CVE-2020-13125 is a security vulnerability in the Ultimate Addons for Elementor plugin before 1.24.2 for WordPress. This page covers its impact, affected systems, and mitigation steps.
An issue was discovered in the "Ultimate Addons for Elementor" plugin before 1.24.2 for WordPress, as exploited in the wild in May 2020 in conjunction with CVE-2020-13126. Unauthenticated attackers can create users with the Subscriber role even if registration is disabled.
Understanding CVE-2020-13125
This CVE relates to a vulnerability in the "Ultimate Addons for Elementor" plugin for WordPress.
What is CVE-2020-13125?
CVE-2020-13125 is a security vulnerability found in the "Ultimate Addons for Elementor" plugin before version 1.24.2 for WordPress. It allows unauthenticated attackers to create users with the Subscriber role, even when registration is disabled.
The Impact of CVE-2020-13125
The impact of this vulnerability is rated as HIGH with a CVSS base score of 7.2. It poses a risk of unauthorized user creation on affected WordPress sites.
Technical Details of CVE-2020-13125
This section provides more technical insights into the CVE.
Vulnerability Description
The vulnerability allows unauthenticated attackers to create users with the Subscriber role on WordPress sites using the affected plugin.
Affected Systems and Versions
Exploitation Mechanism
Mitigation and Prevention
To address CVE-2020-13125, follow these mitigation steps:
Immediate Steps to Take
Long-Term Security Practices
Patching and Updates
Ensure timely installation of security patches and updates for all WordPress plugins and themes.
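As an added example (not code from the plugin or from this advisory), the following Python sketch checks an installed version against the fixed release 1.24.2 and flags Subscriber-only accounts registered while self-registration was disabled, which is the condition this CVE describes. It assumes rows exported from the standard WordPress `wp_users` and `wp_usermeta` tables and the `users_can_register` option; the sample rows and the 2020-05-01 review window are constructed.

```python
import re
from datetime import datetime

FIXED_VERSION = (1, 24, 2)  # first fixed release named in the advisory text

def is_affected(plugin_version):
    """True when the installed plugin version is older than 1.24.2."""
    parts = [int(p) for p in re.findall(r"\d+", plugin_version)[:3]]
    parts += [0] * (3 - len(parts))  # treat "1.24" as 1.24.0
    return tuple(parts) < FIXED_VERSION

def roles_from_capabilities(serialized):
    """Extract granted roles from a PHP-serialized wp_capabilities value."""
    return {m.group(1) for m in re.finditer(r's:\d+:"([^"]+)";b:1;', serialized)}

def unexpected_subscribers(users, users_can_register, since):
    """Logins of Subscriber-only accounts registered on or after `since`
    while self-registration was disabled (users_can_register == "0")."""
    if str(users_can_register) != "0":
        return []  # with open registration, new subscribers are expected
    flagged = []
    for u in users:
        registered = datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S")
        only_subscriber = roles_from_capabilities(u["wp_capabilities"]) == {"subscriber"}
        if only_subscriber and registered >= since:
            flagged.append(u["user_login"])
    return flagged

# Constructed sample rows (wp_users joined with the wp_capabilities usermeta value).
SAMPLE_USERS = [
    {"user_login": "site-admin", "user_registered": "2019-03-02 10:15:00",
     "wp_capabilities": 'a:1:{s:13:"administrator";b:1;}'},
    {"user_login": "old-reader", "user_registered": "2019-11-20 08:00:00",
     "wp_capabilities": 'a:1:{s:10:"subscriber";b:1;}'},
    {"user_login": "example-new-1", "user_registered": "2020-05-06 03:12:44",
     "wp_capabilities": 'a:1:{s:10:"subscriber";b:1;}'},
]

if __name__ == "__main__":
    print("affected:", is_affected("1.24.1"))
    # Review window start is an assumption; set it to when the plugin was installed.
    print("review:", unexpected_subscribers(SAMPLE_USERS, "0", datetime(2020, 5, 1)))
```

Flagged accounts are candidates for review, not proof of compromise, since an administrator can also create Subscriber accounts by hand while registration is disabled.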