CVE-2020-26596

moderate-risk

Published 2020-10-07

The Dynamic OOO widget for the Elementor Pro plugin through 3.0.5 for WordPress allows remote authenticated users to execute arbitrary code because only the Editor role is needed to upload executable PHP code via the PHP Raw snippet. NOTE: this issue can be mitigated by removing the Dynamic OOO widget or by restricting availability of the Editor role.

Do I need to act?

17.5% chance of exploitation in next 30 days

EPSS score — higher than 83% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 8.8/10 High

NETWORK / LOW complexity

Affected Products (1)

Elementor Pro

Affected Vendors

Elementor

References (4)

Release Notes https://elementor.com/pro/changelog/

Exploit https://ww2.compunet.cl/dia-cero-en-plugin-de-wordpres-detectada-compunet-redtea...

Release Notes https://elementor.com/pro/changelog/

Exploit https://ww2.compunet.cl/dia-cero-en-plugin-de-wordpres-detectada-compunet-redtea...

/ 100

moderate-risk

Severity 30/34 · Critical

Exploitability 13/34 · Low

Exposure 5/34 · Minimal