What the vulnerability does
01 Description
The ElementCamp plugin for WordPress is vulnerable to time-based SQL Injection via the 'meta_query[compare]' parameter in the 'tcg_select2_search_post' AJAX action in all versions up to, and including, 2.3.6. This is due to the user-supplied compare value being placed as an SQL operator in the query without validation against an allowlist of comparison operators. The value is passed through esc_sql(), but since the payload operates as an operator (not inside quotes), esc_sql() has no effect on payloads that don't contain quote characters. This makes it possible for authenticated attackers, with Author-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
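The operator-position problem described above, shown beside an allowlist fix, as an added PHP example that is not the plugin's own code. The function names, the allowlist contents, the sample inputs and the esc_sql() stand-in (addslashes, so the file runs outside WordPress) are assumptions.

```php
<?php
// Added example: hypothetical code, not taken from the ElementCamp plugin.

// Stand-in for WordPress's esc_sql() so this file runs outside WordPress.
// Like the real function, it only escapes characters that matter inside
// a quoted SQL string (quotes, backslashes, NUL).
if (!function_exists('esc_sql')) {
    function esc_sql($value) {
        return addslashes($value);
    }
}

// Before: the compare value is escaped, but it is placed where SQL expects
// an operator, outside any quotes, so a quote-free value passes unchanged.
function build_clause_unsafe($compare, $value) {
    return "meta_value " . esc_sql($compare) . " '" . esc_sql($value) . "'";
}

// After: the operator must exactly match an allowlist entry.
// Anything else (including non-string input) falls back to '='.
function normalize_compare($compare) {
    $allowed = array('=', '!=', '>', '>=', '<', '<=', 'LIKE', 'NOT LIKE');
    $candidate = is_string($compare) ? strtoupper(trim($compare)) : '';
    return in_array($candidate, $allowed, true) ? $candidate : '=';
}

function build_clause_safe($compare, $value) {
    return "meta_value " . normalize_compare($compare) . " '" . esc_sql($value) . "'";
}

// Constructed inputs: two legitimate operators and one quote-free string
// that is not an operator at all.
$inputs = array('like', '>=', '= 0 OR 1 = 1 OR meta_value =');

foreach ($inputs as $compare) {
    printf(
        "input:  %s\nunsafe: %s\nsafe:   %s\n\n",
        $compare,
        build_clause_unsafe($compare, 'x'),
        build_clause_safe($compare, 'x')
    );
}
```

For the third input the unsafe clause contains the whole string verbatim, while the safe clause is `meta_value = 'x'`.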
Explanation of Vulnerability in Simple Terms
02 Summary
ElementCamp versions 2.3.6 and earlier contain a SQL injection vulnerability: a database query uses user input as an SQL operator without validating it. An authenticated user can craft a malicious request to extract sensitive data from the site's database, including user credentials and private content. Exploiting the vulnerability requires valid login credentials.
What an attacker can do
03 Attacker Capabilities
Read sensitive data from the site database, including user credentials and private information.
Potential impact on your site
04 Site Impact
User data, passwords, and private content may be exposed to authenticated users with Author-level access or above, compromising site security and user privacy.
Conditions required to exploit
05 Prerequisites
The attacker must have a valid user account on the site with at least Author-level privileges.
Key dates
06 Disclosure timeline
March 21, 2026: CVE published
April 8, 2026: Record updated