CVE-2026-5486: SQL Injection in Unlimited Elements for Elementor

Successful exploitation of CVE-2026-5486 could allow an attacker to bypass authentication and gain unauthorized access to the WordPress database. This could lead to the exfiltration of sensitive user data, including usernames, passwords, email addresses, and potentially financial information if the site processes payments. An attacker could also modify or delete data, leading to website defacement or complete data loss. The vulnerability's impact is amplified by the widespread use of WordPress and Elementor, potentially affecting a large number of websites. The combination of insufficient sanitization and deprecated escaping functions makes this a particularly dangerous vulnerability.

1. Reservado2026-04-03
2. Publicada2026-05-13
3. Modificada2026-05-14

The primary mitigation for CVE-2026-5486 is to immediately upgrade the Unlimited Elements for Elementor plugin to version 2.0.8 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious SQL injection attempts targeting the getcataddons AJAX action and the data[filter_search] parameter. Carefully review and sanitize all user inputs within the plugin's code to prevent future vulnerabilities. After upgrading, confirm the vulnerability is resolved by attempting a SQL injection payload via the affected parameter and verifying that it is properly sanitized.