PT-2024-32815 · WordPress · Unlimited Elements For Elementor

Mohamed Awad · Published 2024-05-23 · Updated 2025-01-30 · CVE-2024-4779

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: The Unlimited Elements For Elementor plugin for WordPress, versions up to and including 1.5.107.

Description: The issue allows authenticated attackers with contributor-level access and above to perform SQL injection via the data[post ids][0] parameter, due to insufficient escaping of user-supplied parameters and a lack of sufficient preparation of existing SQL queries. This enables attackers to append additional SQL queries to already existing queries, potentially extracting sensitive information from the database.

Recommendations: For versions up to and including 1.5.107, consider restricting access to the data[post ids][0] parameter until a patch is available. As a temporary workaround, limiting contributor-level access and above may help minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
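To illustrate the root cause named in the description (values concatenated into a query instead of being bound through a prepared statement), the following is an added example and not code from the plugin: a hypothetical WordPress handler that receives an array of post IDs, shown first in the unsafe pattern and then hardened with $wpdb->prepare(). The function names, the query and the posts-table lookup are assumptions for the illustration.

```php
<?php
// Added example, not the plugin's code. Assumes a hypothetical handler that
// receives an array of post IDs from the request (the shape of a parameter
// like data[post ids][0]) and looks up matching rows in the posts table.

// The pattern the advisory warns about: request values are joined straight
// into the SQL text, so anything other than a plain number is parsed as SQL
// rather than treated as data.
function get_posts_unprepared( array $raw_ids ) {
    global $wpdb;
    $in_list = implode( ',', $raw_ids ); // raw, unescaped request data
    return $wpdb->get_results(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE ID IN ({$in_list})"
    );
}

// Hardened form: coerce every element to a non-negative integer, drop the
// ones that do not survive (0 means "not a valid ID"), and bind the rest
// through $wpdb->prepare() with one %d placeholder per value, so the IN
// list is built from placeholders and never from request strings.
function get_posts_prepared( array $raw_ids ) {
    global $wpdb;
    $ids = array_values( array_filter( array_map( 'absint', $raw_ids ) ) );
    if ( empty( $ids ) ) {
        return array();
    }
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE ID IN ({$placeholders})",
        $ids // passed as an array; each element fills one %d
    );
    return $wpdb->get_results( $sql );
}
```

Type coercion plus placeholder binding is the check to look for when reviewing a plugin's query builders: escaping helpers on their own do not protect a numeric IN list, because an unquoted value is not inside a string literal.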

Weakness Enumeration: SQL injection

Related Identifiers: CVE-2024-4779

Affected Products: Unlimited Elements For Elementor