Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Xpro Xpro Elementor Addons xpro-elementor-addons allows Blind SQL Injection.This issue affects Xpro Elementor Addons: from n/a through <= 1.5.1.
Published: 2026-05-12
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is an SQL Injection flaw in the Xpro Elementor Addons WordPress plugin, where special characters are improperly neutralized in database queries. A blind SQL Injection allows an attacker to execute arbitrary SQL commands and read sensitive data from the site’s database, potentially exposing user credentials, site content, or administrative information.

Affected Systems

The flaw affects the Xpro Elementor Addons plugin, version 1.5.1 and earlier. No other vendors or products are listed as impacted.

Risk and Exploitability

The CVSS score of 8.5 indicates high severity. No EPSS score is available, so the current exploitation likelihood is unclear, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is remote, via crafted HTTP requests to the vulnerable plugin, and it presumably does not require authentication to use the blind injection channel.

Generated by OpenCVE AI on May 12, 2026 at 12:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Xpro Elementor Addons to version 1.5.2 or later, which patches the SQL Injection flaw.
  • If an upgrade is not possible, remove the plugin entirely from the WordPress installation.
  • Deploy a Web Application Firewall or use query‑safety mechanisms to block suspicious SQL patterns before they reach the database.

Generated by OpenCVE AI on May 12, 2026 at 12:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 12 May 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 12 May 2026 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Xpro
Xpro xpro Elementor Addons
Vendors & Products Wordpress
Wordpress wordpress
Xpro
Xpro xpro Elementor Addons

Tue, 12 May 2026 11:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Xpro Xpro Elementor Addons xpro-elementor-addons allows Blind SQL Injection.This issue affects Xpro Elementor Addons: from n/a through <= 1.5.1.
Title WordPress Xpro Elementor Addons plugin <= 1.5.1 - SQL Injection vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}

Subscriptions

Wordpress Wordpress
Xpro Xpro Elementor Addons
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T21:13:24.367Z

Reserved: 2026-05-11T14:11:52.757Z

Link: CVE-2026-45214

cve-icon Vulnrichment

Updated: 2026-05-12T21:13:19.816Z

cve-icon NVD

Status : Deferred

Published: 2026-05-12T11:16:20.853

Modified: 2026-05-12T14:03:52.757

Link: CVE-2026-45214

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T15:30:18Z

Weaknesses