CVE-2020-36700
HIGHPage Builder: KingComposer <= 2.9.3 - Authenticated Authorization Bypass via Nonce Leak
Title source: llmDescription
The Page Builder: KingComposer plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 2.9.3. This is due to a security nonce being leaked in the '/wp-admin/index.php' page. This makes it possible for authenticated attackers to change arbitrary WordPress options, delete arbitrary files/folders, and inject arbitrary content.
References (4)
Core 4
Core References
Scores
CVSS v3
8.8
EPSS
0.0119
EPSS Percentile
63.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-284
Status
published
Products (2)
king-theme/page_builder_kingcomposer
< 2.9.3
kingthemes/Page Builder: KingComposer – Free Drag and Drop page builder by King-Theme
< 2.9.3
Published
Jun 07, 2023
Tracked Since
Feb 18, 2026