CVE-2026-2503
Severity: Medium
CWE-89 — Weakness Type
Published: Mar 21, 2026  ·  Modified: Mar 23, 2026  ·  Source: NVD
CVSS v3: 6.5
📄 Description (English)

The ElementCamp plugin for WordPress is vulnerable to time-based SQL Injection via the 'meta_query[compare]' parameter in the 'tcg_select2_search_post' AJAX action in all versions up to, and including, 2.3.6. This is due to the user-supplied compare value being placed as an SQL operator in the query without validation against an allowlist of comparison operators. The value is passed through esc_sql(), but since the payload operates as an operator (not inside quotes), esc_sql() has no effect on payloads that don't contain quote characters. This makes it possible for authenticated attackers, with Author-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
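The description above turns on one point: esc_sql() escapes quote characters, so a value placed in operator position (outside any quotes) reaches the query untouched. The following Python model, added here and not taken from the plugin or from WordPress, contrasts that pattern with an allowlist check; the escaping function is a stand-in for esc_sql(), and the operator allowlist is an assumption modelled on what WordPress's own WP_Meta_Query accepts.

```python
import re

# Allowlist of comparison operators for a meta_query "compare" clause.
# Assumption, not the plugin's code: modelled on the operators WordPress's
# WP_Meta_Query accepts. A plugin that assembles its own SQL must check
# the value against a list like this before it reaches operator position;
# escaping alone cannot do that job.
ALLOWED_COMPARE = frozenset({
    "=", "!=", ">", ">=", "<", "<=", "LIKE", "NOT LIKE", "IN", "NOT IN",
    "BETWEEN", "NOT BETWEEN", "EXISTS", "NOT EXISTS", "REGEXP", "NOT REGEXP", "RLIKE",
})

# Constructed query shape for the demonstration (not the plugin's real query).
SQL_TEMPLATE = "SELECT post_id FROM wp_postmeta WHERE meta_key = 'price' AND meta_value {op} 10"


def esc_sql_like(value: str) -> str:
    """Stand-in for esc_sql(): backslash-escape quotes and backslashes.

    This neutralises characters that could break out of a quoted string and
    nothing else, so a quote-free value passes through unchanged.
    """
    return re.sub(r"([\\'\"])", r"\\\1", value)


def is_allowed_compare(compare: str) -> bool:
    """True only when the value is exactly one allowlisted operator."""
    return compare.strip().upper() in ALLOWED_COMPARE


def build_query_vulnerable(compare: str) -> str:
    """The pattern the advisory describes: escaped input used as the SQL operator."""
    return SQL_TEMPLATE.format(op=esc_sql_like(compare))


def build_query_safe(compare: str) -> str:
    """Hardened form: the operator comes from the allowlist or the request is rejected."""
    if not is_allowed_compare(compare):
        raise ValueError(f"rejected compare operator: {compare!r}")
    return SQL_TEMPLATE.format(op=compare.strip().upper())


if __name__ == "__main__":
    # Constructed input: quote-free, so esc_sql()-style escaping leaves it untouched.
    payload = "= 1 OR SLEEP(5)"
    print(build_query_vulnerable(payload))  # SLEEP(5) lands in the query verbatim
    try:
        build_query_safe(payload)
    except ValueError as err:
        print("blocked:", err)
```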

🤖 AI Executive Summary

The ElementCamp WordPress plugin, in versions up to 2.3.6, contains a time-based SQL injection vulnerability in the AJAX 'tcg_select2_search_post' action. Authenticated users with Author-level privileges can exploit the unvalidated 'meta_query[compare]' parameter to extract sensitive database information. No patch is currently available. Because exploitation requires authentication and elevated privileges, immediate risk is reduced, but organizations using this plugin should still treat it as requiring urgent attention.

🤖 AI Intelligence Analysis (analyzed: May 12, 2026 09:53)
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations using ElementCamp plugin for WordPress-based content management systems face moderate risk. Most vulnerable sectors include: (1) Government agencies and municipalities using WordPress for public portals and content management; (2) Healthcare institutions managing patient information portals; (3) Educational institutions (universities, schools) using WordPress for administrative systems; (4) Small-to-medium enterprises and startups using WordPress for business operations. The vulnerability's requirement for Author-level access limits exposure to insider threats and compromised administrative accounts. Organizations under NCA and SAMA oversight managing sensitive data through WordPress installations require immediate assessment.
🏢 Affected Saudi Sectors
Government and Public Administration; Healthcare and Medical Institutions; Education (Universities and Schools); Small and Medium Enterprises; Non-Governmental Organizations; Media and Publishing; Retail and E-commerce
⚖️ Saudi Risk Score (AI): 5.8 / 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Audit all WordPress installations using ElementCamp plugin version 2.3.6 or earlier across your organization
2. Review user access logs for the 'tcg_select2_search_post' AJAX action to identify suspicious activity
3. Restrict Author-level and above user accounts to trusted personnel only
4. Disable the ElementCamp plugin if not actively used

PATCHING GUIDANCE:
1. Contact ElementCamp developers for security updates or timeline
2. Monitor official plugin repository for patch releases
3. Implement version control to track plugin updates

COMPENSATING CONTROLS (until patch available):
1. Implement Web Application Firewall (WAF) rules to block requests containing SQL operators in 'meta_query[compare]' parameter
2. Apply principle of least privilege: audit and reduce Author-level accounts
3. Implement database activity monitoring (DAM) to detect unusual SQL queries
4. Enable WordPress security logging and centralize logs to SIEM
5. Restrict AJAX endpoint access via IP whitelisting if possible

DETECTION RULES:
1. Monitor POST requests to wp-admin/admin-ajax.php with action=tcg_select2_search_post
2. Alert on meta_query[compare] parameters containing SQL operators (=, <>, <, >, <=, >=, LIKE, IN, BETWEEN, EXISTS)
3. Detect time-based SQL injection patterns: SLEEP(), BENCHMARK(), WAITFOR DELAY
4. Monitor database query logs for UNION SELECT, subqueries, or unusual WHERE clauses from WordPress user
5. Track failed database authentication attempts and query timeouts
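Detection rules 1 to 3 above can be run as a single check over request records, provided the logging layer captures admin-ajax.php POST bodies. The Python below is an added example, not part of the advisory or any vendor tooling; it assumes JSON request records of the constructed shape shown, and it tightens rule 2 to "the parameter is not a single allowlisted operator", since legitimate requests also carry an operator such as LIKE.

```python
import json
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs

# Operators a legitimate meta_query compare clause may carry (assumption:
# modelled on WordPress's WP_Meta_Query list). One of these on its own is
# normal traffic; anything else in that parameter is worth an alert.
ALLOWED_COMPARE = frozenset({
    "=", "!=", ">", ">=", "<", "<=", "LIKE", "NOT LIKE", "IN", "NOT IN",
    "BETWEEN", "NOT BETWEEN", "EXISTS", "NOT EXISTS", "REGEXP", "NOT REGEXP", "RLIKE",
})
# Time-based primitives named in detection rule 3.
TIMING_FUNCS = re.compile(r"\b(SLEEP|BENCHMARK)\s*\(|\bWAITFOR\s+DELAY\b", re.IGNORECASE)

# Constructed sample records, not real traffic: one JSON object per request,
# as a WAF or reverse proxy that logs POST bodies might export them.
SAMPLE_RECORDS = [
    '{"ip":"10.0.0.5","path":"/wp-admin/admin-ajax.php","body":"action=tcg_select2_search_post&s=shoes&meta_query%5Bcompare%5D=LIKE"}',
    '{"ip":"10.0.0.9","path":"/wp-admin/admin-ajax.php","body":"action=tcg_select2_search_post&s=x&meta_query%5Bcompare%5D=%3D+1+OR+SLEEP%285%29"}',
    '{"ip":"10.0.0.7","path":"/wp-admin/admin-ajax.php","body":"action=heartbeat&data%5Bwp-auth-check%5D=true"}',
    '{"ip":"10.0.0.3","path":"/wp-admin/admin-ajax.php","body":"action=tcg_select2_search_post&s=x&meta_query%5Bcompare%5D=%3D%3D%3D"}',
]


def classify(record: str) -> Optional[str]:
    """Return an alert reason for one request record, or None when it looks benign."""
    req = json.loads(record)
    if not req.get("path", "").endswith("/wp-admin/admin-ajax.php"):
        return None
    params = parse_qs(req.get("body", ""), keep_blank_values=True)
    if params.get("action") != ["tcg_select2_search_post"]:
        return None  # rule 1: only the affected AJAX action is in scope
    for value in params.get("meta_query[compare]", []):
        if TIMING_FUNCS.search(value):
            return "time-based SQLi primitive in meta_query[compare]"
        if value.strip().upper() not in ALLOWED_COMPARE:
            return "meta_query[compare] is not a single allowlisted operator"
    return None


def scan(records: List[str]) -> List[Tuple[str, str]]:
    """Collect (source ip, reason) for every record that should raise an alert."""
    alerts = []
    for rec in records:
        reason = classify(rec)
        if reason:
            alerts.append((json.loads(rec)["ip"], reason))
    return alerts


if __name__ == "__main__":
    for ip, reason in scan(SAMPLE_RECORDS):
        print(f"ALERT {ip}: {reason}")
```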
🔧 Remediation Steps (Arabic)
IMMEDIATE ACTIONS:
1. Audit all WordPress installations using the ElementCamp plugin version 2.3.6 or earlier across the organization
2. Review user access logs for the 'tcg_select2_search_post' AJAX action to identify suspicious activity
3. Restrict Author-level and above user accounts to trusted staff only
4. Disable the ElementCamp plugin if it is not in active use

PATCHING GUIDANCE:
1. Contact the ElementCamp developers for security updates or a timeline
2. Monitor the official plugin repository for patched releases
3. Implement version control to track plugin updates

COMPENSATING CONTROLS (until a patch is available):
1. Implement Web Application Firewall (WAF) rules to block requests containing SQL operators in the 'meta_query[compare]' parameter
2. Apply the principle of least privilege: audit and reduce Author-level accounts
3. Implement database activity monitoring (DAM) to detect unusual SQL queries
4. Enable WordPress security logging and aggregate logs in a SIEM
5. Restrict access to the AJAX endpoint via IP whitelisting where possible

DETECTION RULES:
1. Monitor POST requests to wp-admin/admin-ajax.php with action=tcg_select2_search_post
2. Alert on meta_query[compare] parameters containing SQL operators (=, <>, <, >, <=, >=, LIKE, IN, BETWEEN, EXISTS)
3. Detect time-based SQL injection patterns: SLEEP(), BENCHMARK(), WAITFOR DELAY
4. Monitor database query logs for UNION SELECT, subqueries, or unusual WHERE clauses from the WordPress user
5. Track failed database authentication attempts and query timeouts
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
5.1.1 - Access Control and Authentication
5.2.1 - User Access Management
5.3.1 - Privileged Access Management
6.1.1 - Data Protection and Encryption
6.2.1 - Database Security
7.1.1 - Security Monitoring and Logging
7.2.1 - Incident Detection and Response
🔵 SAMA CSF
ID.AM-1 - Asset Management
PR.AC-1 - Access Control
PR.DS-1 - Data Security
DE.CM-1 - Detection and Analysis
DE.AE-1 - Anomalies and Events
RS.MI-1 - Incident Mitigation
🟡 ISO 27001:2022
A.5.1.1 - Policies for information security
A.6.1.1 - Information security roles and responsibilities
A.8.1.1 - User endpoint devices
A.9.1.1 - Access control policy
A.9.2.1 - User registration and de-registration
A.9.4.1 - Access rights review
A.12.2.1 - Restrictions on software installation
A.12.6.1 - Management of technical vulnerabilities
A.14.2.1 - Secure development policy
🟣 PCI DSS v4.0.1
1.1 - Firewall configuration standards
2.1 - Default security parameters
6.2 - Security patches and updates
6.5.1 - Injection flaws
7.1 - Limit access to data
10.2 - User access logging
📊 CVSS Score: 6.5 / 10.0 — Medium
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector: N (Network)
Attack Complexity: L (Low)
Privileges Required: L (Low)
User Interaction: N (None)
Scope: U (Unchanged)
Confidentiality: H (High)
Integrity: N (None)
Availability: N (None)
📋 Quick Facts
Severity: Medium
CVSS Score: 6.5
CWE: CWE-89
Exploit: No
Patch: No
Published: 2026-03-21
Source Feed: nvd
🇸🇦 Saudi Risk Score: 5.8 / 10.0 (Priority: HIGH)
🏷️ Tags: CWE-89