CVE-2020-13126
CRITICAL
EXPLOITED IN THE WILD
Elementor Pro < 2.9.4 - Authenticated Remote Code Execution via Arbitrary File Upload
Title source: llm
Exploitation Summary
CVE-2020-13126 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io).
Description
An issue was discovered in the Elementor Pro plugin before 2.9.4 for WordPress, as exploited in the wild in May 2020 in conjunction with CVE-2020-13125. An attacker with the Subscriber role can upload arbitrary executable files to achieve remote code execution. NOTE: the free Elementor plugin is unaffected.
References (2)
Core References
Third Party Advisory x_refsource_misc
https://wpvulndb.com/vulnerabilities/10214
Third Party Advisory x_refsource_misc
https://www.wordfence.com/blog/2020/05/combined-attack-on-elementor-pro-and-ultimate-addons-for-elementor-puts-1-million-sites-at-risk/
Scores
CVSS v3: 9.9
EPSS: 0.0857
EPSS Percentile: 94.4%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Details
VulnCheck KEV: 2020-05-17
InTheWild.io: 2020-08-25
CWE: CWE-434
Status: published
Products (1)
elementor/elementor_page_builder < 2.9.4
Published: May 17, 2020
Tracked Since: Feb 18, 2026