CVE-2020-13125
Published 2020-05-17
Priority P276 · medium · 6.5 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 2.31% (81.2nd percentile)
An issue was discovered in the "Ultimate Addons for Elementor" plugin before 1.24.2 for WordPress, as exploited in the wild in May 2020 in conjunction with CVE-2020-13126. Unauthenticated attackers can create users with the Subscriber role even if registration is disabled.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| brainstormforce | ultimate_addons_for_elementor | < 1.24.2 | 1.24.2 |
| elementor | elementor_page_builder | < 2.9.4 | 2.9.4 |
Detection & IOCs (extracted from sources)
Exploit request body, as sent in a POST to /wp-admin/admin-ajax.php (taken from the Nuclei template):
action=uael_register_user&nonce={{form_nonce}}&data[page_id]={{post_id}}&data[widget_id]={{widget_id}}&data[user_name]={{username}}&data[email]={{email}}&data[password]={{password}}&data[first_name]={{firstname}}&data[last_name]={{lastname}}&data[send_email]={{randstr}}&data[auto_login]=yes
- Look for POST requests to /wp-admin/admin-ajax.php with the action parameter set to 'uael_register_user'; this is the unauthenticated registration bypass endpoint. admin-ajax.php accepts the action from the POST body as well as from the query string, so a plain access log that records only the request line will not show it; you need a WAF, a ModSecurity audit log, or other request logging that captures the body. The same action also serves the widget's normal registration flow on sites that use it, so treat hits as suspicious chiefly when WordPress registration is disabled, or when the newly created Subscriber account goes on to upload files (the CVE-2020-13126 chain).
- Scan page source for the co-presence of 'uaelRegistration' and 'form_nonce' strings, which indicate the vulnerable registration form widget is active and can be targeted.
- A successful exploitation attempt returns HTTP 200 with Content-Type application/json and the string 'successfully registered' in the response body.
- The vulnerable widget can be identified in page HTML by the class 'elementor-widget-uael-registration-form' with a data-id attribute; the exploit POST uses that data-id as the widget ID.
- The nonce value required for the exploit can be extracted from the page body using the regex pattern ,"form_nonce":"([a-f0-9]+)"; its presence confirms the vulnerable plugin is loaded.
- This CVE was exploited in the wild in May 2020 chained with CVE-2020-13126; monitor for combined exploitation patterns targeting both vulnerabilities on the same WordPress instance.
- The exploit requires a page with the UAEL registration form widget rendered; if no such page exists on the target, the nonce and widget_id cannot be harvested and the attack will not proceed.
- The vulnerability affects Ultimate Addons for Elementor versions up to and including 1.24.1 only; version 1.24.2 and later are patched.
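The indicators above split into a passive page fingerprint (widget class plus data-id, the form_nonce regex) and a request-side check (POST to admin-ajax.php with action=uael_register_user, and the 200/JSON/'successfully registered' success signature). The script below is an added example that implements both; it is not code from the page, the plugin, or the Nuclei template. The HTML page and the request records it runs on are constructed samples, and the record shape (src, method, url, body, status, content_type, response) is an assumption standing in for whatever a body-logging WAF or audit log actually emits.

```python
"""Checks for the CVE-2020-13125 indicators: a passive page fingerprint and a
request-log triage for the uael_register_user action. Added example; the HTML
and request records are constructed samples, not captures from a real site."""
import re
from urllib.parse import parse_qs, urlsplit

AJAX_PATH = "/wp-admin/admin-ajax.php"
# Any tag carrying the vulnerable widget's class; data-id is read from that tag.
TAG_RE = re.compile(r"<[^>]*elementor-widget-uael-registration-form[^>]*>")
DATA_ID_RE = re.compile(r'data-id="([^"]+)"')
# The nonce regex exactly as given in the IOC list.
NONCE_RE = re.compile(r',"form_nonce":"([a-f0-9]+)"')


def fingerprint_page(html):
    """Return {'widget_id', 'nonce'} when the registration widget is rendered
    and its nonce is exposed (the precondition for the bypass), else None."""
    if "uaelRegistration" not in html or "form_nonce" not in html:
        return None
    tag = TAG_RE.search(html)
    nonce = NONCE_RE.search(html)
    if not tag or not nonce:
        return None
    data_id = DATA_ID_RE.search(tag.group(0))
    if not data_id:
        return None
    return {"widget_id": data_id.group(1), "nonce": nonce.group(1)}


def is_bypass_request(method, url, body):
    """True for a POST to admin-ajax.php whose action is uael_register_user.
    admin-ajax.php reads 'action' from the query string or the body."""
    if method.upper() != "POST":
        return False
    parts = urlsplit(url)
    if parts.path != AJAX_PATH:
        return False
    params = parse_qs(parts.query)
    params.update(parse_qs(body))
    return params.get("action") == ["uael_register_user"]


def is_exploit_success(status, content_type, response_body):
    """Success signature from the IOC list: 200, JSON, 'successfully registered'."""
    return (status == 200
            and content_type.split(";")[0].strip().lower() == "application/json"
            and "successfully registered" in response_body)


def triage(records, users_can_register=False):
    """One (source, verdict, requested_username) per bypass request. A success
    while WordPress registration is disabled is the CVE-2020-13125 signature."""
    findings = []
    for r in records:
        if not is_bypass_request(r["method"], r["url"], r["body"]):
            continue
        created = is_exploit_success(r["status"], r["content_type"], r["response"])
        if created and not users_can_register:
            verdict = "account created while registration disabled"
        elif created:
            verdict = "registration via widget (legitimate if the site uses it)"
        else:
            verdict = "attempt failed"
        user = parse_qs(r["body"]).get("data[user_name]", [""])[0]
        findings.append((r["src"], verdict, user))
    return findings


# Constructed sample page: widget markup and a settings object that leaks the nonce.
# The variable name uael_settings is made up for the sample.
SAMPLE_HTML = """<html><body>
<div class="elementor-element elementor-widget elementor-widget-uael-registration-form"
     data-id="7a1b2c3d" data-element_type="widget"></div>
<script>var uael_settings = {"ajax_url":"/wp-admin/admin-ajax.php","form_nonce":"9f8e7d6c5b"};
jQuery(uaelRegistration);</script>
</body></html>"""

# Constructed request records in the shape a body-logging WAF might give you.
SAMPLE_RECORDS = [
    {"src": "203.0.113.7", "method": "POST", "url": AJAX_PATH,
     "body": "action=uael_register_user&nonce=9f8e7d6c5b&data[page_id]=12"
             "&data[widget_id]=7a1b2c3d&data[user_name]=support_bot"
             "&data[email]=sb@example.net&data[password]=Pw1&data[auto_login]=yes",
     "status": 200, "content_type": "application/json; charset=UTF-8",
     "response": '{"success":true,"data":{"message":"You have successfully registered."}}'},
    {"src": "198.51.100.4", "method": "POST", "url": AJAX_PATH,
     "body": "action=heartbeat&_nonce=abc", "status": 200,
     "content_type": "application/json; charset=UTF-8", "response": '{"success":true}'},
    {"src": "203.0.113.7", "method": "GET", "url": AJAX_PATH + "?action=uael_register_user",
     "body": "", "status": 400, "content_type": "application/json",
     "response": '{"success":false}'},
]

if __name__ == "__main__":
    print(fingerprint_page(SAMPLE_HTML))
    for finding in triage(SAMPLE_RECORDS):
        print(finding)
```

Run it as a script to see the fingerprint and the single flagged record; on a real site, feed fingerprint_page the fetched HTML of a page that embeds the widget and triage the records from whatever logging layer actually retains request bodies. The users_can_register flag mirrors the WordPress "Anyone can register" setting: with it off, any successful registration through this action is the bypass, not legitimate use.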
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
| nvd | 3.0 | 7.2 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N |
| nvd | 2.0 | 6.4 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:P/A:N |
| vulncheck | | 6.5 | MEDIUM | |
GHSA
GHSA-j47x-5r4f-5mpx · ghsa_unreviewed · 2022-05-24 · CVSS 9.9 [CRITICAL] · CWE-732 (Incorrect Permission Assignment for Critical Resource)
CVE-2020-13125: An issue was discovered in the "Ultimate Addons for Elementor" plugin before 1.24.2 for WordPress, as exploited in the wild in May 2020 in conjunction with CVE-2020-13126. Unauthenticated attackers can create users with the Subscriber role even if registration is disabled.
GHSA
GHSA-q42j-4cv4-vf65 · ghsa_unreviewed · 2022-05-24 · CVSS 6.5 [MEDIUM]
CVE-2020-13126: An issue was discovered in the Elementor Pro plugin before 2.9.4 for WordPress, as exploited in the wild in May 2020 in conjunction with CVE-2020-13125. An attacker with the Subscriber role can upload arbitrary executable files to achieve remote code execution. NOTE: the free Elementor plugin is unaffected.
VulnCheck
Ultimate Addons for Elementor plugin before 1.24.2 for WordPress Unauthenticated Subscriber User Bypass
vulncheck · 2020 · CVSS 6.5 · CVE-2020-13125 [MEDIUM]
An issue was discovered in the "Ultimate Addons for Elementor" plugin before 1.24.2 for WordPress, as exploited in the wild in May 2020 in conjunction with CVE-2020-13126. Unauthenticated attackers can create users with the Subscriber role even if registration is disabled.
Affected: brainstormforce ultimate_addons_for_elementor
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.cve.org/CVERecord?id=CVE-2020-13125; https://www.wordfence.com/blog/2020/05/the-elementor-attacks-how-creative-hackers-combined-vulnerabilities-to-take-over-wordpress-si
VulnCheck
elementor elementor_page_builder Unrestricted Upload of File with Dangerous Type
vulncheck · 2020 · CVSS 6.5 · CVE-2020-13126 [MEDIUM]
An issue was discovered in the Elementor Pro plugin before 2.9.4 for WordPress, as exploited in the wild in May 2020 in conjunction with CVE-2020-13125. An attacker with the Subscriber role can upload arbitrary executable files to achieve remote code execution. NOTE: the free Elementor plugin is unaffected.
Affected: elementor elementor_page_builder
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.cve.org/CVERecord?id=CVE-2020-13126; https://www.wordfence.com/blog/2020/05/the-elementor-attacks-how-creative-hackers-combined-vulnerabilities-to-take-over-wordpress-sit
No detection rules found.
Nuclei
Ultimate Addons for Elementor <= 1.24.1 - Registration Bypass
nuclei · CVSS 6.5 · CVE-2020-13125 [MEDIUM]
An issue was discovered in the "Ultimate Addons for Elementor" plugin before 1.24.2 for WordPress, as exploited in the wild in May 2020 in conjunction with CVE-2020-13126. Unauthenticated attackers can create users with the Subscriber role even if registration is disabled.
Template:
```yaml
id: CVE-2020-13125

info:
  name: Ultimate Addons for Elementor <= 1.24.1 - Registration Bypass
  author: daffainfo
  severity: high
  description: |
    An issue was discovered in the "Ultimate Addons for Elementor" plugin before 1.24.2 for WordPress, as exploited in the wild in May 2020 in conjunction with CVE-2020-13126. Unauthenticated attackers can create users with the Subscriber role even if registration is disabled.
  impact: |
    Unauthenticated attackers
```
No writeups or analysis indexed.
References:
- https://wpvulndb.com/vulnerabilities/10214
- https://www.wordfence.com/blog/2020/05/combined-attack-on-elementor-pro-and-ultimate-addons-for-elementor-puts-1-million-sites-at-risk/
Timeline: 2020-05-17 published · exploited in the wild