CVE-2024-6166
📋 TL;DR
This vulnerability allows authenticated attackers with Contributor-level access or higher in WordPress to perform time-based SQL injection attacks via the 'addons_order' parameter in the Unlimited Elements For Elementor plugin. Attackers can extract sensitive information from the database by injecting malicious SQL queries. Only WordPress sites using vulnerable versions of this plugin are affected.
💻 Affected Systems
- Unlimited Elements For Elementor (Free Widgets, Addons, Templates) WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including extraction of sensitive user data, admin credentials, and potential privilege escalation leading to full site takeover.
Likely Case
Extraction of sensitive information from the database including user data, plugin settings, and potentially other WordPress table contents accessible via SQL injection.
If Mitigated
Limited impact if proper access controls restrict Contributor-level users from plugin settings, or if web application firewalls block SQL injection attempts.
🎯 Exploit Status
Exploitation requires authenticated access and specific permissions, but SQL injection techniques are well-documented and easily weaponized.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.5.113 and later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3112307/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Unlimited Elements For Elementor'.
4. Click 'Update Now' if available, or manually update to version 1.5.113+.
5. Verify the update completes successfully.
🔧 Temporary Workarounds
Restrict Plugin Settings Access
Remove plugin-setting edit permissions from Contributor-level users and below
Navigate to WordPress Users → Roles → Contributor → Uncheck 'edit_plugins' capability
Temporary Plugin Deactivation
Disable the vulnerable plugin until patched
Navigate to WordPress Plugins → Installed Plugins → Deactivate 'Unlimited Elements For Elementor'
🧯 If You Can't Patch
- Implement strict user role management to prevent Contributor-level users from accessing plugin settings
- Deploy web application firewall with SQL injection protection rules
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Unlimited Elements For Elementor → Version number. If version is 1.5.112 or lower, you are vulnerable.
Check Version:
wp plugin list --name='unlimited-elements-for-elementor' --field=version
Verify Fix Applied:
After updating, verify plugin version shows 1.5.113 or higher in WordPress admin panel.
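The version check above compares against 1.5.113, which is easy to get wrong when versions are compared as plain strings ("1.5.99" sorts after "1.5.113"). The following is an added example, not code from the advisory or the plugin, that does the comparison component by component; the version strings fed to it are constructed, and in practice they would come from the wp-cli command shown under "Check Version".

```python
# Added example (not from the advisory or the plugin): decide whether an
# installed plugin version is below the patched release 1.5.113 named in
# the advisory. Assumes dotted numeric versions such as "1.5.112"; a
# pre-release or build suffix ("-beta", "+1") is stripped before comparing.
import re

PATCHED_VERSION = "1.5.113"  # first fixed release, per the advisory


def parse_version(version: str) -> tuple:
    """Turn '1.5.112' into (1, 5, 112) so each component compares numerically.
    Plain string comparison would wrongly rank '1.5.99' above '1.5.113'."""
    core = re.split(r"[-+]", version.strip(), maxsplit=1)[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(installed: str, patched: str = PATCHED_VERSION) -> bool:
    """True when the installed version is older than the patched one."""
    a, b = parse_version(installed), parse_version(patched)
    # Pad the shorter tuple with zeros so (1, 6) compares as (1, 6, 0).
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


if __name__ == "__main__":
    # Constructed sample versions; the real value comes from:
    #   wp plugin list --name='unlimited-elements-for-elementor' --field=version
    for v in ["1.5.99", "1.5.112", "1.5.113", "1.5.120", "1.6", "1.5.113-beta"]:
        print(f"{v:14} {'VULNERABLE' if is_vulnerable(v) else 'patched'}")
```

Anything that raises `ValueError` (an empty or non-numeric version string) should be treated as "unknown, check manually" rather than as patched.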
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in WordPress debug logs
- Multiple failed authentication attempts followed by successful Contributor-level login
- Unusual database query patterns from WordPress user accounts
Network Indicators:
- HTTP POST requests to /wp-admin/admin-ajax.php with 'addons_order' parameter containing SQL syntax
- Unusual timing delays in plugin-related requests
SIEM Query:
source="wordpress_logs" AND ("addons_order" OR "unlimited-elements") AND ("sleep" OR "benchmark" OR "waitfor delay")
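The SIEM query above keys on the same three signals as the network indicators: the admin-ajax.php endpoint, the 'addons_order' parameter, and time-based SQL keywords, with unusually slow responses as corroboration. The following is an added example, not part of the advisory, that applies those indicators to request records. The JSON-lines format, the field names (ts, user, method, uri, body, duration_ms), the slow-response threshold and the sample records are all constructed for this example; a real reverse-proxy or WAF log would need its own field mapping, and note that a plain web-server access log does not record POST bodies, so the parameter is only visible where request bodies are logged.

```python
# Added example (not from the advisory): flag requests to admin-ajax.php whose
# 'addons_order' parameter contains the time-based SQL keywords named in the
# advisory's SIEM query, and corroborate with response time. Record format,
# field names, threshold and sample data are constructed assumptions.
import json
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/wp-admin/admin-ajax.php"
# Keywords from the advisory's SIEM query; \b keeps "sleepy" from matching.
TIME_BASED_SQL = re.compile(r"\b(sleep|benchmark|waitfor\s+delay)\b", re.IGNORECASE)
SLOW_MS = 4000  # assumed threshold; admin-ajax calls normally finish far faster

# Constructed sample log (JSON lines). "example_action" is a placeholder, not
# a real plugin action name.
SAMPLE_LOG = """\
{"ts":"2024-06-20T10:00:01Z","user":"editor1","method":"POST","uri":"/wp-admin/admin-ajax.php","body":"action=example_action&addons_order=title","duration_ms":120}
{"ts":"2024-06-20T10:00:09Z","user":"contrib7","method":"POST","uri":"/wp-admin/admin-ajax.php","body":"action=example_action&addons_order=title%2Csleep%285%29","duration_ms":5210}
{"ts":"2024-06-20T10:00:12Z","user":"contrib7","method":"GET","uri":"/wp-admin/admin-ajax.php?action=heartbeat","body":"","duration_ms":35}
{"ts":"2024-06-20T10:00:15Z","user":"contrib7","method":"POST","uri":"/wp-admin/admin-ajax.php","body":"action=example_action&addons_order=title%20benchmark","duration_ms":90}
"""


def extract_params(record: dict) -> dict:
    """Merge query-string and form-body parameters (parse_qs URL-decodes them).
    The method is deliberately not restricted to POST: the same parameter is
    just as suspicious if it arrives in a GET query string."""
    params = parse_qs(urlsplit(record.get("uri", "")).query, keep_blank_values=True)
    params.update(parse_qs(record.get("body", ""), keep_blank_values=True))
    return params


def inspect_record(record: dict) -> Optional[dict]:
    """Return a finding when the record matches the advisory's indicators, else None."""
    if urlsplit(record.get("uri", "")).path != TARGET_PATH:
        return None
    values = extract_params(record).get("addons_order", [])
    reasons = []
    if any(TIME_BASED_SQL.search(v) for v in values):
        reasons.append("time-based SQL keyword in addons_order")
    if values and record.get("duration_ms", 0) >= SLOW_MS:
        reasons.append(f"slow response ({record['duration_ms']} ms) on addons_order request")
    if not reasons:
        return None
    return {"ts": record.get("ts"), "user": record.get("user"),
            "addons_order": values, "reasons": reasons}


def scan_log(text: str) -> list:
    """Scan JSON-lines records, skipping blank or malformed lines."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # one bad line should not abort the whole scan
        finding = inspect_record(record)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["user"], f["addons_order"], "; ".join(f["reasons"]))
```

A keyword hit alone is worth a ticket; a keyword hit paired with a multi-second response on an endpoint that normally answers in milliseconds is the combination that distinguishes a probe from a successful time-based injection, which is why the two reasons are reported separately.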
🔗 References
- https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/inc_php/unitecreator_addons.class.php#L79
- https://plugins.trac.wordpress.org/changeset/3112307/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/9826c91c-0f6e-4d3b-bc14-4af6b60ef246?source=cve