlled parameters.
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today