Attack Vectors
Product: ElementCamp (slug: element-camp)
Severity: Medium (CVSS 6.5 – CVE-2026-2503)
This issue affects the ElementCamp WordPress plugin in versions up to and including 2.3.6. The vulnerability is an authenticated (Author+) SQL injection that can be triggered through the tcg_select2_search_post AJAX action using the meta_query[compare] parameter.
From a business-risk perspective, the key point is that an attacker needs a valid login with at least Author permissions (not necessarily an admin). That makes this particularly relevant for organizations with many content users, external contributors, agencies, or shared accounts.
Security Weakness
ElementCamp is vulnerable to time-based SQL injection because a user-supplied value (meta_query[compare]) is inserted into a database query as the comparison operator itself, without first being checked against an allowlist of acceptable operators. The value is passed through esc_sql(), but that function only escapes quotes and backslashes so that a value can sit safely inside a quoted string literal. An operator is SQL syntax outside any quotes, so a payload that contains no quote characters passes through esc_sql() unchanged and is executed as part of the query.
In practical terms, crafted requests can change how the WHERE clause is evaluated. With a time-based technique the attacker never sees query results in the response; instead each request answers one true/false question by whether the database delays, so data is extracted slowly but silently, with nothing unusual visible in page output.
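To make the weakness concrete, here is an added example written for this page (it is not the plugin's code) that models the pattern in Python against an in-memory SQLite table: an esc_sql()-style escaper, a query builder that interpolates the user-supplied compare operator after escaping it, and a hardened builder that validates the operator against an allowlist modelled on the operators WP_Meta_Query accepts. The table, rows and payload are constructed for the demonstration; SQLite has no SLEEP(), so the example shows the operator position being hijacked to disclose every row rather than a timing delay.

```python
import sqlite3

# Comparison operators WP_Meta_Query accepts for 'compare'; used here as the allowlist.
ALLOWED_COMPARE = {
    "=", "!=", ">", ">=", "<", "<=", "LIKE", "NOT LIKE", "IN", "NOT IN",
    "BETWEEN", "NOT BETWEEN", "EXISTS", "NOT EXISTS", "REGEXP", "NOT REGEXP", "RLIKE",
}


def esc_sql_like(value: str) -> str:
    """Rough stand-in for WordPress esc_sql(): escapes backslashes and quotes only.
    A value that contains none of those is returned unchanged."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def validate_compare(compare: str) -> str:
    """Hardened handling: normalise and reject anything outside the allowlist."""
    op = compare.strip().upper()
    if op not in ALLOWED_COMPARE:
        raise ValueError(f"unsupported meta_query compare operator: {compare!r}")
    return op


def vulnerable_query(compare: str) -> str:
    # The operator is escaped but not validated. It lands in the query as bare SQL
    # syntax, so quote-escaping cannot contain it. (Hypothetical table/columns.)
    return f"SELECT id FROM postmeta WHERE meta_key = ? AND meta_value {esc_sql_like(compare)} ?"


def hardened_query(compare: str) -> str:
    return f"SELECT id FROM postmeta WHERE meta_key = ? AND meta_value {validate_compare(compare)} ?"


def setup_db() -> sqlite3.Connection:
    """Constructed sample data: three 'color' rows plus one row the search should never return."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE postmeta (id INTEGER PRIMARY KEY, meta_key TEXT, meta_value TEXT)")
    conn.executemany(
        "INSERT INTO postmeta (meta_key, meta_value) VALUES (?, ?)",
        [("color", "red"), ("color", "blue"), ("color", "green"), ("secret", "s3cr3t")],
    )
    return conn


def run(conn, builder, compare, key="color", value="red"):
    """Bind key/value as parameters (the safe part) and return matching ids."""
    return [row[0] for row in conn.execute(builder(compare), (key, value))]


# Quote-free operator payload: esc_sql() leaves it untouched, and once interpolated the
# WHERE clause becomes "... AND meta_value = meta_value OR 1=1 OR meta_value = ?",
# which matches every row. In MySQL the same position could host a time-delaying
# expression, which is what makes the real issue time-based.
PAYLOAD = "= meta_value OR 1=1 OR meta_value ="


def demo() -> dict:
    conn = setup_db()
    legit = run(conn, vulnerable_query, "=")          # only the matching 'color' row
    injected = run(conn, vulnerable_query, PAYLOAD)   # every row, including 'secret'
    try:
        run(conn, hardened_query, PAYLOAD)
        blocked = False
    except ValueError:
        blocked = True
    return {"legit": legit, "injected": injected, "hardened_blocks_payload": blocked}


if __name__ == "__main__":
    print(demo())
```

The point of the allowlist is that the operator never reaches the query as free text: anything not in the fixed set is rejected before a query string exists, regardless of what characters it contains.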
No known patch is available at the time of writing. Reference: Wordfence vulnerability record. CVE record: CVE-2026-2503.
Technical or Business Impacts
The CVSS vector indicates a high confidentiality impact (C:H). For business leaders, that typically maps to the risk of data exposure—such as extracting information from the WordPress database—without needing to deface the site or take it offline.
Potential outcomes include disclosure of data stored in the database (which may include customer/contact information depending on your stack), increased risk of follow-on attacks using harvested data, and compliance exposure if regulated or personal data is involved.
Given the lack of a published fix, organizations should evaluate mitigations based on risk tolerance. Common risk-reduction steps include: removing or replacing the affected plugin; reducing the number of Author+ accounts and tightening onboarding/offboarding (shared contributor logins are the weak point here); monitoring admin-ajax.php requests for the tcg_select2_search_post action whose meta_query[compare] value is anything other than a standard comparison operator; and using a web application firewall (WAF) that can block such requests. Where business operations require keeping the plugin, apply these compensating controls and heightened monitoring until a patch is available, and treat any alert as a potential data-extraction attempt rather than a misconfiguration.
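As an added illustration of the monitoring step (example code written for this page, not part of any product or the plugin), the following Python scans constructed JSON-lines request records, the shape a WAF or request-logging plugin might produce for admin-ajax.php POST bodies, and raises an alert when the tcg_select2_search_post action carries a meta_query compare value outside the standard operator set. The record format, field names, users, addresses and sample entries are all assumptions.

```python
import json
from typing import Optional

# Operators WP_Meta_Query accepts; anything else in a compare field is suspicious.
ALLOWED_COMPARE = {
    "=", "!=", ">", ">=", "<", "<=", "LIKE", "NOT LIKE", "IN", "NOT IN",
    "BETWEEN", "NOT BETWEEN", "EXISTS", "NOT EXISTS", "REGEXP", "NOT REGEXP", "RLIKE",
}
TARGET_ACTION = "tcg_select2_search_post"  # AJAX action named in the advisory

# Constructed sample records (assumed JSON-lines format with parsed POST parameters).
SAMPLE_LOG = """
{"ts":"2026-03-01T10:00:01Z","user":"editor_a","ip":"203.0.113.5","uri":"/wp-admin/admin-ajax.php","params":{"action":"tcg_select2_search_post","s":"hello","meta_query[compare]":"LIKE"}}
{"ts":"2026-03-01T10:00:07Z","user":"author_b","ip":"203.0.113.9","uri":"/wp-admin/admin-ajax.php","params":{"action":"tcg_select2_search_post","s":"x","meta_query[compare]":"= meta_value OR 1=1 OR meta_value ="}}
{"ts":"2026-03-01T10:00:09Z","user":"author_b","ip":"203.0.113.9","uri":"/wp-admin/admin-ajax.php","params":{"action":"heartbeat"}}
{"ts":"2026-03-01T10:00:12Z","user":"author_b","ip":"203.0.113.9","uri":"/wp-admin/admin-ajax.php","params":{"action":"tcg_select2_search_post","meta_query":{"compare":"not like"}}}
"""


def extract_compare(params: dict) -> list:
    """Collect every meta_query compare value, whether the logger kept the flat PHP
    key (meta_query[compare]) or already parsed it into a nested dict/list of clauses."""
    found = [v for k, v in params.items() if k.startswith("meta_query") and k.endswith("[compare]")]
    mq = params.get("meta_query")
    if isinstance(mq, dict):
        if "compare" in mq:
            found.append(mq["compare"])
        found += [v["compare"] for v in mq.values() if isinstance(v, dict) and "compare" in v]
    elif isinstance(mq, list):
        found += [c["compare"] for c in mq if isinstance(c, dict) and "compare" in c]
    return found


def classify(record: dict) -> Optional[str]:
    """None for unrelated requests, 'ok' for normal use of the action, 'alert' otherwise."""
    params = record.get("params", {})
    if params.get("action") != TARGET_ACTION:
        return None
    bad = [c for c in extract_compare(params) if str(c).strip().upper() not in ALLOWED_COMPARE]
    return "alert" if bad else "ok"


def scan(log_text: str) -> list:
    """Return one alert per record whose compare operator is outside the allowlist."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if classify(rec) == "alert":
            alerts.append({
                "ts": rec.get("ts"),
                "user": rec.get("user"),
                "ip": rec.get("ip"),
                "compare": extract_compare(rec["params"]),
            })
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(a)
```

The same rule expressed in a WAF is a positive check, not a signature: allow the action only when the compare parameter exactly matches one of the listed operators. Because the real exploitation is time-based, pairing this with alerting on slow admin-ajax.php responses from Author-level accounts gives a second, independent signal.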
Similar Attacks
SQL injection is a common web application risk and has affected major platforms in the past. Examples include:
CVE-2022-21661 (WordPress)
CVE-2014-3704 (Drupal “Drupalgeddon” SQL Injection)