Vulnerability Description
An issue was discovered in the Elementor Pro plugin before 2.9.4 for WordPress, as exploited in the wild in May 2020 in conjunction with CVE-2020-13125. An attacker with the Subscriber role can upload arbitrary executable files to achieve remote code execution. NOTE: the free Elementor plugin is unaffected.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Elementor | Elementor Page Builder | < 2.9.4 |
Related Weaknesses (CWE)
References
- https://wpvulndb.com/vulnerabilities/10214Third Party Advisory
- https://www.wordfence.com/blog/2020/05/combined-attack-on-elementor-pro-and-ultiThird Party Advisory
- https://wpvulndb.com/vulnerabilities/10214Third Party Advisory
- https://www.wordfence.com/blog/2020/05/combined-attack-on-elementor-pro-and-ultiThird Party Advisory
FAQ
What is CVE-2020-13126?
CVE-2020-13126 is a vulnerability with a CVSS score of 9.9 (CRITICAL). An issue was discovered in the Elementor Pro plugin before 2.9.4 for WordPress, as exploited in the wild in May 2020 in conjunction with CVE-2020-13125. An attacker with the Subscriber role can upload...
How severe is CVE-2020-13126?
CVE-2020-13126 has been rated CRITICAL with a CVSS base score of 9.9/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2020-13126?
Check the references section above for vendor advisories and patch information. Affected products include: Elementor Elementor Page Builder.