Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
2DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Xpro Xpro Elementor Addons xpro-elementor-addons allows Blind SQL Injection.This issue affects Xpro Elementor Addons: from n/a through <= 1.5.1.
AnalysisAI
Blind SQL injection in Xpro Elementor Addons allows authenticated attackers to extract sensitive database contents including user credentials and site configurations. The vulnerability affects WordPress sites running plugin versions up to 1.5.1 and requires only low-privileged authenticated access (CVSS PR:L) with no user interaction. EPSS data not available, but the low attack complexity (AC:L) combined with changed scope (S:C) indicates potential for cross-boundary impact beyond the vulnerable plugin. No active exploitation confirmed in CISA KEV at time of analysis.
Technical ContextAI
This vulnerability exists in the Xpro Elementor Addons WordPress plugin (CPE: cpe:2.3:a:xpro:xpro_elementor_addons), a third-party extension for the Elementor page builder. The flaw is classified as CWE-89 (SQL Injection), specifically a blind variant where attackers cannot see direct query results but can infer data through timing attacks or conditional responses. Blind SQL injection occurs when user-supplied input is incorporated into SQL queries without proper sanitization or parameterization, allowing attackers to manipulate database logic. The WordPress plugin architecture commonly exposes AJAX handlers and REST API endpoints that process authenticated user input, and improper input validation in these handlers frequently leads to SQL injection vulnerabilities. The changed scope indicator (S:C) in the CVSS vector suggests the vulnerability may allow attackers to access resources outside the plugin's security boundary, potentially affecting the entire WordPress database including other plugins and core tables.
RemediationAI
Primary mitigation is to upgrade Xpro Elementor Addons to a patched version newer than 1.5.1 if available through the WordPress plugin repository or vendor channels. Check the official WordPress plugin page and Xpro website for update releases addressing CVE-2026-45214. If a patched version is not yet released or immediate patching is not feasible, implement compensating controls: restrict plugin access by removing Subscriber and Contributor role assignments on sites where these users don't require Elementor functionality, reducing the authenticated attacker pool; implement Web Application Firewall (WAF) rules to detect SQL injection patterns in requests to plugin endpoints, though blind SQLi can evade pattern matching; enable database query logging and monitor for unusual query patterns or timing anomalies that may indicate exploitation attempts, accepting the performance overhead; consider temporarily deactivating the plugin if Elementor addons functionality is not business-critical until a confirmed patch is available. Review the Patchstack advisory at the provided reference URL for vendor-specific guidance and confirmed fix versions as they become available.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29456
GHSA-h67w-h28r-2hgc