CVE-2026-40745 Overview
CVE-2026-40745 is a Blind SQL Injection vulnerability in the bdthemes Element Pack Elementor Addons plugin for WordPress. The flaw stems from improper neutralization of special elements used in SQL commands [CWE-89]. It affects all versions of the bdthemes-element-pack-lite plugin up to and including 8.4.2. An authenticated attacker with high privileges can inject SQL statements over the network and infer database contents through blind techniques. The vulnerability carries a CVSS 3.1 score of 7.6 and impacts confidentiality with a scope change, exposing data beyond the plugin's security boundary.
Critical Impact
Authenticated attackers can extract sensitive WordPress database contents — including user credentials, session tokens, and configuration secrets — via blind SQL injection.
Affected Products
- bdthemes Element Pack Elementor Addons (bdthemes-element-pack-lite)
- Versions from n/a through 8.4.2
- WordPress installations running the vulnerable plugin
Discovery Timeline
- 2026-04-15 - CVE CVE-2026-40745 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-40745
Vulnerability Analysis
The vulnerability is a Blind SQL Injection flaw classified under [CWE-89], Improper Neutralization of Special Elements used in an SQL Command. The plugin accepts user-controlled input and incorporates it into SQL queries without proper sanitization or parameterized binding. Because the application does not return query results directly, attackers must rely on boolean-based or time-based inference techniques to extract data. The scope is marked changed, meaning a successful exploit can affect resources beyond the plugin itself — most notably the underlying WordPress database shared with the host site.
Root Cause
The root cause is missing or incomplete input validation on parameters passed into database queries handled by the plugin. Special characters such as single quotes, comments, and SQL keywords are not escaped or bound through prepared statements. This allows injected SQL fragments to alter query logic at execution time.
Attack Vector
Exploitation requires network access to the WordPress site and an authenticated session with high privileges. The attacker sends crafted HTTP requests containing SQL payloads to plugin endpoints. The server processes these payloads as part of database queries, and the attacker observes response variations or timing differences to extract data one bit at a time. No user interaction is required to trigger the flaw once the malicious request is submitted.
No public proof-of-concept code is available. Refer to the Patchstack WordPress Vulnerability Report for additional technical details.
Detection Methods for CVE-2026-40745
Indicators of Compromise
- HTTP requests to Element Pack plugin endpoints containing SQL metacharacters such as ', --, UNION, SLEEP(, or BENCHMARK(.
- Abnormally long response times on plugin-handled requests, suggesting time-based blind SQLi inference.
- Repeated parameterized requests from the same authenticated session iterating over character ranges or numeric indexes.
- WordPress audit logs showing high-privilege accounts issuing unusual administrative requests at machine-like intervals.
Detection Strategies
- Inspect web server and WordPress logs for query strings or POST bodies containing SQL syntax targeting plugin routes.
- Deploy a Web Application Firewall (WAF) rule set that flags SQL injection patterns directed at /wp-admin/ and Elementor plugin endpoints.
- Correlate authenticated administrator activity with database query volume to identify anomalous query generation.
Monitoring Recommendations
- Enable verbose query logging on the MySQL or MariaDB backend and alert on SLEEP, BENCHMARK, or stacked-query patterns.
- Track plugin version inventory across WordPress fleets and alert on installations running bdthemes-element-pack-lite at version 8.4.2 or earlier.
- Monitor failed and successful authentication events for administrator-level accounts that subsequently issue plugin requests.
How to Mitigate CVE-2026-40745
Immediate Actions Required
- Update the bdthemes-element-pack-lite plugin to a version later than 8.4.2 as soon as a fix is published by the vendor.
- Audit WordPress administrator and editor accounts and revoke unused high-privilege access to reduce the exploitable attack surface.
- Rotate WordPress database credentials, secret keys, and administrator passwords if compromise is suspected.
Patch Information
The vulnerability affects Element Pack Elementor Addons through version 8.4.2. Consult the Patchstack WordPress Vulnerability Report for the latest fixed-version guidance and vendor updates.
Workarounds
- Disable or remove the Element Pack Elementor Addons plugin until a patched release is installed.
- Deploy WAF rules from Patchstack or equivalent vendors that virtually patch SQL injection attempts against the affected plugin endpoints.
- Restrict access to /wp-admin/ using IP allowlists or VPN-only access to limit who can reach the vulnerable endpoints.
# Configuration example: temporarily deactivate the vulnerable plugin via WP-CLI
wp plugin deactivate bdthemes-element-pack-lite
wp plugin status bdthemes-element-pack-lite
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

