First published: Sun May 17 2020
An issue was discovered in the Elementor Pro plugin before 2.9.4 for WordPress, as exploited in the wild in May 2020 in conjunction with CVE-2020-13125. An attacker with the Subscriber role can upload arbitrary executable files to achieve remote code execution. NOTE: the free Elementor plugin is unaffected.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Elementor Elementor Page Builder | <2.9.4 | |
CVE-2020-13126 is an issue discovered in the Elementor Pro plugin for WordPress, which allows an attacker with the Subscriber role to upload arbitrary executable files and achieve remote code execution.
The severity of CVE-2020-13126 is critical, with a severity value of 9.9.
An attacker with the Subscriber role can exploit CVE-2020-13126 by uploading arbitrary executable files to achieve remote code execution.
Elementor Pro versions before 2.9.4 are affected by CVE-2020-13126.
To fix CVE-2020-13126, update to Elementor Pro version 2.9.4 or later.