Incorrect permission assignment for critical resource in Ultimate Addons for Elementor

Published: 2020-05-17 | Updated: 2020-07-17
Risk Medium
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2020-13125
Exploitation vector Network
Public exploit N/A
Vulnerable software
Ultimate Addons for Elementor
Web applications / Modules and components for CMS

Vendor Brainstorm Force

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Incorrect permission assignment for critical resource

EUVDB-ID: #VU30286

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-13125

CWE-ID: CWE-732 - Incorrect Permission Assignment for Critical Resource

Exploit availability: No


The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

An issue was discovered in the "Ultimate Addons for Elementor" plugin before 1.24.2 for WordPress, as exploited in the wild in May 2020 in conjunction with CVE-2020-13126. Unauthenticated attackers can create users with the Subscriber role even if registration is disabled.


Install update from vendor's website.

Vulnerable software versions

Ultimate Addons for Elementor: 1.24.0, 1.24.1

CPE2.3 External links

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.