Time-Based SQL Injection Vulnerability in Unlimited Elements For Elementor
CVE-2024-3055

8.8HIGH

Key Information:

Vendor: Wordpress
Status: Unlimited Elements For Elementor (free Widgets, Addons, Templates)
Vendor: CVE Published:; 14 May 2024

Summary

The Unlimited Elements For Elementor plugin for WordPress is susceptible to time-based SQL Injection through the ‘id’ parameter across all releases up to and including version 1.5.102. This vulnerability arises from inadequate escaping of the user-supplied parameter alongside ineffective preparation of SQL queries. As a result, authenticated attackers with contributor access or higher can inject additional SQL commands into existing queries. This exploitation may permit attackers to retrieve sensitive data from the database, posing significant risks to the integrity and confidentiality of user information.

Affected Version(s)

Unlimited Elements For Elementor (Free Widgets, Addons, Templates) * <= 1.5.102

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/unlimited-elem...

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 14, 2024
Vulnerability Reserved
Mar 28, 2024

Credit

wesley