Skip to main content

Xpro Elementor Addons CVE-2026-45214

| EUVDEUVD-2026-29456 HIGH
SQL Injection (CWE-89)
2026-05-12 Patchstack GHSA-h67w-h28r-2hgc
8.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.5 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

2
Analysis Generated
May 12, 2026 - 11:32 vuln.today
CVE Published
May 12, 2026 - 11:02 nvd
HIGH 8.5

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Xpro Xpro Elementor Addons xpro-elementor-addons allows Blind SQL Injection.This issue affects Xpro Elementor Addons: from n/a through <= 1.5.1.

AnalysisAI

Blind SQL injection in Xpro Elementor Addons allows authenticated attackers to extract sensitive database contents including user credentials and site configurations. The vulnerability affects WordPress sites running plugin versions up to 1.5.1 and requires only low-privileged authenticated access (CVSS PR:L) with no user interaction. EPSS data not available, but the low attack complexity (AC:L) combined with changed scope (S:C) indicates potential for cross-boundary impact beyond the vulnerable plugin. No active exploitation confirmed in CISA KEV at time of analysis.

Technical ContextAI

This vulnerability exists in the Xpro Elementor Addons WordPress plugin (CPE: cpe:2.3:a:xpro:xpro_elementor_addons), a third-party extension for the Elementor page builder. The flaw is classified as CWE-89 (SQL Injection), specifically a blind variant where attackers cannot see direct query results but can infer data through timing attacks or conditional responses. Blind SQL injection occurs when user-supplied input is incorporated into SQL queries without proper sanitization or parameterization, allowing attackers to manipulate database logic. The WordPress plugin architecture commonly exposes AJAX handlers and REST API endpoints that process authenticated user input, and improper input validation in these handlers frequently leads to SQL injection vulnerabilities. The changed scope indicator (S:C) in the CVSS vector suggests the vulnerability may allow attackers to access resources outside the plugin's security boundary, potentially affecting the entire WordPress database including other plugins and core tables.

RemediationAI

Primary mitigation is to upgrade Xpro Elementor Addons to a patched version newer than 1.5.1 if available through the WordPress plugin repository or vendor channels. Check the official WordPress plugin page and Xpro website for update releases addressing CVE-2026-45214. If a patched version is not yet released or immediate patching is not feasible, implement compensating controls: restrict plugin access by removing Subscriber and Contributor role assignments on sites where these users don't require Elementor functionality, reducing the authenticated attacker pool; implement Web Application Firewall (WAF) rules to detect SQL injection patterns in requests to plugin endpoints, though blind SQLi can evade pattern matching; enable database query logging and monitor for unusual query patterns or timing anomalies that may indicate exploitation attempts, accepting the performance overhead; consider temporarily deactivating the plugin if Elementor addons functionality is not business-critical until a confirmed patch is available. Review the Patchstack advisory at the provided reference URL for vendor-specific guidance and confirmed fix versions as they become available.

Share

CVE-2026-45214 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy