Unlimited Elements for Elementor < 1.5.108 – Contributor+ SQLi | CVE 2024-4779 | Plugin Vulnerabilities

Description

The plugin is vulnerable to SQL Injection via the ‘data[post_ids][0]’ parameter due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Affects Plugins

unlimited-elements-for-elementor

Fixed in 1.5.108

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/b155f8ca-9d09-47d7-a7c2-7744df029c19

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

M.Awad

Verified

No

WPVDB ID

3cc20f53-c14e-408b-b8f9-578e22d90f4e

Timeline

Publicly Published

2024-05-22 (about 1 year ago)

Added

2024-05-23 (about 1 year ago)

Last Updated

2024-05-23 (about 1 year ago)

Other

Published

Title

Published

2024-06-20

Title

Consulting Elementor Widgets < 1.3.1 - Authenticated (Contributor+) SQL Injection

Published

2025-10-28

Title

Thumbnail Slider With Lightbox < 1.0.5 - Authenticated (Admin+) SQL Injection

Published

2025-06-19

Title

AutomatorWP < 5.2.5 - Authenticated (Administrator+) SQL Injection

Published

2015-12-11

Title

Link Log < 2.1 - SQL Injection

Published

2014-08-01

Title

ActiveHelper LiveHelp Server 3.2.2 - server/import/tracker.php Multiple Parameter SQL Injection