
Unlimited Elements CVE-2026-5486

EUVD-2026-30214 · MEDIUM
SQL Injection (CWE-89)
2026-05-14 · Wordfence · GHSA-7q2p-8rmm-c8pg
6.5 (CVSS 3.1 · NVD)

Severity by source

NVD (primary): 6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

Analysis Generated: Jun 08, 2026 - 10:52 (vuln.today)
CVE Published: May 14, 2026 - 02:26 (nvd)
Severity: MEDIUM 6.5

Description (CVE.org)

The Unlimited Elements for Elementor plugin for WordPress is vulnerable to SQL Injection via the 'data[filter_search]' parameter in the get_cat_addons AJAX action in versions up to and including 2.0.7. This is due to insufficient input sanitization and the use of deprecated escaping functions combined with direct string concatenation in SQL query construction. The vulnerability is exacerbated because the normalizeAjaxInputData() function calls stripslashes() on all user input, removing the protection provided by WordPress's wp_magic_quotes() function. Subsequently, the filter_search parameter is escaped using the deprecated wpdb->_escape() function and then directly concatenated into a LIKE clause without using prepared statements. This makes it possible for authenticated attackers, with Contributor-level access and above (who can obtain a valid nonce through the Elementor editor), to inject arbitrary SQL commands and extract sensitive information from the database.

Analysis (AI)

SQL Injection in the Unlimited Elements for Elementor WordPress plugin (versions up to and including 2.0.7) allows authenticated attackers holding at least Contributor-level access to extract sensitive database contents by injecting arbitrary SQL into the 'data[filter_search]' parameter of the get_cat_addons AJAX action. The vulnerability is the product of two chained weaknesses: the plugin's normalizeAjaxInputData() function actively undoes WordPress's built-in magic-quote protection via stripslashes(), and the deprecated wpdb->_escape() method then fails to safely handle the exposed input before it is concatenated directly into a LIKE clause. …
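The description and analysis above both name the same defect pattern: a search value is unslashed, passed through the deprecated wpdb->_escape(), and concatenated into a LIKE clause. The page does not show the plugin's actual code, so the following is an added, hypothetical WordPress AJAX handler written for this page (not the plugin's source) that implements the safe equivalent: wp_unslash() plus sanitize_text_field() on input, $wpdb->esc_like() to neutralise LIKE wildcards, and $wpdb->prepare() to bind the value as a parameter. The action name, nonce name, capability, table name and LIMIT are assumptions.

```php
<?php
// Added example for this page: hardened search-style AJAX handler.
// Hypothetical code, not the plugin's own; names below are assumed.

add_action( 'wp_ajax_example_search_addons', 'example_search_addons' );

function example_search_addons() {
    global $wpdb;

    // Tie the request to a nonce issued for this action ('example_search_nonce' assumed).
    check_ajax_referer( 'example_search_nonce', 'nonce' );

    // Require a specific capability instead of accepting any authenticated role
    // (the advisory notes Contributor-level access was sufficient). Capability assumed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $data = ( isset( $_POST['data'] ) && is_array( $_POST['data'] ) ) ? $_POST['data'] : array();

    // wp_unslash() is the supported way to reverse wp_magic_quotes(); unslashing is
    // harmless only because the value is bound with prepare() below, never concatenated.
    $search = isset( $data['filter_search'] )
        ? sanitize_text_field( wp_unslash( $data['filter_search'] ) )
        : '';

    // Pattern the advisory describes, kept here only for contrast (do not use):
    // $sql = "SELECT ... WHERE title LIKE '%" . $wpdb->_escape( $search ) . "%'";

    // Hardened: esc_like() escapes % and _ so user text cannot widen the match,
    // and prepare() binds the whole LIKE operand as a %s placeholder.
    $like  = '%' . $wpdb->esc_like( $search ) . '%';
    $table = $wpdb->prefix . 'example_addons'; // assumed table name
    $sql   = $wpdb->prepare(
        "SELECT id, title FROM {$table} WHERE title LIKE %s LIMIT %d",
        $like,
        50
    );

    $rows = $wpdb->get_results( $sql, ARRAY_A );
    wp_send_json_success( $rows );
}
```

When reviewing plugin code for this class of bug, the check is mechanical: any $wpdb->query()/get_results()/get_var() call whose SQL string contains a PHP variable outside of $wpdb->prepare() is a finding, and $wpdb->_escape() or esc_sql() used as the only protection does not clear it.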


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Obtain or compromise Contributor-level WordPress account
Delivery: Access Elementor editor interface to harvest valid nonce
Exploit: Craft POST request to wp-admin/admin-ajax.php targeting get_cat_addons
Execution: normalizeAjaxInputData() strips wp_magic_quotes() protection via stripslashes()
Persist: Deprecated wpdb->_escape() fails to block payload in LIKE clause concatenation
Impact: Extract sensitive database contents including password hashes and PII

Vulnerability Assessment (AI)

Exploitation: Exploitation requires an authenticated WordPress session with at least Contributor-level privileges, a role that must be explicitly assigned by a site administrator and is not granted to anonymous users or default subscribers. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS 3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) accurately characterizes the technical severity: network-reachable, low complexity, no user interaction, with a High confidentiality impact enabling full database read. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker who has registered or compromised a Contributor-level account on a WordPress site running Unlimited Elements for Elementor ≤2.0.7 logs in, opens the Elementor editor to extract a valid nonce embedded in the page response, and then sends a crafted POST request to wp-admin/admin-ajax.php targeting the get_cat_addons action with a SQL-injected payload in data[filter_search]. Because the plugin strips WordPress's magic-quote escaping before applying the deprecated wpdb->_escape(), the payload survives sanitization and executes within the LIKE clause, enabling the attacker to enumerate database tables and extract credential hashes, email addresses, and configuration secrets. …

Remediation: The primary remediation is to update the Unlimited Elements for Elementor plugin to the latest available version beyond 2.0.7. … Detailed patch versions, workarounds, and compensating controls in full report.


CVE-2026-5486 vulnerability details – vuln.today
