CVE-2020-26596
- EPSS 17.47%
- Published 07.10.2020 16:15:17
- Last modified 21.11.2024 05:20:07
- Source cve@mitre.org
Elementor Pro <= 3.0.5 - Authenticated Remote Code Execution in Dynamic OOO Widget
The Dynamic OOO widget for the Elementor Pro plugin through 3.0.5 for WordPress allows remote authenticated users to execute arbitrary code because only the Editor role is needed to upload executable PHP code via the PHP Raw snippet. NOTE: this issue can be mitigated by removing the Dynamic OOO widget or by restricting availability of the Editor role.
Possible mitigation
Elementor Website Builder Pro: Update to version 3.0.6, or a newer patched version
Further vulnerability information
System: WordPress Plugin
Product: Elementor Website Builder Pro
Version: *-3.0.5
Data provided by the National Vulnerability Database (NVD)
Elementor ≫ Elementor Pro (software platform: wordpress), version <= 3.0.5
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 17.47% | 0.949 |
| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.8 | 2.8 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd@nist.gov | 9 | 8 | 10 | AV:N/AC:L/Au:S/C:C/I:C/A:C |
CWE-269 Improper Privilege Management
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.