CVE-2020-13126
published 2020-05-17


Priority: P1 (80)
Severity: critical, 9.9 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Exploited in the wild (ITW exploit); listed in VulnCheck KEV
EPSS: 8.57% (94.4th percentile)
An issue was discovered in the Elementor Pro plugin before 2.9.4 for WordPress, as exploited in the wild in May 2020 in conjunction with CVE-2020-13125. An attacker with the Subscriber role can upload arbitrary executable files to achieve remote code execution. NOTE: the free Elementor plugin is unaffected.

Affected (2 ranges)

Vendor           Product                        Version range   Fixed in
brainstormforce  ultimate_addons_for_elementor  < 1.24.2        1.24.2
elementor        elementor_page_builder         < 2.9.4         2.9.4

Detection & IOCs (extracted from sources)

url:      /wp-admin/admin-ajax.php
command:  action=uael_register_user&nonce={{form_nonce}}&data[page_id]={{post_id}}&data[widget_id]={{widget_id}}&data[user_name]={{username}}&data[email]={{email}}&data[password]={{password}}&data[first_name]={{firstname}}&data[last_name]={{lastname}}&data[send_email]={{randstr}}&data[auto_login]=yes
other:    uaelRegistration
other:    elementor-widget-uael-registration-form
  • Detect exploit attempts by monitoring POST requests to /wp-admin/admin-ajax.php carrying the parameter 'action=uael_register_user'; this is the Ultimate Addons AJAX action abused to register users without authentication. Legitimate sign-ups through the same widget use the same action, so treat a hit as a trigger for review (who registered, from where, and what the new account did next) rather than as proof of compromise on its own.
  • A successful exploitation response contains the string 'successfully registered', is served with Content-Type 'application/json' and carries HTTP status 200; monitor for this combination in WAF/proxy logs.
  • Pre-exploitation reconnaissance can be identified by GET requests to a WordPress page whose response body contains both 'uaelRegistration' and 'form_nonce', indicating the vulnerable registration widget is present.
  • The exploit extracts a nonce value matching the regex '"form_nonce":"([a-f0-9]+)"' from the page body before submitting the registration request; a scrape of that pattern followed shortly by the registration POST is the attacker's reconnaissance-then-register sequence.
  • These indicators cover the registration step, CVE-2020-13125 (Ultimate Addons for Elementor). In May 2020 it was observed in the wild chained with this CVE (CVE-2020-13126, Elementor Pro): the attacker first registers a Subscriber account without authentication, then uses that Subscriber role to upload arbitrary executable files and obtain remote code execution.
  • The registration exploit requires the 'uael-registration-form' Elementor widget to be present and published on at least one page of the target site. If no such page exists, the nonce and widget_id cannot be extracted and the attack fails.
  • The vulnerable Ultimate Addons for Elementor version range is <= 1.24.1; version 1.24.2 and later are patched. Scope detections to sites running the affected version range.
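The following is an added example, not code from the advisory page or from VulnCheck, showing the detection rules above applied to proxy/WAF records. It goes slightly beyond the bullets by correlating per client: a client that scraped the widget nonce and then produced a 'successfully registered' response is flagged as the precursor of the CVE-2020-13125 / CVE-2020-13126 chain. The `Record` shape, the client addresses, the tag names and the three sample records are all constructed for the example; a real proxy log will need its own parser.

```python
"""Detection of the Ultimate Addons registration abuse over constructed proxy records.

Added example; Record layout, tag names and sample data are assumptions, not the page's.
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

AJAX_PATH = "/wp-admin/admin-ajax.php"
ABUSED_ACTION = "uael_register_user"
SUCCESS_MARKER = "successfully registered"
# Same regex the exploit uses to pull the nonce out of the page body
NONCE_RE = re.compile(r'"form_nonce":"([a-f0-9]+)"')


@dataclass
class Record:
    """One request/response pair as a proxy or WAF might log it (assumed shape)."""
    client: str
    method: str
    url: str
    status: int
    content_type: str = ""
    request_body: str = ""
    response_body: str = ""


def classify(rec):
    """Tag a single record with the indicators from the advisory notes."""
    tags = []
    path = urlsplit(rec.url).path

    # Recon: a page response exposing the registration widget and its nonce
    if (rec.method == "GET" and "uaelRegistration" in rec.response_body
            and "form_nonce" in rec.response_body):
        tags.append("recon:uael-registration-widget-exposed")
        m = NONCE_RE.search(rec.response_body)
        if m:
            tags.append("recon:nonce=" + m.group(1))

    # Attempt: the abused AJAX action posted to admin-ajax.php
    if rec.method == "POST" and path == AJAX_PATH:
        params = parse_qs(rec.request_body)
        if ABUSED_ACTION in params.get("action", []):
            tags.append("attempt:uael_register_user")
            if params.get("data[auto_login]") == ["yes"]:
                tags.append("attempt:auto_login")
            # Success: HTTP 200, JSON body, and the success string
            media_type = rec.content_type.split(";")[0].strip()
            if (rec.status == 200 and media_type == "application/json"
                    and SUCCESS_MARKER in rec.response_body):
                tags.append("success:account-registered")
    return tags


def scan(records):
    """Classify every record and list clients that did recon and then registered."""
    per_client = {}
    for rec in records:
        for tag in classify(rec):
            per_client.setdefault(rec.client, []).append(tag)
    chained = sorted(
        c for c, tags in per_client.items()
        if any(t.startswith("recon:") for t in tags)
        and any(t.startswith("success:") for t in tags)
    )
    return per_client, chained


# Constructed sample: one attacker doing recon then registering, one benign heartbeat
SAMPLE = [
    Record("203.0.113.7", "GET", "https://shop.example/register/", 200, "text/html",
           response_body='<div class="elementor-widget-uael-registration-form"></div>'
                         '<script>var uaelRegistration={"form_nonce":"9f2e4c1a0b"};</script>'),
    Record("203.0.113.7", "POST", "https://shop.example" + AJAX_PATH, 200,
           "application/json; charset=UTF-8",
           request_body="action=uael_register_user&nonce=9f2e4c1a0b&data[page_id]=12"
                        "&data[widget_id]=3f1a&data[user_name]=wpx&data[email]=wpx%40example.net"
                        "&data[password]=P%40ss&data[send_email]=abc&data[auto_login]=yes",
           response_body='{"success":true,"data":{"message":"You have successfully registered."}}'),
    Record("198.51.100.5", "POST", "https://shop.example" + AJAX_PATH, 200,
           "text/html; charset=UTF-8",
           request_body="action=heartbeat&_nonce=deadbeef", response_body="ok"),
]


if __name__ == "__main__":
    findings, chained = scan(SAMPLE)
    for client, tags in findings.items():
        print(client, tags)
    print("chain precursors:", chained)
```

The benign heartbeat POST to the same endpoint produces no tags, which is the point of keying on the action parameter rather than on the path alone; the success check also strips the charset suffix before comparing the media type so that `application/json; charset=UTF-8` is not missed.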

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        3.1      9.9    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
nvd        3.0      9.9    CRITICAL  CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
nvd        2.0      6.5    MEDIUM    AV:N/AC:L/Au:S/C:P/I:P/A:P
vulncheck  -        6.5    MEDIUM    -