CVE-2020-13125
MEDIUM | EXPLOITED IN THE WILD | NUCLEI
Ultimate Addons for Elementor <1.24.2 - Privilege Escalation
Title source: llm
Exploitation Summary
CVE-2020-13125 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). A Nuclei detection template is also available.
Description
An issue was discovered in the "Ultimate Addons for Elementor" plugin before 1.24.2 for WordPress, as exploited in the wild in May 2020 in conjunction with CVE-2020-13126. Unauthenticated attackers can create users with the Subscriber role even if registration is disabled.
Nuclei Templates (1)
Ultimate Addons for Elementor <= 1.24.1 - Registration Bypass
HIGH, by daffainfo
References (2)
Core References
Not Applicable x_refsource_misc
https://wpvulndb.com/vulnerabilities/10214
Third Party Advisory x_refsource_misc
https://www.wordfence.com/blog/2020/05/combined-attack-on-elementor-pro-and-ultimate-addons-for-elementor-puts-1-million-sites-at-risk/
Scores
CVSS v3
6.5
EPSS
0.0231
EPSS Percentile
81.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Details
VulnCheck KEV
2020-05-17
InTheWild.io
2021-07-21
Status
published
Products (1)
brainstormforce/ultimate_addons_for_elementor
< 1.24.2
Published
May 17, 2020
Tracked Since
Feb 18, 2026