Description
The Unlimited Elements for Elementor plugin for WordPress is vulnerable to SQL Injection via the 'data[filter_search]' parameter in the get_cat_addons AJAX action in versions up to and including 2.0.7. This is due to insufficient input sanitization and the use of deprecated escaping functions combined with direct string concatenation in SQL query construction. The vulnerability is exacerbated because the normalizeAjaxInputData() function calls stripslashes() on all user input, removing the protection provided by WordPress's wp_magic_quotes() function. Subsequently, the filter_search parameter is escaped using the deprecated wpdb->_escape() function and then directly concatenated into a LIKE clause without using prepared statements. This makes it possible for authenticated attackers, with Contributor-level access and above (who can obtain a valid nonce through the Elementor editor), to inject arbitrary SQL commands and extract sensitive information from the database.
Published: 2026-05-14
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Unlimited Elements for Elementor plugin, a WordPress add‑on that extends Elementor’s functionality, contains a SQL injection flaw that can be triggered via the 'data[filter_search]' parameter in the get_cat_addons AJAX action. Because the plugin removes WordPress’s magic quotes and then uses deprecated escaping functions, the parameter is concatenated directly into a LIKE clause without proper sanitization, allowing an authenticated attacker with Contributor or higher privileges to inject arbitrary SQL and export sensitive data. This weakness corresponds to CWE‑89.
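As an added illustration (not the plugin's code; function, table and nonce names are hypothetical, and the WordPress `$wpdb` global is assumed), the unsafe pattern the description lays out beside the prepared-statement form a WordPress developer would use instead:

```php
<?php
// Added illustration, not code from Unlimited Elements for Elementor.
// Function, table and nonce names are hypothetical; $wpdb is WordPress's global DB object.

// Unsafe pattern, as the CVE description lays it out:
//   1. stripslashes() undoes wp_magic_quotes(), so the raw user string is back;
//   2. the deprecated wpdb::_escape() is relied on for safety;
//   3. the result is concatenated straight into a LIKE clause.
function hypothetical_search_addons_unsafe( array $data ) {
    global $wpdb;
    $search = stripslashes( $data['filter_search'] ?? '' );
    $search = $wpdb->_escape( $search );                       // deprecated, not a substitute for prepare()
    $sql    = "SELECT id, name FROM {$wpdb->prefix}hypothetical_addons"
            . " WHERE name LIKE '%" . $search . "%'";          // user data becomes part of the SQL text
    return $wpdb->get_results( $sql );
}

// Hardened form: verify the nonce and a capability, escape LIKE wildcards with
// $wpdb->esc_like(), and bind the value through $wpdb->prepare() so that no
// user-controlled characters are ever interpreted as SQL.
function hypothetical_search_addons_safe( array $data ) {
    global $wpdb;
    check_ajax_referer( 'hypothetical_addons_nonce', 'nonce' );  // dies on a missing or bad nonce
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    // wp_unslash() (not stripslashes()) reverses WordPress's own slashing consistently
    $search = sanitize_text_field( wp_unslash( $data['filter_search'] ?? '' ) );
    $like   = '%' . $wpdb->esc_like( $search ) . '%';            // '%' and '_' in input no longer act as wildcards
    $sql    = $wpdb->prepare(
        "SELECT id, name FROM {$wpdb->prefix}hypothetical_addons WHERE name LIKE %s",
        $like
    );
    return $wpdb->get_results( $sql );
}
```

The capability required in the safe variant is an assumption for the example; the point is that a nonce alone proves only that the caller loaded a page that issued it, not that the caller is authorised.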

Affected Systems

Vendor: unitecms; product: Unlimited Elements for Elementor. Versions up to and including 2.0.7 are affected, so WordPress sites running any of these releases are vulnerable.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. EPSS is not available, and the vulnerability is not listed in CISA KEV, suggesting it is not a known actively exploited issue. The likely attack vector is interaction with the Elementor editor’s AJAX endpoint, which an authenticated Contributor or higher user can invoke with a valid nonce. No public exploitation reports exist, but the presence of the injection path means that a determined attacker could compromise the database if privileged access is available.

Generated by OpenCVE AI on May 14, 2026 at 04:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Unlimited Elements for Elementor plugin to the latest official release, ensuring the vendor has applied the fix for this SQL injection vulnerability.
  • If an immediate upgrade is not possible, restrict Contributor and higher roles from accessing the Elementor editor or disable the get_cat_addons AJAX endpoint so the vulnerable 'filter_search' parameter is no longer processed.
  • Deploy an application‑layer firewall rule that blocks suspicious SQL injection payloads on the get_cat_addons AJAX URL and monitor logs for anomalous activity.

Advisories

No advisories yet.

History

Thu, 14 May 2026 11:15:00 +0000
Type: Metrics (ssvc)
Values Removed: none
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 May 2026 05:45:00 +0000
Type: First Time appeared
Values Removed: none
Values Added: Unitecms; Unitecms unlimited Elements For Elementor; Wordpress; Wordpress wordpress
Type: Vendors & Products
Values Removed: none
Values Added: Unitecms; Unitecms unlimited Elements For Elementor; Wordpress; Wordpress wordpress

Thu, 14 May 2026 03:30:00 +0000
Type: Description
Values Removed: none
Values Added: the CVE description as given in the Description section above (initial publication)
Type: Title
Values Removed: none
Values Added: Unlimited Elements For Elementor <= 2.0.7 - Authenticated (Contributor+) SQL Injection via 'filter_search' Parameter
Type: Weaknesses
Values Removed: none
Values Added: CWE-89
Type: References
Values Removed: none
Values Added: none listed
Type: Metrics (cvssV3_1)
Values Removed: none
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-14T10:48:08.982Z

Reserved: 2026-04-03T14:26:50.277Z

Link: CVE-2026-5486

Vulnrichment

Updated: 2026-05-14T10:48:04.319Z

NVD

Status: Deferred

Published: 2026-05-14T04:17:03.773

Modified: 2026-05-14T14:29:01.600

Link: CVE-2026-5486

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T05:30:12Z

Weaknesses