CVE-2020-13126

An issue was discovered in the Elementor Pro plugin before 2.9.4 for WordPress, as exploited in the wild in May 2020 in conjunction with CVE-2020-13125. An attacker with the Subscriber role can upload arbitrary executable files to achieve remote code execution. NOTE: the free Elementor plugin is unaffected.

Published: May 17, 2020
Updated: Sep 5, 2025
CVE: CVE-2020-13126
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.9
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVSS v2:

Severity: Medium
Score: 6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P

CWEs:

CWE-434

Affected Software
References

Software	From	Fixed in
elementor / elementor_page_builder	-	2.9.4
elementor-pro	-	2.9.4

https://blog.nintechnet.com/zero-day-vulnerability-exploited-in-elementor-pro/
https://wpvulndb.com/vulnerabilities/10214
https://www.wordfence.com/blog/2020/05/combined-attack-on-elementor-pro-and-ultimate-addons-for-elementor-puts-1-million-sites-at-risk/

Vulnerability Database

CVE-2020-13126

Deep Security Visibility Without the Complexity