PT-2026-26841 · WordPress · Elementcamp
Itthidej Aramsri · Published 2026-03-21 · Updated 2026-03-21 · CVE-2026-2503
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
ElementCamp plugin for WordPress versions prior to 2.3.7
Description
The ElementCamp plugin for WordPress is susceptible to time-based SQL injection. User-provided data from the meta_query[compare] parameter of the 'tcg_select2_search_post' AJAX action is incorporated into SQL queries without proper validation. The esc_sql() function does not effectively sanitize the input when it is used as an SQL operator, because the value is placed in the query outside any quoted string, so attackers can inject additional SQL. Authenticated attackers with Author-level access or higher could use this to extract sensitive information from the database.
Recommendations
Update the ElementCamp plugin to version 2.3.7 or later.
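The weakness described above, escaping a value that ends up in operator position, shown next to an allowlist check. This is an added example, not ElementCamp's code or its patch: every function name is hypothetical, addslashes() stands in for esc_sql(), and the sample input is constructed.

```php
<?php
// Added illustration; not ElementCamp's code. All function names are hypothetical.

// Stand-in for esc_sql() (assumption): escapes characters that could
// terminate a quoted string literal, and nothing else.
function escape_for_string_literal(string $value): string
{
    return addslashes($value);
}

// Weak pattern: the operator is escaped, then placed OUTSIDE any quotes,
// where escaping gives no protection.
function build_clause_weak(string $compare, string $value): string
{
    return "meta_value " . escape_for_string_literal($compare)
         . " '" . escape_for_string_literal($value) . "'";
}

// Operators this example accepts (a subset of those WP_Meta_Query documents).
const ALLOWED_COMPARE = ['=', '!=', '>', '>=', '<', '<=', 'LIKE', 'NOT LIKE'];

// Hardened pattern: the request only selects an entry from the allowlist;
// the text written into the SQL is the allowlist's own constant.
function build_clause_hardened(string $compare, string $value): string
{
    $index = array_search(strtoupper(trim($compare)), ALLOWED_COMPARE, true);
    if ($index === false) {
        throw new InvalidArgumentException('Unsupported compare operator');
    }
    return "meta_value " . ALLOWED_COMPARE[$index]
         . " '" . escape_for_string_literal($value) . "'";
}

// Constructed sample input: it contains no quotes, so escaping leaves it as is.
$constructed = '= meta_value OR meta_value !=';
var_dump(escape_for_string_literal($constructed) === $constructed);
echo build_clause_weak($constructed, 'x'), PHP_EOL;   // predicate logic changed
echo build_clause_hardened('like', 'x'), PHP_EOL;     // normalised to LIKE
try {
    build_clause_hardened($constructed, 'x');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```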
Fix
SQL injection
Affected Products
Elementcamp