CVE-2024-5329: 
WordPress vulnerability analysis and mitigation

CVE-2024-5329 affects the Unlimited Elements For Elementor (Free Widgets, Addons, Templates) WordPress plugin in versions up to and including 1.5.109. The vulnerability was discovered and reported by Wordfence, with the initial disclosure on June 6, 2024 (NVD).

The vulnerability is classified as a blind SQL Injection vulnerability that occurs via the 'data[addonID]' parameter. The issue stems from insufficient escaping of user-supplied parameters and inadequate preparation of existing SQL queries. This vulnerability has been assigned a CVSS v3.1 base score of 8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is categorized under CWE-89: Improper Neutralization of Special Elements used in an SQL Command (NVD).

The vulnerability allows authenticated attackers with Contributor-level access or higher to append additional SQL queries to existing queries. This capability can be exploited to extract sensitive information from the database, potentially compromising the security and confidentiality of the website's data (NVD).

Website administrators should update to version 1.5.110 or later of the Unlimited Elements For Elementor plugin, which contains the security fix. The vulnerability has been patched in the updated version available through the WordPress plugin repository (WordPress).