SQL Injection Vulnerability in Unlimited Elements for Elementor Plugin by WordPress
CVE-2026-5486
Key Information:
- Vendor: WordPress
- CVE Published: 14 May 2026
What is CVE-2026-5486?
The Unlimited Elements for Elementor plugin for WordPress allows authenticated attackers to exploit a SQL injection vulnerability via the 'data[filter_search]' parameter of the get_cat_addons AJAX action. The flaw arises from inadequate input sanitization combined with obsolete escaping functions used together with direct string concatenation in SQL queries. The issue is aggravated by the normalizeAjaxInputData() function, which strips the escape characters from user input and so negates the protection that WordPress ordinarily applies to request data. As a result, attackers with Contributor-level access or higher can execute arbitrary SQL commands, potentially leading to the extraction of sensitive data from the database.
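The following is an added illustration of the escape-then-strip pattern the advisory describes, beside the parameterised form that removes the problem. It is not the plugin's code: the function names (normalize_ajax_input_data, build_filter_query_unsafe, query_addons_safe), the addons table and the sample rows are hypothetical, and PDO with in-memory SQLite stands in for the WordPress database layer so the script runs offline. Ordinary input containing a single quote is enough to show the mechanism: once the escaping is stripped, the quote reaches the SQL parser as syntax, whereas a bound parameter is never interpreted as SQL.

```php
<?php
// Added example, not the plugin's code. All names below are hypothetical.

// Models the behaviour the advisory attributes to normalizeAjaxInputData():
// escape characters added earlier (e.g. by WordPress's magic-quotes handling
// or a slash-based escaping function) are removed again before the query runs.
function normalize_ajax_input_data(string $value): string {
    return stripslashes($value);
}

// Unsafe pattern: slash-based escaping followed by string concatenation.
// The escaping only protects the query as long as it survives to execution.
function build_filter_query_unsafe(string $filter_search): string {
    $escaped = addslashes($filter_search);          // stand-in for a legacy escaping call
    $escaped = normalize_ajax_input_data($escaped); // escaping is stripped again here
    return "SELECT name FROM addons WHERE name LIKE '%" . $escaped . "%'";
}

// Hardened pattern: the value is bound as a parameter, so it can never become
// part of the SQL text regardless of what characters it contains.
function query_addons_safe(PDO $db, string $filter_search): array {
    $stmt = $db->prepare("SELECT name FROM addons WHERE name LIKE :pattern");
    $stmt->execute([':pattern' => '%' . $filter_search . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample data so the script runs offline against in-memory SQLite.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE addons (name TEXT)");
$db->exec("INSERT INTO addons VALUES ('O''Reilly Slider'), ('Counter'), ('Gallery')");

// A single quote in ordinary input is all it takes to expose the defect.
$input = "O'Reilly";

echo "Unsafe query text:\n  " . build_filter_query_unsafe($input) . "\n";
try {
    $db->query(build_filter_query_unsafe($input));
} catch (PDOException $e) {
    // The quote was interpreted as SQL syntax: the statement is malformed.
    echo "  -> database error: user input reached the parser as SQL syntax\n";
}

echo "Parameterised query result:\n";
print_r(query_addons_safe($db, $input)); // the O'Reilly Slider row, no error
```

In a WordPress plugin the equivalent of the hardened function is $wpdb->prepare() with placeholders, using $wpdb->esc_like() on the search term before wrapping it in wildcards so that '%' and '_' in user input are matched literally. Concatenating escaped strings, as in the unsafe function, is fragile even without a stripping step; binding parameters makes the safety independent of what other code does to the value first.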
Affected Version(s)
Unlimited Elements For Elementor: all versions up to and including 2.0.7 (0 <= version <= 2.0.7)