Incorrect permission assignment for critical resource in Ultimate Addons for Elementor



Published: 2020-05-17 | Updated: 2020-07-17
Risk Medium
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2020-13125
CWE-ID CWE-732
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
Ultimate Addons for Elementor
Web applications / Modules and components for CMS

Vendor Brainstorm Force

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Incorrect permission assignment for critical resource

EUVDB-ID: #VU30286

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-13125

CWE-ID: CWE-732 - Incorrect Permission Assignment for Critical Resource

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

An issue was discovered in the "Ultimate Addons for Elementor" plugin before 1.24.2 for WordPress, as exploited in the wild in May 2020 in conjunction with CVE-2020-13126. Unauthenticated attackers can create users with the Subscriber role even if registration is disabled.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Ultimate Addons for Elementor: 1.24.0 - 1.24.1

External links

http://wpvulndb.com/vulnerabilities/10214
http://www.wordfence.com/blog/2020/05/combined-attack-on-elementor-pro-and-ultimate-addons-for-elementor-puts-1-million-sites-at-risk/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###