CVE-2026-5486 MEDIUM

CVE-2026-5486: Unlimited Elements For Elementor <= 2.0.7 - Authenticated (Contributor+) SQL Injection via 'filter_search' Parameter

Vendor Unitecms
Product Unlimited Elements For Elementor
Weakness CWE-89 · SQLi
Published May 14, 2026
Last update May 14, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

The Unlimited Elements for Elementor plugin for WordPress is vulnerable to SQL Injection via the 'data[filter_search]' parameter in the get_cat_addons AJAX action in versions up to and including 2.0.7. This is due to insufficient input sanitization and the use of deprecated escaping functions combined with direct string concatenation in SQL query construction. The vulnerability is exacerbated because the normalizeAjaxInputData() function calls stripslashes() on all user input, removing the protection provided by WordPress's wp_magic_quotes() function. Subsequently, the filter_search parameter is escaped using the deprecated wpdb->_escape() function and then directly concatenated into a LIKE clause without using prepared statements. This makes it possible for authenticated attackers, with Contributor-level access and above (who can obtain a valid nonce through the Elementor editor), to inject arbitrary SQL commands and extract sensitive information from the database.

Explanation of Vulnerability in Simple Terms

02Summary

Unlimited Elements For Elementor versions 2.0.7 and earlier contain a SQL injection vulnerability accessible to authenticated users. An attacker with low-level site access can craft malicious input to read sensitive data from the site database. The vulnerability requires valid user credentials but no additional user interaction.

What an attacker can do

03Attacker Capabilities

Read sensitive data from the site database using SQL injection.

Potential impact on your site

04Site Impact

Unauthorized database access and exposure of sensitive site data to authenticated attackers.

Conditions required to exploit

05Prerequisites

Attacker must have a low-privilege user account on the site.

Key dates

06Disclosure timeline

May 14, 2026 CVE published
May 14, 2026 Record updated