Description
The ElementCamp plugin for WordPress is vulnerable to time-based SQL Injection via the 'meta_query[compare]' parameter in the 'tcg_select2_search_post' AJAX action in all versions up to, and including, 2.3.6. This is due to the user-supplied compare value being placed as an SQL operator in the query without validation against an allowlist of comparison operators. The value is passed through esc_sql(), but since the payload operates as an operator (not inside quotes), esc_sql() has no effect on payloads that don't contain quote characters. This makes it possible for authenticated attackers, with Author-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2026-03-21
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Data Exfiltration
Action: Immediate Patch
AI Analysis

Impact

ElementCamp, a WordPress plugin, contains a time‑based SQL injection flaw in the 'meta_query[compare]' parameter used by the 'tcg_select2_search_post' AJAX action. The attacker can supply arbitrary SQL operators, which bypasses the esc_sql() filter because the payload is not quoted. This allows an authenticated user to append additional SQL statements and extract sensitive data from the database.

Affected Systems

All installations of ElementCamp up to and including version 2.3.6 are affected. The vulnerability can be exploited by any user with author‑level or higher access on a WordPress site where the plugin is active.

Risk and Exploitability

The base CVSS score of 6.5 indicates moderate severity. No EPSS score is available and there is no listing in the Known Exploited Vulnerabilities catalog. Because the flaw requires authenticated access, it is most likely to be used in targeted attacks against WordPress sites with the vulnerable plugin. The attack path is straightforward for users who already possess author‑level credentials.

Generated by OpenCVE AI on March 21, 2026 at 07:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ElementCamp to version 2.3.7 or newer.
  • Confirm that the 'meta_query[compare]' parameter is validated against a whitelist of allowed operators.
  • If a patch is not yet available, restrict the 'tcg_select2_search_post' AJAX endpoint to administrators or temporarily disable the plugin until a fix is released.
  • Monitor database activity for unusual query patterns that may indicate exploitation.

Generated by OpenCVE AI on March 21, 2026 at 07:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpdive
Wpdive elementcamp
Vendors & Products Wordpress
Wordpress wordpress
Wpdive
Wpdive elementcamp

Sat, 21 Mar 2026 05:30:00 +0000

Type Values Removed Values Added
Description The ElementCamp plugin for WordPress is vulnerable to time-based SQL Injection via the 'meta_query[compare]' parameter in the 'tcg_select2_search_post' AJAX action in all versions up to, and including, 2.3.6. This is due to the user-supplied compare value being placed as an SQL operator in the query without validation against an allowlist of comparison operators. The value is passed through esc_sql(), but since the payload operates as an operator (not inside quotes), esc_sql() has no effect on payloads that don't contain quote characters. This makes it possible for authenticated attackers, with Author-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Title ElementCamp <= 2.3.6 - Authenticated (Author+) SQL Injection via 'meta_query[compare]' Parameter
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Wordpress Wordpress
Wpdive Elementcamp
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:24:42.209Z

Reserved: 2026-02-13T22:07:38.202Z

Link: CVE-2026-2503

cve-icon Vulnrichment

Updated: 2026-03-23T15:07:29.826Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-21T04:17:09.407

Modified: 2026-03-23T14:32:02.800

Link: CVE-2026-2503

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:41:38Z

Weaknesses