PT-2020-16469 · Elementor · Elementor Pro

Published 2020-10-07 · Updated 2021-07-21

CVE-2020-26596

CVSS v2.0: 9.0 (High)

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

Elementor Pro plugin versions through 3.0.5

Description

The issue allows remote authenticated users to execute arbitrary code because only the Editor role is needed to upload executable PHP code via the PHP Raw snippet.

Recommendations

For Elementor Pro plugin versions through 3.0.5, consider removing the Dynamic OOO widget or restricting availability of the Editor role to mitigate the issue.

Exploit

Fix

Improper Privilege Management

Weakness Enumeration

Related Identifiers

CVE-2020-26596

Affected Products

Elementor Pro