Description
An issue was discovered in the Elementor Pro plugin before 2.9.4 for WordPress, as exploited in the wild in May 2020 in conjunction with CVE-2020-13125. An attacker with the Subscriber role can upload arbitrary executable files to achieve remote code execution. NOTE: the free Elementor plugin is unaffected.
References (2)
Third Party Advisory x_refsource_misc
https://wpvulndb.com/vulnerabilities/10214
Third Party Advisory x_refsource_misc
https://www.wordfence.com/blog/2020/05/combined-attack-on-elementor-pro-and-ultimate-addons-for-elementor-puts-1-million-sites-at-risk/
Scores
CVSS v3: 9.9
EPSS: 0.6702
EPSS Percentile: 98.6%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Details
VulnCheck KEV: 2020-05-17
InTheWild.io: 2020-08-25
CWE: CWE-434
Status: published
Products (1)
elementor/elementor_page_builder: < 2.9.4
Published: May 17, 2020
Tracked Since: Feb 18, 2026