CVE-2026-45214

Xpro · Xpro Addons — 140+ Widgets for Elementor

A Blind SQL Injection vulnerability in the Xpro Addons plugin for WordPress allows authenticated attackers to manipulate database queries.

Executive summary

A Blind SQL Injection vulnerability in Xpro Addons for Elementor allows authenticated attackers to potentially extract sensitive information from the underlying WordPress database.

Vulnerability

This vulnerability is a SQL Injection (CWE-89) flaw originating from improper input sanitization. Per the CVSS vector (PR:L), this attack requires an authenticated user with at least low-level privileges to successfully trigger the injection.

Business impact

Successful exploitation of this vulnerability could lead to the unauthorized disclosure of sensitive data stored within the WordPress database, including user credentials or configuration details. While the base CVSS score is 8.5, the requirement for authenticated access slightly lowers the immediate risk to unauthenticated external threats. However, if an attacker compromises a low-privileged account, they could leverage this flaw to escalate their impact significantly.

Remediation

Immediate Action: Update the Xpro Addons plugin to version 1.5.2 or later immediately to incorporate the vendor's security patch.

Proactive Monitoring: Monitor database query logs for anomalous, high-frequency, or suspicious SQL syntax patterns that may indicate automated injection attempts.

Compensating Controls: Ensure a Web Application Firewall (WAF) is configured with updated rulesets to detect and block common SQL injection payloads targeting WordPress plugins.

Exploitation status

Public Exploit Available: No (Exploit_available: false)

Analyst recommendation

Given the potential for data exfiltration, organizations utilizing this plugin must prioritize the update to version 1.5.2. Failure to patch may allow authenticated users to perform unauthorized database operations, placing the confidentiality and integrity of the application environment at risk.