CVE-2020-36701

Name of the Vulnerable Software and Affected Versions The Page Builder: KingComposer plugin for WordPress versions up to, and including, 2.9.3

Description The issue allows authenticated users with author level permissions and above to upload arbitrary files onto the server, which can be used to execute code on the server. This is possible via the process bulk action function in the kingcomposer/includes/kc.extensions.php file.

Recommendations For versions up to, and including, 2.9.3, consider disabling the process bulk action function in the kingcomposer/includes/kc.extensions.php file as a temporary workaround until a patch is available. Restrict access to the kingcomposer/includes/kc.extensions.php file to minimize the risk of exploitation. Avoid using the process bulk action function until the issue is resolved.