CVE-2020-13126
Published 2020-05-17
Priority P1 (80) · critical · 9.9 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
ITW exploit · VulnCheck KEV
Exploited in the wild
EPSS: 8.57% (94.4th percentile)
An issue was discovered in the Elementor Pro plugin before 2.9.4 for WordPress, as exploited in the wild in May 2020 in conjunction with CVE-2020-13125. An attacker with the Subscriber role can upload arbitrary executable files to achieve remote code execution. NOTE: the free Elementor plugin is unaffected.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| brainstormforce | ultimate_addons_for_elementor | < 1.24.2 | 1.24.2 |
| elementor | elementor_page_builder | < 2.9.4 | 2.9.4 |
Detection & IOCs (extracted from sources)
- url: /wp-admin/admin-ajax.php
- command: action=uael_register_user&nonce={{form_nonce}}&data[page_id]={{post_id}}&data[widget_id]={{widget_id}}&data[user_name]={{username}}&data[email]={{email}}&data[password]={{password}}&data[first_name]={{firstname}}&data[last_name]={{lastname}}&data[send_email]={{randstr}}&data[auto_login]=yes
- other: uaelRegistration
- other: elementor-widget-uael-registration-form

- Detect exploit attempts by monitoring POST requests to /wp-admin/admin-ajax.php with the parameter 'action=uael_register_user', which is the AJAX action abused to register users without authentication.
- A successful exploitation response will contain the string 'successfully registered' with Content-Type 'application/json' and HTTP 200 status; monitor for this in WAF/proxy logs.
- Pre-exploitation reconnaissance can be identified by GET requests to the target WordPress page where the response body contains both 'uaelRegistration' and 'form_nonce', indicating the vulnerable registration widget is present.
- The exploit extracts a nonce value matching the regex '"form_nonce":"([a-f0-9]+)"' from the page body before submitting the registration request; presence of this pattern in scraped page content indicates attacker reconnaissance.
- The exploit was observed in the wild in May 2020 chained with CVE-2020-13126 (Elementor Pro RCE), allowing unauthenticated attackers to first register a Subscriber account and then escalate privileges.
- The exploit requires the 'uael-registration-form' Elementor widget to be present and published on at least one page of the target site. If no such page exists, the nonce and widget_id cannot be extracted and the attack will fail.
- The vulnerable plugin version range is Ultimate Addons for Elementor <= 1.24.1; version 1.24.2 and later are patched. Detections should be scoped to sites running the affected version range.
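The detection guidance above, turned into a log scan, as an added example that is not part of the CVE record or of any vendor's or source's code. It assumes a JSON-lines WAF/proxy log whose records carry the request method, path, body, response status, content type and a response-body excerpt (the field names ts, src, method, path, body, status, ctype and resp are assumptions for this example), and it runs over constructed sample records. It flags three things from the bullets: pages that expose the widget and its form_nonce, POSTs to admin-ajax.php carrying action=uael_register_user, and the 'successfully registered' JSON response; it also correlates a nonce used in an attempt with a nonce the same source was served earlier, which the bullets imply but do not spell out.

```python
"""Scan WAF/proxy records for the uael_register_user abuse pattern (added example)."""
import json
import re
from urllib.parse import parse_qs

AJAX_PATH = "/wp-admin/admin-ajax.php"
ABUSED_ACTION = "uael_register_user"           # AJAX action abused to register users
SUCCESS_MARKER = "successfully registered"     # string seen in a successful JSON response
NONCE_RE = re.compile(r'"form_nonce":"([a-f0-9]+)"')  # nonce the widget embeds in the page

# Constructed sample records (JSON lines; field names are assumptions for this example):
# a benign AJAX heartbeat, a page fetch that exposes the widget and its nonce,
# a failed registration attempt with a bogus nonce, and a successful one.
SAMPLE_LOG = r'''
{"ts":"2020-05-06T10:00:01Z","src":"203.0.113.10","method":"POST","path":"/wp-admin/admin-ajax.php","body":"action=heartbeat","status":200,"ctype":"application/json","resp":"{\"success\":true}"}
{"ts":"2020-05-06T10:00:05Z","src":"198.51.100.7","method":"GET","path":"/register/","body":"","status":200,"ctype":"text/html","resp":"<div class=\"elementor-widget-uael-registration-form\"></div><script>var uaelRegistration = {\"form_nonce\":\"1a2b3c4d5e\"};</script>"}
{"ts":"2020-05-06T10:00:09Z","src":"198.51.100.7","method":"POST","path":"/wp-admin/admin-ajax.php","body":"action=uael_register_user&nonce=0000000000&data[user_name]=newuser&data[email]=new@example.invalid","status":200,"ctype":"application/json","resp":"{\"success\":false}"}
{"ts":"2020-05-06T10:00:12Z","src":"198.51.100.7","method":"POST","path":"/wp-admin/admin-ajax.php","body":"action=uael_register_user&nonce=1a2b3c4d5e&data[user_name]=newuser&data[email]=new@example.invalid&data[auto_login]=yes","status":200,"ctype":"application/json","resp":"{\"success\":true,\"data\":\"You have successfully registered.\"}"}
'''


def classify(rec, served_nonces):
    """Return the findings for one record.

    served_nonces is the set of form_nonce values this source has already been
    served on pages carrying the widget; it is updated as GET responses are seen.
    """
    findings = []
    resp = rec.get("resp", "")

    # The vulnerable widget is published on this page: exposure, not yet an attack.
    if rec["method"] == "GET" and "uaelRegistration" in resp and "form_nonce" in resp:
        findings.append("widget_exposed")
        served_nonces.update(NONCE_RE.findall(resp))

    # POST to admin-ajax.php with the abused action is an attempt regardless of outcome.
    if rec["method"] == "POST" and rec["path"] == AJAX_PATH:
        params = parse_qs(rec.get("body", ""))
        if params.get("action") == [ABUSED_ACTION]:
            findings.append("attempt")
            # Nonce reuse from a page this source fetched earlier matches the exploit flow.
            if params.get("nonce", [None])[0] in served_nonces:
                findings.append("nonce_from_scrape")
            # HTTP 200 + JSON + success string is the successful-exploitation signature.
            if (rec.get("status") == 200
                    and rec.get("ctype", "").startswith("application/json")
                    and SUCCESS_MARKER in resp):
                findings.append("success")
    return findings


def scan_log(text):
    """Parse JSON-lines records and return (ts, src, findings) for flagged ones."""
    served = {}   # src -> set of nonces served to that source
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        findings = classify(rec, served.setdefault(rec["src"], set()))
        if findings:
            hits.append((rec["ts"], rec["src"], findings))
    return hits


def summarize(hits):
    """Count registration attempts and successes per source address."""
    per_src = {}
    for _, src, findings in hits:
        counts = per_src.setdefault(src, {"attempts": 0, "successes": 0})
        if "attempt" in findings:
            counts["attempts"] += 1
        if "success" in findings:
            counts["successes"] += 1
    return per_src


if __name__ == "__main__":
    flagged = scan_log(SAMPLE_LOG)
    for ts, src, findings in flagged:
        print(ts, src, ", ".join(findings))
    print(summarize(flagged))
```

Only sources with at least one attempt appear in the summary; a bare widget_exposed hit records that the site has the attack surface described in the bullets, and scoping the rule to sites on Ultimate Addons for Elementor <= 1.24.1 is still the first filter to apply.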
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.9 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| nvd | v3.0 | 9.9 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| vulncheck | | 6.5 | MEDIUM | |
GHSA
GHSA-j47x-5r4f-5mpx (CVE-2020-13125, CRITICAL, CWE-732) · ghsa_unreviewed · 2022-05-24 · CVSS 9.9
An issue was discovered in the "Ultimate Addons for Elementor" plugin before 1.24.2 for WordPress, as exploited in the wild in May 2020 in conjunction with CVE-2020-13126. Unauthenticated attackers can create users with the Subscriber role even if registration is disabled.

GHSA
GHSA-q42j-4cv4-vf65 (CVE-2020-13126, MEDIUM) · ghsa_unreviewed · 2022-05-24 · CVSS 6.5
An issue was discovered in the Elementor Pro plugin before 2.9.4 for WordPress, as exploited in the wild in May 2020 in conjunction with CVE-2020-13125. An attacker with the Subscriber role can upload arbitrary executable files to achieve remote code execution. NOTE: the free Elementor plugin is unaffected.
VulnCheck
Ultimate Addons for Elementor plugin before 1.24.2 for WordPress Unauthenticated Subscriber User Bypass (CVE-2020-13125, MEDIUM) · vulncheck · 2020 · CVSS 6.5
An issue was discovered in the "Ultimate Addons for Elementor" plugin before 1.24.2 for WordPress, as exploited in the wild in May 2020 in conjunction with CVE-2020-13126. Unauthenticated attackers can create users with the Subscriber role even if registration is disabled.
Affected: brainstormforce ultimate_addons_for_elementor
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.cve.org/CVERecord?id=CVE-2020-13125; https://www.wordfence.com/blog/2020/05/the-elementor-attacks-how-creative-hackers-combined-vulnerabilities-to-take-over-wordpress-si

VulnCheck
elementor elementor_page_builder Unrestricted Upload of File with Dangerous Type (CVE-2020-13126, MEDIUM) · vulncheck · 2020 · CVSS 6.5
An issue was discovered in the Elementor Pro plugin before 2.9.4 for WordPress, as exploited in the wild in May 2020 in conjunction with CVE-2020-13125. An attacker with the Subscriber role can upload arbitrary executable files to achieve remote code execution. NOTE: the free Elementor plugin is unaffected.
Affected: elementor elementor_page_builder
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.cve.org/CVERecord?id=CVE-2020-13126; https://www.wordfence.com/blog/2020/05/the-elementor-attacks-how-creative-hackers-combined-vulnerabilities-to-take-over-wordpress-sit
No detection rules found.
Nuclei
Ultimate Addons for Elementor <= 1.24.1 - Registration Bypass (CVE-2020-13125, MEDIUM) · nuclei · CVSS 6.5
An issue was discovered in the "Ultimate Addons for Elementor" plugin before 1.24.2 for WordPress, as exploited in the wild in May 2020 in conjunction with CVE-2020-13126. Unauthenticated attackers can create users with the Subscriber role even if registration is disabled.
Template:

```yaml
id: CVE-2020-13125

info:
  name: Ultimate Addons for Elementor <= 1.24.1 - Registration Bypass
  author: daffainfo
  severity: high
  description: |
    An issue was discovered in the "Ultimate Addons for Elementor" plugin before 1.24.2 for WordPress, as exploited in the wild in May 2020 in conjunction with CVE-2020-13126. Unauthenticated attackers can create users with the Subscriber role even if registration is disabled.
  impact: |
    Unauthenticated attackers
```
No writeups or analysis indexed.
References:
- https://wpvulndb.com/vulnerabilities/10214
- https://www.wordfence.com/blog/2020/05/combined-attack-on-elementor-pro-and-ultimate-addons-for-elementor-puts-1-million-sites-at-risk/