CVE-2020-26596

CVE Database · CVE-2020-26596

CVE-2020-26596

· HIGHModified

CVSS v3.1

8.8

EPSS

5.42%

Published

Oct 7, 2020

Modified

Nov 21, 2024

Public PoC / Exploit (1)

All weaponized →

TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

The Dynamic OOO widget for the Elementor Pro plugin through 3.0.5 for WordPress allows remote authenticated users to execute arbitrary code because only the Editor role is needed to upload executable PHP code via the PHP Raw snippet. NOTE: this issue can be mitigated by removing the Dynamic OOO widget or by restricting availability of the Editor role.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-269

Affected Products (2)

elementor · elementor_provulnerable

wordpress · wordpress

References (4)

https://elementor.com/pro/changelog/

Release NotesVendor Advisory

https://ww2.compunet.cl/dia-cero-en-plugin-de-wordpres-detectada-compunet-redteam/

ExploitThird Party Advisory

https://elementor.com/pro/changelog/

Release NotesVendor Advisory

https://ww2.compunet.cl/dia-cero-en-plugin-de-wordpres-detectada-compunet-redteam/

ExploitThird Party Advisory

KEV Catalog EPSS Scores Vendors All CVEs