PatchSiren

CVE-2026-5486 Plugins CVE debrief

Unlimited Elements for Elementor for WordPress contains an authenticated SQL injection vulnerability affecting versions up to and including 2.0.7. An attacker with Contributor-level access or higher can abuse the get_cat_addons AJAX action to read sensitive information from the database, particularly when they can also obtain a valid Elementor nonce from the editor workflow.

Vendor: Plugins
Product: Unknown
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-14
Original CVE updated: 2026-05-14
Advisory published: 2026-05-14
Advisory updated: 2026-05-14

Who should care

WordPress administrators, managed-hosting teams, and security owners running Unlimited Elements for Elementor version 2.0.7 or earlier, particularly sites that allow Contributor-level users or other non-admin content creators to access Elementor editor workflows.

Technical summary

The corpus attributes the flaw to the get_cat_addons AJAX action's handling of data[filter_search]. According to the advisory, normalizeAjaxInputData() calls stripslashes() on the incoming data, undoing the slashes that WordPress's wp_magic_quotes() adds to request parameters. The filter_search value is then run through wpdb->_escape(), which the advisory describes as deprecated, and concatenated directly into a LIKE clause rather than being bound through wpdb->prepare(). That combination is what the advisory says enables SQL injection from an authenticated request. For reviewers checking similar code: character escaping alone does not neutralise LIKE wildcards (% and _), which is what wpdb->esc_like() exists for, and only a prepared statement keeps the search term out of the query text entirely.

Defensive priority

Medium priority, with higher urgency on sites that expose Contributor-level or editor-level access to untrusted users and that store sensitive data in WordPress databases.

Recommended defensive actions

  • Confirm whether Unlimited Elements for Elementor is installed and treat version 2.0.7 and earlier as affected.
  • Apply the vendor update or replacement as soon as a fixed release is available; monitor the plugin advisory and WordPress plugin changelogs.
  • Restrict Contributor-level and Elementor editor access to trusted users only, and remove unnecessary accounts.
  • Audit web and application logs for suspicious requests to the get_cat_addons AJAX action and for unusual database errors or responses. Note that WordPress AJAX actions are commonly sent as POST bodies to admin-ajax.php, so standard access logs may show only the endpoint; parameter-level review needs a WAF, plugin, or application log that records the request body or query string.
  • If the plugin is not required, disable or remove it to reduce exposure; keep WordPress core and all plugins current.
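The two checks from the list above, affected-version triage and a first-pass log scan, as an added shell example (not part of the advisory or the plugin). It assumes the WP-CLI plugin slug is unlimited-elements-for-elementor, that requests reach admin-ajax.php with action=get_cat_addons, and that the log being scanned records the query string (or a logged request body) in the request field; the sample log lines are constructed for the example.

```shell
#!/bin/sh
# Added example for triaging the Unlimited Elements for Elementor SQL injection
# (versions <= 2.0.7). Not the advisory's or the plugin's own code.
# Assumptions (not stated on the page): WP-CLI slug is
# "unlimited-elements-for-elementor"; the AJAX action is reached through
# admin-ajax.php as action=get_cat_addons; the log line contains the
# parameters. Requires GNU sort for -V.

AFFECTED_MAX="2.0.7"

# Return 0 when version $1 is <= 2.0.7 (affected), 1 otherwise.
ue_is_affected() {
  v="$1"
  # sort -V orders versions numerically; if the installed version sorts at or
  # before AFFECTED_MAX it falls inside the affected range.
  first=$(printf '%s\n%s\n' "$v" "$AFFECTED_MAX" | sort -V | head -n 1)
  [ "$first" = "$v" ]
}

# Query the installed version with WP-CLI (assumed slug) and report.
# Skips silently if WP-CLI is not available or the plugin is not installed.
ue_check_installed() {
  command -v wp >/dev/null 2>&1 || return 0
  ver=$(wp plugin get unlimited-elements-for-elementor --field=version 2>/dev/null) || return 0
  if ue_is_affected "$ver"; then
    echo "Unlimited Elements $ver installed: AFFECTED (<= $AFFECTED_MAX)"
  else
    echo "Unlimited Elements $ver installed: outside the affected range"
  fi
}

# Filter log lines on stdin: keep requests to admin-ajax.php that invoke
# get_cat_addons and whose filter_search value carries a quote character
# (raw or URL-encoded) or a space-delimited SQL keyword.
ue_scan_log() {
  grep -i 'admin-ajax\.php' \
  | grep -i 'action=get_cat_addons' \
  | grep -iE "filter_search[^&[:space:]]*(%27|'|%22|\"|%20(or|and|union|select)%20)"
}

# Constructed sample log (Combined Log Format style), not real traffic.
SAMPLE_LOG='203.0.113.5 - - [14/May/2026:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=get_cat_addons&data%5Bfilter_search%5D=slider HTTP/1.1" 200 512
203.0.113.7 - - [14/May/2026:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=get_cat_addons&data%5Bfilter_search%5D=x%27%20OR%201%3D1%20--%20 HTTP/1.1" 200 9041
203.0.113.9 - - [14/May/2026:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 88'

# Stand-alone demo: version triage on a few values, then scan the sample log.
for ver in 2.0.7 2.0.8 1.9.0; do
  if ue_is_affected "$ver"; then echo "$ver: affected"; else echo "$ver: not affected"; fi
done
ue_check_installed
printf '%s\n' "$SAMPLE_LOG" | ue_scan_log
```

Run `ue_scan_log < /var/log/nginx/access.log` against a real log; a hit only means the parameter carried injection-like content, so pair it with the response size and the requesting user (WordPress session logs or a WAF) before treating it as confirmed exploitation.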

Evidence notes

The supplied advisory text states the issue affects versions up to and including 2.0.7 and identifies the vulnerable path as data[filter_search] in the get_cat_addons AJAX action. The referenced source locations include unitecreator_actions.class.php, unitecreator_addons.class.php, provider_functions.class.php, and provider_db.class.php, along with a Wordfence write-up and the GitHub advisory record. The source item is marked advisoryType: unreviewed in the corpus, and no fixed version is provided there.

Official resources

The CVE and the source advisory are both dated 2026-05-14 in the supplied corpus, with the GitHub advisory published at 06:31:32Z and the NVD listing at 04:17:03Z the same day. The advisory is marked unreviewed in the corpus, and no KEV listing is set.