VYPR
High severity · 7.6 · NVD Advisory · Published Apr 15, 2026 · Updated Apr 22, 2026

CVE-2026-40745

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in bdthemes Element Pack Elementor Addons bdthemes-element-pack-lite allows Blind SQL Injection. This issue affects Element Pack Elementor Addons: from n/a through <= 8.4.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Blind SQL Injection in Element Pack Elementor Addons plugin (≤8.4.2) allows attackers to steal database contents; update to 8.5.0.

Vulnerability

A Blind SQL Injection vulnerability exists in the bdthemes Element Pack Elementor Addons plugin for WordPress (bdthemes-element-pack-lite) through version 8.4.2. The issue stems from improper neutralization of special elements used in SQL commands, allowing an attacker to inject malicious SQL queries without directly seeing the output [1].

Exploitation

Attackers can exploit this vulnerability by sending crafted input to vulnerable parameters, typically via unauthenticated HTTP requests. The lack of proper sanitization enables blind SQL injection techniques, where the attacker infers database information based on response timing or boolean responses. This type of vulnerability is frequently targeted in mass-exploit campaigns, affecting thousands of websites regardless of traffic size [1].

Impact

Successful exploitation permits an attacker to interact directly with the underlying database, potentially extracting sensitive data such as user credentials, personal information, or other stored content. The CVSS score of 7.6 (High) reflects the significant confidentiality impact [1].

Mitigation

The vendor has released version 8.5.0, which addresses the vulnerability. Users are strongly advised to update immediately. If an immediate update is not possible, hosting providers or developers should be consulted to apply temporary measures such as web application firewall rules. Patchstack users can enable auto-updates for vulnerable plugins [1].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

References

1
