CVSS: 5.4 • EPSS: 0% • CPEs: 1 • EXPL: 1

The Elementor Page Builder plugin before 2.9.9 for WordPress suffers from multiple stored XSS vulnerabilities. An author user can create posts that result in stored XSS vulnerabilities, by using a crafted link in the custom URL or by applying custom attributes. • https://www.softwaresecured.com/elementor-page-builder-stored-xss • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.9 • EPSS: 0% • CPEs: 1 • EXPL: 0

An issue was discovered in the Elementor Pro plugin before 2.9.4 for WordPress, as exploited in the wild in May 2020 in conjunction with CVE-2020-13125. An attacker with the Subscriber role can upload arbitrary executable files to achieve remote code execution. NOTE: the free Elementor plugin is unaffected. • https://wpvulndb.com/vulnerabilities/10214 https://www.wordfence.com/blog/2020/05/combined-attack-on-elementor-pro-and-ultimate-addons-for-elementor-puts-1-million-sites-at-risk • CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 6.4 • EPSS: 0% • CPEs: 1 • EXPL: 1

The Elementor Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG image uploads in versions up to, and including, 2.9.7. This makes it possible for authenticated attackers with the upload_files capability to inject arbitrary web scripts in pages that will execute whenever a user accesses the page with the stored web scripts. • https://blog.nintechnet.com/wordpress-elementor-plugin-fixed-svg-xss-protection-bypass-vulnerability https://www.wordfence.com/threat-intel/vulnerabilities/id/42db52ae-f881-4082-b475-8577a28641c6?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

Elementor 2.9.5 and below WordPress plugin allows authenticated users to activate its safe mode feature. This can be exploited to disable all security plugins on the blog. • https://blog.nintechnet.com/wordpress-elementor-plugin-fixed-safe-mode-privilege-escalation-vulnerability • CWE-862: Missing Authorization

CVSS: 6.4 • EPSS: 0% • CPEs: 1 • EXPL: 0

A stored XSS vulnerability exists in the Custom Link Attributes control Affect function in Elementor Page Builder 2.9.2 and earlier versions. It is caused by inadequate filtering on the link custom attributes. • https://wordpress.org/plugins/elementor/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')