The Plus Addons for Elementor Pro < 5.0.7 - Unauthenticated SQL Injection
CVE-2021-24949

9.8CRITICAL

Key Information:

Vendor: Wordpress
Status: The Plus Addons For Elementor - Pro
Vendor: CVE Published:; 10 January 2022

Summary

The "WP Search Filters" widget of The Plus Addons for Elementor - Pro WordPress plugin before 5.0.7 does not sanitise and escape the option parameter before using it in a SQL statement, which could lead to SQL injection

Affected Version(s)

The Plus Addons for Elementor - Pro 5.0.4 < 5.0.4*

The Plus Addons for Elementor - Pro 5.0.7

References

https://roadmap.theplusaddons.com/updates

x_refsource_MISC

https://wpscan.com/vulnerability/9d7f8ba8-a5d5-4ec3-a48f-...

x_refsource_MISC

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 10, 2022
Vulnerability Reserved
Jan 14, 2021

Credit

Nicolas Vidal from TEHTRIS