Vulnerability Description
The Dynamic OOO widget for the Elementor Pro plugin through 3.0.5 for WordPress allows remote authenticated users to execute arbitrary code because only the Editor role is needed to upload executable PHP code via the PHP Raw snippet. NOTE: this issue can be mitigated by removing the Dynamic OOO widget or by restricting availability of the Editor role.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Elementor | Elementor Pro | <= 3.0.5 |
| WordPress | WordPress | <= 5.5.1 |
Related Weaknesses (CWE)
References
- https://elementor.com/pro/changelog/ (Release Notes, Vendor Advisory)
- https://ww2.compunet.cl/dia-cero-en-plugin-de-wordpres-detectada-compunet-redtea (Exploit, Third Party Advisory)
FAQ
What is CVE-2020-26596?
CVE-2020-26596 is a vulnerability with a CVSS score of 8.8 (HIGH). The Dynamic OOO widget for the Elementor Pro plugin through 3.0.5 for WordPress allows remote authenticated users to execute arbitrary code because only the Editor role is needed to upload executable ...
How severe is CVE-2020-26596?
CVE-2020-26596 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-26596?
Check the references section above for vendor advisories and patch information. Affected products include Elementor Pro (Elementor) and WordPress.