Incorrect sanitization of user input within the bdthemes Element Pack Elementor Addons plugin permits an attacker to inject malicious SQL into blind queries. This flaw allows read‑only access to the underlying database, potentially exposing sensitive information such as user credentials or content. The weakness is identified as CWE‑89: Improper Neutralization of Special Elements used in an SQL Command.

WordPress installations that have the bdthemes Element Pack Elementor Addons plugin version 8.4.2 or earlier are affected. The issue persists across all sites that have the vulnerable plugin installed, regardless of theme or additional plugins. All versions from the initial release through 8.4.2 share the same vulnerable code paths.

The EPSS score of <1% (approximately 0.00021) and the fact that it is not listed in the CISA KEV catalog indicate that no publicly documented exploitation has been reported to date. The vulnerability exists in a public endpoint of the plugin, which means an attacker could potentially send crafted HTTP requests to trigger blind SQL queries. However, the exact likelihood of successful exploitation cannot be determined from the available data. Sites that allow unauthenticated access to the plugin’s request handling endpoint may be more susceptible, but the report does not specify any authentication or role-based restrictions that could mitigate the risk. The CVSS score of 7.6 indicates high severity, suggesting that successful exploitation could enable attackers to retrieve sensitive database information.