vulnerability
WordPress Plugin: elementor-pro: CVE-2020-26596: Improper Privilege Management
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 9 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | Oct 6, 2020 | May 15, 2025 | Apr 30, 2026 |
Severity
9
CVSS
(AV:N/AC:L/Au:S/C:C/I:C/A:C)
Published
Oct 6, 2020
Added
May 15, 2025
Modified
Apr 30, 2026
Description
The Dynamic OOO widget for the Elementor Pro plugin through 3.0.5 for WordPress allows remote authenticated users to execute arbitrary code because only the Editor role is needed to upload executable PHP code via the PHP Raw snippet. NOTE: this issue can be mitigated by removing the Dynamic OOO widget or by restricting availability of the Editor role.
Solution
elementor-pro-plugin-cve-2020-26596
References
- https://www.cve.org/CVERecord?id=CVE-2020-26596
- https://www.wordfence.com/threat-intel/vulnerabilities/id/9ef3f7a2-4ed2-4235-8a6b-f2a5cf288029?source=api-prod
- https://euvd.enisa.europa.eu/vulnerability/EUVD-2020-19141
- CVE-2020-26596
- https://attackerkb.com/topics/CVE-2020-26596
- CWE-269
- EUVD-EUVD-2020-19141
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.