Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Element Invader ElementInvader Addons for Elementor elementinvader-addons-for-elementor allows Blind SQL Injection.This issue affects ElementInvader Addons for Elementor: from n/a through <= 1.4.2.
Published: 2026-03-25
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Blind SQL Injection
Action: Immediate Patch
AI Analysis

Impact

The Element Invader Addons for Elementor plugin contains an SQL injection flaw caused by improper neutralization of special elements in SQL commands. An attacker can send crafted input that bypasses input validation, leading to blind SQL injection, which allows extraction or modification of database contents and jeopardizes the confidentiality and integrity of the WordPress site.

Affected Systems

Any WordPress installation that includes Element Invader Addons for Elementor version 1.4.2 or earlier is affected. The vulnerability applies to all releases from the earliest available version up to and including 1.4.2.

Risk and Exploitability

The CVSS score of 8.5 indicates high severity, while the EPSS score of less than 1% suggests low current exploit prevalence; the vulnerability is not listed in CISA’s KEV catalog. Based on the description, it is inferred that the attack vector is remote via web input to the plugin’s endpoints, meaning an adversary can trigger the flaw through normal site access without local privileges.

Generated by OpenCVE AI on March 26, 2026 at 21:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Element Invader Addons for Elementor to a version newer than 1.4.2.
  • If upgrading is not possible, remove the plugin entirely from the WordPress installation.
  • Ensure that the WordPress core and all other plugins are updated to their latest secure releases.

Generated by OpenCVE AI on March 26, 2026 at 21:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Elementinvader
Elementinvader elementinvader Addons For Elementor
Wordpress
Wordpress wordpress
Vendors & Products Elementinvader
Elementinvader elementinvader Addons For Elementor
Wordpress
Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Element Invader ElementInvader Addons for Elementor elementinvader-addons-for-elementor allows Blind SQL Injection.This issue affects ElementInvader Addons for Elementor: from n/a through <= 1.4.2.
Title WordPress ElementInvader Addons for Elementor plugin <= 1.4.2 - SQL Injection vulnerability
Weaknesses CWE-89
References

Subscriptions

Elementinvader Elementinvader Addons For Elementor
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-23T14:14:07.658Z

Reserved: 2026-01-28T09:51:50.022Z

Link: CVE-2026-25007

cve-icon Vulnrichment

Updated: 2026-03-26T19:10:23.056Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-25T17:16:41.600

Modified: 2026-03-30T13:27:12.923

Link: CVE-2026-25007

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:46:13Z

Weaknesses