cbcvebase.
CVE-2020-13125
published 2020-05-17

Priority: P2 · 76 · medium · 6.5 (CVSS 3.1)
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:L / I:L / A:N
Flags: ITW EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 2.31% (81.2th percentile)
An issue was discovered in the "Ultimate Addons for Elementor" plugin before 1.24.2 for WordPress, as exploited in the wild in May 2020 in conjunction with CVE-2020-13126. Unauthenticated attackers can create users with the Subscriber role even if registration is disabled.

Affected (2 ranges)

Vendor | Product | Version range | Fixed in
brainstormforce | ultimate_addons_for_elementor | < 1.24.2 | 1.24.2
elementor | elementor_page_builder | < 2.9.4 | 2.9.4

Detection & IOCs (extracted from sources)

URL: /wp-admin/admin-ajax.php
Request body (template): action=uael_register_user&nonce={{form_nonce}}&data[page_id]={{post_id}}&data[widget_id]={{widget_id}}&data[user_name]={{username}}&data[email]={{email}}&data[password]={{password}}&data[first_name]={{firstname}}&data[last_name]={{lastname}}&data[send_email]={{randstr}}&data[auto_login]=yes
  • Look for POST requests to /wp-admin/admin-ajax.php with the action parameter set to 'uael_register_user': this is the unauthenticated registration bypass endpoint.
  • Scan page source for the co-presence of the 'uaelRegistration' and 'form_nonce' strings, which indicate that the vulnerable registration form widget is active on that page.
  • A successful exploitation attempt returns HTTP 200 with Content-Type application/json and the string 'successfully registered' in the response body.
  • The vulnerable widget can be identified in page HTML by the class 'elementor-widget-uael-registration-form' with a data-id attribute; that data-id is the widget ID the exploit POST supplies as data[widget_id].
  • The nonce required by the endpoint can be extracted from the page body with the regex pattern ,"form_nonce":"([a-f0-9]+)"; its presence confirms that the vulnerable plugin is loaded.
  • This CVE was exploited in the wild in May 2020 chained with CVE-2020-13126; monitor for combined exploitation patterns targeting both vulnerabilities on the same WordPress instance.
  • The exploit requires a page with the UAEL registration form widget rendered; if no such page exists on the target, the nonce and widget_id cannot be harvested and the attack will not proceed.
  • The vulnerability affects Ultimate Addons for Elementor versions up to and including 1.24.1 only; version 1.24.2 and later are patched.

CVSS provenance

Source | CVSS version | Score | Severity | Vector
nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
nvd | v3.0 | 7.2 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
nvd | v2.0 | 6.4 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:P/A:N
vulncheck | (not stated) | 6.5 | MEDIUM | (not stated)