{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2503", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-13T22:07:38.202Z", "datePublished": "2026-03-21T03:27:04.700Z", "dateUpdated": "2026-04-08T17:24:42.209Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:24:42.209Z"}, "affected": [{"vendor": "wpdive", "product": "ElementCamp", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.3.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The ElementCamp plugin for WordPress is vulnerable to time-based SQL Injection via the 'meta_query[compare]' parameter in the 'tcg_select2_search_post' AJAX action in all versions up to, and including, 2.3.6. This is due to the user-supplied compare value being placed as an SQL operator in the query without validation against an allowlist of comparison operators. The value is passed through esc_sql(), but since the payload operates as an operator (not inside quotes), esc_sql() has no effect on payloads that don't contain quote characters. This makes it possible for authenticated attackers, with Author-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."}], "title": "ElementCamp <= 2.3.6 - Authenticated (Author+) SQL Injection via 'meta_query[compare]' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cfb09dcd-f8ec-4b0a-ae77-4b4b7b54c93b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/element-camp/tags/2.3.6/elementor/extender/tcg-select2.php#L65"}, {"url": "https://plugins.trac.wordpress.org/browser/element-camp/tags/2.3.6/elementor/extender/tcg-select2.php#L83"}, {"url": "https://plugins.trac.wordpress.org/browser/element-camp/trunk/elementor/extender/tcg-select2.php#L65"}, {"url": "https://plugins.trac.wordpress.org/browser/element-camp/trunk/elementor/extender/tcg-select2.php#L83"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "cweId": "CWE-89", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Itthidej Aramsri"}], "timeline": [{"time": "2026-03-20T15:15:19.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T15:07:28.499190Z", "id": "CVE-2026-2503", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T15:53:58.491Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2503", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-23T15:07:28.499190Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T15:07:29.826Z"}}], "cna": {"title": "ElementCamp <= 2.3.6 - Authenticated (Author+) SQL Injection via 'meta_query[compare]' Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Itthidej Aramsri"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}}], "affected": [{"vendor": "wpdive", "product": "ElementCamp", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.3.6"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-20T15:15:19.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cfb09dcd-f8ec-4b0a-ae77-4b4b7b54c93b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/element-camp/tags/2.3.6/elementor/extender/tcg-select2.php#L65"}, {"url": "https://plugins.trac.wordpress.org/browser/element-camp/tags/2.3.6/elementor/extender/tcg-select2.php#L83"}, {"url": "https://plugins.trac.wordpress.org/browser/element-camp/trunk/elementor/extender/tcg-select2.php#L65"}, {"url": "https://plugins.trac.wordpress.org/browser/element-camp/trunk/elementor/extender/tcg-select2.php#L83"}], "descriptions": [{"lang": "en", "value": "The ElementCamp plugin for WordPress is vulnerable to time-based SQL Injection via the 'meta_query[compare]' parameter in the 'tcg_select2_search_post' AJAX action in all versions up to, and including, 2.3.6. This is due to the user-supplied compare value being placed as an SQL operator in the query without validation against an allowlist of comparison operators. The value is passed through esc_sql(), but since the payload operates as an operator (not inside quotes), esc_sql() has no effect on payloads that don't contain quote characters. This makes it possible for authenticated attackers, with Author-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:24:42.209Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2503", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:24:42.209Z", "dateReserved": "2026-02-13T22:07:38.202Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-21T03:27:04.700Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The ElementCamp plugin for WordPress is vulnerable to time-based SQL Injection via the 'meta_query[compare]' parameter in the 'tcg_select2_search_post' AJAX action in all versions up to, and including, 2.3.6. This is due to the user-supplied compare value being placed as an SQL operator in the query without validation against an allowlist of comparison operators. The value is passed through esc_sql(), but since the payload operates as an operator (not inside quotes), esc_sql() has no effect on payloads that don't contain quote characters. This makes it possible for authenticated attackers, with Author-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."}, {"lang": "es", "value": "El plugin ElementCamp para WordPress es vulnerable a inyecci\u00f3n SQL basada en tiempo a trav\u00e9s del par\u00e1metro 'meta_query[compare]' en la acci\u00f3n AJAX 'tcg_select2_search_post' en todas las versiones hasta la 2.3.6, inclusive. Esto se debe a que el valor de comparaci\u00f3n proporcionado por el usuario se coloca como un operador SQL en la consulta sin validaci\u00f3n contra una lista de permitidos de operadores de comparaci\u00f3n. El valor se pasa a trav\u00e9s de esc_sql(), pero dado que la carga \u00fatil opera como un operador (no dentro de comillas simples), esc_sql() no tiene efecto en cargas \u00fatiles que no contienen caracteres de comillas simples. Esto hace posible que atacantes autenticados, con acceso de nivel de Autor y superior, a\u00f1adan consultas SQL adicionales a consultas ya existentes que pueden usarse para extraer informaci\u00f3n sensible de la base de datos."}], "id": "CVE-2026-2503", "lastModified": "2026-04-24T16:27:44.277", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-21T04:17:09.407", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/element-camp/tags/2.3.6/elementor/extender/tcg-select2.php#L65"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/element-camp/tags/2.3.6/elementor/extender/tcg-select2.php#L83"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/element-camp/trunk/elementor/extender/tcg-select2.php#L65"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/element-camp/trunk/elementor/extender/tcg-select2.php#L83"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cfb09dcd-f8ec-4b0a-ae77-4b4b7b54c93b?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.3.6]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "ElementCamp", "source": "cna", "vendor": "wpdive"}, "product": "elementcamp", "vendor": "wpdive"}], "analysis": {"en": {"generated_at": "2026-03-21T07:12:13.598905+00:00", "value": {"mitigation_remediation": ["Upgrade ElementCamp to version 2.3.7 or newer.", "Confirm that the 'meta_query[compare]' parameter is validated against a whitelist of allowed operators.", "If a patch is not yet available, restrict the 'tcg_select2_search_post' AJAX endpoint to administrators or temporarily disable the plugin until a fix is released.", "Monitor database activity for unusual query patterns that may indicate exploitation."], "summary": {"action": "Immediate Patch", "impact": "Data Exfiltration"}, "threat_synthesis": {"affected_systems": "All installations of ElementCamp up to and including version 2.3.6 are affected. The vulnerability can be exploited by any user with author\u2011level or higher access on a WordPress site where the plugin is active.", "description_and_impact": "ElementCamp, a WordPress plugin, contains a time\u2011based SQL injection flaw in the 'meta_query[compare]' parameter used by the 'tcg_select2_search_post' AJAX action. The attacker can supply arbitrary SQL operators, which bypasses the esc_sql() filter because the payload is not quoted. This allows an authenticated user to append additional SQL statements and extract sensitive data from the database.", "risk_and_exploitability": "The base CVSS score of 6.5 indicates moderate severity. No EPSS score is available and there is no listing in the Known Exploited Vulnerabilities catalog. Because the flaw requires authenticated access, it is most likely to be used in targeted attacks against WordPress sites with the vulnerable plugin. The attack path is straightforward for users who already possess author\u2011level credentials."}}}}, "created": "2026-03-23T09:49:58.541287+00:00", "updated": "2026-03-25T14:41:38.526848+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpdive", "wpdive$PRODUCT$elementcamp"]}