Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Description (CVE.org)
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Unlimited Elements For Elementor allows Blind SQL Injection.
This issue affects Unlimited Elements For Elementor: from n/a through 2.0.8.
Analysis (AI)
Blind SQL injection in the Unlimited Elements For Elementor WordPress plugin (versions up to and including 2.0.8) allows authenticated low-privilege attackers to inject arbitrary SQL into backend database queries. The flaw was reported by Patchstack and carries a CVSS 3.1 score of 8.5 due to scope change and high confidentiality impact, though no public exploit had been identified at the time of analysis and the EPSS probability remains low at 0.03%. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires the attacker to hold an authenticated low-privilege WordPress account on a site running Unlimited Elements For Elementor at version 2.0.8 or earlier (CVSS PR:L). … |
| Risk Assessment | Signals are mixed and favor a moderate rather than urgent priority. … |
| Exploit Scenario | An attacker registers (or compromises) a low-privileged WordPress account such as a subscriber on a target site running Unlimited Elements For Elementor ≤2.0.8, then sends crafted parameters to a vulnerable plugin endpoint that concatenates input into an SQL query. Using boolean- or time-based blind techniques, the attacker exfiltrates wp_users password hashes, secret_keys, or session tokens one bit at a time, then escalates to administrator. … |
| Remediation | No vendor-released patch identified at time of analysis from the provided data; administrators should monitor the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/unlimited-elements-for-elementor/vulnerability/wordpress-unlimited-elements-for-elementor-free-widgets-addons-templates-plugin-2-0-8-sql-injection-vulnerability) and the WordPress plugin repository for an update beyond 2.0.8 and apply it as soon as published. … |
Recommended Action (AI)
24 hours: Inventory all WordPress installations using Unlimited Elements For Elementor; identify current plugin versions. …
EUVD-2026-31759
GHSA-679r-jm2j-3cr6