CVE-2020-13126

Опубликовано: 17 мая 2020

Источник: nvd

CVSS3: 9.9

CVSS2: 6.5

EPSS Средний

Описание

An issue was discovered in the Elementor Pro plugin before 2.9.4 for WordPress, as exploited in the wild in May 2020 in conjunction with CVE-2020-13125. An attacker with the Subscriber role can upload arbitrary executable files to achieve remote code execution. NOTE: the free Elementor plugin is unaffected.

Ссылки

https://wpvulndb.com/vulnerabilities/10214
Third Party Advisory
https://www.wordfence.com/blog/2020/05/combined-attack-on-elementor-pro-and-ultimate-addons-for-elementor-puts-1-million-sites-at-risk/
Third Party Advisory
https://wpvulndb.com/vulnerabilities/10214
Third Party Advisory
https://www.wordfence.com/blog/2020/05/combined-attack-on-elementor-pro-and-ultimate-addons-for-elementor-puts-1-million-sites-at-risk/
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:elementor:elementor_page_builder:*:*:*:*:pro:wordpress:*:*

Версия до 2.9.4 (исключая)

EPSS

Процентиль: 98%

0.67023

Средний

9.9 Critical

CVSS3

9.9 Critical

CVSS3

6.5 Medium

CVSS2

Дефекты

CWE-434

Связанные уязвимости

GHSA-q42j-4cv4-vf65

github

больше 3 лет назад

EPSS

Процентиль: 98%

0.67023

Средний

9.9 Critical

CVSS3

9.9 Critical

CVSS3

6.5 Medium

CVSS2

Дефекты

CWE-434