CVE-2020-26596

Source
https://cve.org/CVERecord?id=CVE-2020-26596
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-26596.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2020-26596
Published
2020-10-07T16:15:17.343Z
Modified
2026-04-10T04:25:27.981001Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

The Dynamic OOO widget for the Elementor Pro plugin through 3.0.5 for WordPress allows remote authenticated users to execute arbitrary code because only the Editor role is needed to upload executable PHP code via the PHP Raw snippet. NOTE: this issue can be mitigated by removing the Dynamic OOO widget or by restricting availability of the Editor role.

References

Affected packages

Git / github.com/wordpress/wordpress

Affected ranges

Type
GIT
Repo
https://github.com/wordpress/wordpress
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "3.0.5"
        }
    ]
}

Affected versions

3.*
3.0.5

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-26596.json"