CVE-2026-40745 - Vulnerability Details - OpenCVE

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in bdthemes Element Pack Elementor Addons bdthemes-element-pack-lite allows Blind SQL Injection.This issue affects Element Pack Elementor Addons: from n/a through <= 8.4.2.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00021.

Key SSVC decision points have not yet been added.

Vendors	Products
Bdthemes	Element Pack Elementor Addons
Wordpress	Wordpress

No data.

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Bdthemes	Element Pack Elementor Addons
Wordpress	Wordpress

References

Link	Providers
https://patchstack.com/database/Wordpress/Plugin/bdthemes-element-pack-lite/vulnerability/wordpress-element-pack-elementor-addons-plugin-8-4-2-sql-injection-vulnerability?_s_id=cve

History

Wed, 15 Apr 2026 13:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Bdthemes Bdthemes element Pack Elementor Addons Wordpress Wordpress wordpress
Vendors & Products		Bdthemes Bdthemes element Pack Elementor Addons Wordpress Wordpress wordpress

Wed, 15 Apr 2026 10:45:00 +0000

Type	Values Removed	Values Added
Description		Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in bdthemes Element Pack Elementor Addons bdthemes-element-pack-lite allows Blind SQL Injection.This issue affects Element Pack Elementor Addons: from n/a through <= 8.4.2.
Title		WordPress Element Pack Elementor Addons plugin <= 8.4.2 - SQL Injection vulnerability
Weaknesses		CWE-89
References		https://patchstack.com/database/Wordpress/Plugin/bdthemes-element-pack-lite/vulnerability/wordpress-element-pack-elementor-addons-plugin-8-4-2-sql-injection-vulnerability?_s_id=cve

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2026-04-15T10:21:34.904Z

Updated: 2026-04-15T10:21:34.904Z

Reserved: 2026-04-15T09:19:38.195Z

Link: CVE-2026-40745

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T13:44:58Z

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40745", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-15T09:19:38.195Z", "datePublished": "2026-04-15T10:21:34.904Z", "dateUpdated": "2026-04-15T10:21:34.904Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "bdthemes-element-pack-lite", "product": "Element Pack Elementor Addons", "vendor": "bdthemes", "versions": [{"changes": [{"at": "8.5.0", "status": "unaffected"}], "lessThanOrEqual": "8.4.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "daroo | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-15T12:20:47.541Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in bdthemes Element Pack Elementor Addons bdthemes-element-pack-lite allows Blind SQL Injection.<p>This issue affects Element Pack Elementor Addons: from n/a through <= 8.4.2.</p>"}], "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in bdthemes Element Pack Elementor Addons bdthemes-element-pack-lite allows Blind SQL Injection.This issue affects Element Pack Elementor Addons: from n/a through <= 8.4.2."}], "impacts": [{"capecId": "CAPEC-7", "descriptions": [{"lang": "en", "value": "Blind SQL Injection"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-15T10:21:34.904Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/bdthemes-element-pack-lite/vulnerability/wordpress-element-pack-elementor-addons-plugin-8-4-2-sql-injection-vulnerability?_s_id=cve"}], "title": "WordPress Element Pack Elementor Addons plugin <= 8.4.2 - SQL Injection vulnerability"}}}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,8.4.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Element Pack Elementor Addons", "source": "cna", "vendor": "bdthemes"}, "product": "element_pack_elementor_addons", "vendor": "bdthemes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T11:51:18.637605+00:00", "value": {"mitigation_remediation": ["Upgrade the Element Pack Elementor Addons plugin to the latest release (8.5 or newer) that contains the SQL injection fix.", "Restrict access to the plugin\u2019s form or data submission endpoints to authenticated administrative users only, using HTTP authentication or IP whitelisting where possible.", "Review and rotate database credentials in case they could have been accessed during the vulnerability window to limit potential data exposure.", "Ensure that any custom database interactions in the WordPress site employ prepared statements and parameterized queries to prevent future injection flaws."], "summary": {"action": "Apply Patch", "impact": "Data Retrieval via Blind SQL Injection"}, "threat_synthesis": {"affected_systems": "WordPress installations that have the bdthemes Element Pack Elementor Addons plugin version 8.4.2 or earlier are affected. The issue persists across all sites that have the vulnerable plugin installed, regardless of theme or additional plugins. All versions from the initial release through 8.4.2 share the same vulnerable code paths.", "description_and_impact": "Incorrect sanitization of user input within the bdthemes Element Pack Elementor Addons plugin permits an attacker to inject malicious SQL into blind queries. This flaw allows read\u2011only access to the underlying database, potentially exposing sensitive information such as user credentials or content. The weakness is identified as CWE\u201189: Improper Neutralization of Special Elements used in an SQL Command.", "risk_and_exploitability": "The EPSS score for this vulnerability is not available, and it is not listed in the CISA KEV catalog, indicating that no publicly documented exploitation has been reported to date. The vulnerability exists in a public endpoint of the plugin, which means an attacker could potentially send crafted HTTP requests to trigger blind SQL queries. However, the exact likelihood of successful exploitation cannot be determined from the available data. Sites that allow unauthenticated access to the plugin\u2019s request handling endpoint may be more susceptible, but the report does not specify any authentication or role-based restrictions that could mitigate the risk."}}}}, "created": "2026-04-15T13:38:17.787450+00:00", "updated": "2026-04-15T13:44:58.883740+00:00", "vendors": ["bdthemes", "bdthemes$PRODUCT$element_pack_elementor_addons", "wordpress", "wordpress$PRODUCT$wordpress"]}