CVE-2020-26596
First published: Wed Oct 07 2020(Updated: )
The Dynamic OOO widget for the Elementor Pro plugin through 3.0.5 for WordPress allows remote authenticated users to execute arbitrary code because only the Editor role is needed to upload executable PHP code via the PHP Raw snippet. NOTE: this issue can be mitigated by removing the Dynamic OOO widget or by restricting availability of the Editor role.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Elementor Elementor Pro | <=3.0.5 | |
| WordPress WordPress | <=5.5.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID of this vulnerability?
The vulnerability ID is CVE-2020-26596.
What is the title of this vulnerability?
The title of this vulnerability is 'The Dynamic OOO widget for the Elementor Pro plugin through 3.0.5 for WordPress allows remote authenticated users to execute arbitrary code'.
What is the severity of CVE-2020-26596?
The severity of CVE-2020-26596 is critical with a CVSS score of 8.8.
Which software is affected by CVE-2020-26596?
Elementor Pro plugin through version 3.0.5 for WordPress is affected by CVE-2020-26596.
How can CVE-2020-26596 be mitigated?
The issue can be mitigated by removing the Dynamic OOO widget or updating to a version of the plugin that has fixed the vulnerability.
- agent/type
- agent/references
- agent/first-publish-date
- agent/softwarecombine
- agent/last-modified-date
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/author
- agent/severity
- agent/weakness
- agent/tags
- agent/description
- agent/event
- collector/mitre-cve
- source/MITRE
- vendor/elementor
- canonical/elementor elementor pro
- version/elementor elementor pro/3.0.5
- vendor/wordpress
- canonical/wordpress wordpress
- version/wordpress wordpress/5.5.1