What the vulnerability does
01Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Unlimited Elements For Elementor allows Blind SQL Injection.
This issue affects Unlimited Elements For Elementor: from n/a through 2.0.8.
Explanation of Vulnerability in Simple Terms
02Summary
Unlimited Elements For Elementor versions up to 2.0.8 contain a SQL injection vulnerability in a component that requires low-level authentication. An attacker with a user account can craft malicious input to read or modify database contents. The vulnerability affects the entire site scope and may allow unauthorized data access.
What an attacker can do
03Attacker Capabilities
Read or modify database records by injecting SQL commands through the vulnerable component.
Potential impact on your site
04Site Impact
Attackers with user accounts can access sensitive data or alter site content and settings via database manipulation.
Conditions required to exploit
05Prerequisites
Attacker must have a low-privilege user account on the site; no user interaction required.
Key dates
06Disclosure timeline
May 25, 2026
CVE published
May 26, 2026
Record updated