Vulnerability identifier: #VU30286

Vulnerability risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-13125

CWE-ID: CWE-732

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Ultimate Addons for Elementor
Web applications / Modules and components for CMS

Vendor: Brainstorm Force

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

An issue was discovered in the "Ultimate Addons for Elementor" plugin before 1.24.2 for WordPress, as exploited in the wild in May 2020 in conjunction with CVE-2020-13126. Unauthenticated attackers can create users with the Subscriber role even if registration is disabled.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Ultimate Addons for Elementor: 1.24.0 - 1.24.1

---

External links
http://wpvulndb.com/vulnerabilities/10214
http://www.wordfence.com/blog/2020/05/combined-attack-on-elementor-pro-and-ultimate-addons-for-elementor-puts-1-million-sites-at-risk/

---

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.