CVE-2026-48837 HIGH

CVE-2026-48837: WordPress Unlimited Elements For Elementor plugin <= 2.0.8 - SQL Injection vulnerability

Vendor Unlimited Elements
Product Unlimited Elements For Elementor
Weakness CWE-89 · SQLi
Published May 25, 2026
Last update May 26, 2026

CVSS base score

8.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L

What the vulnerability does

01Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Unlimited Elements For Elementor allows Blind SQL Injection. This issue affects Unlimited Elements For Elementor: from n/a through 2.0.8.

Explanation of Vulnerability in Simple Terms

02Summary

Unlimited Elements For Elementor versions up to 2.0.8 contain a SQL injection vulnerability in a component that requires low-level authentication. An attacker with a user account can craft malicious input to read or modify database contents. The vulnerability affects the entire site scope and may allow unauthorized data access.

What an attacker can do

03Attacker Capabilities

Read or modify database records by injecting SQL commands through the vulnerable component.

Potential impact on your site

04Site Impact

Attackers with user accounts can access sensitive data or alter site content and settings via database manipulation.

Conditions required to exploit

05Prerequisites

Attacker must have a low-privilege user account on the site; no user interaction required.

Key dates

06Disclosure timeline

May 25, 2026 CVE published
May 26, 2026 Record updated