CVE-2020-26596

Published: Oct 7, 2020Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

The Dynamic OOO widget for the Elementor Pro plugin through 3.0.5 for WordPress allows remote authenticated users to execute arbitrary code because only the Editor role is needed to upload executable PHP code via the PHP Raw snippet. NOTE: this issue can be mitigated by removing the Dynamic OOO widget or by restricting availability of the Editor role.

Affected (1)

Products: Elementor: Elementor Pro

1 product

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Elementor Elementor Pro	Up to 3.0.5

Running on/with	Platform Versions
Wordpress Wordpress	Up to 5.5.1

Related CWEs

Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

References (4)

https://elementor.com/pro/changelog/

Source: cve@mitre.org

Release NotesVendor Advisory

https://ww2.compunet.cl/dia-cero-en-plugin-de-wordpres-detectada-compunet-redteam/

Source: cve@mitre.org

ExploitThird Party Advisory

https://elementor.com/pro/changelog/

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesVendor Advisory

https://ww2.compunet.cl/dia-cero-en-plugin-de-wordpres-detectada-compunet-redteam/

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.