Blind SQL Injection Vulnerability in Unlimited Elements For Elementor
CVE-2024-5329
Key Information:
- Vendor: WordPress
- CVE Published: 6 June 2024
Summary
The Unlimited Elements for Elementor plugin for WordPress is vulnerable to blind SQL injection through improper handling of the ‘data[addonID]’ parameter. The vulnerability affects all versions up to and including 1.5.109 and can be exploited by authenticated users with Contributor-level access or higher. By exploiting this flaw, attackers can inject additional SQL commands into existing queries, potentially leading to unauthorized access to sensitive data stored in the database. This weakness underscores the need for developers to implement proper input validation and query sanitization to guard against SQL injection.
Affected Version(s)
Unlimited Elements For Elementor (Free Widgets, Addons, Templates) * <= 1.5.109