CVE-2020-36700 HIGH

CVE-2020-36700: Page Builder: KingComposer < 2.9.4 - Authorization Bypass due to Improper Access Control

Vendor Kingthemes
Product Page Builder: KingComposer – Free Drag and Drop page builder by King-Theme
Weakness CWE-284
Published June 7, 2023
Last update April 8, 2026
View on NVD All CVEs

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

The Page Builder: KingComposer plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 2.9.3. This is due to a security nonce being leaked in the '/wp-admin/index.php' page. This makes it possible for authenticated attackers to change arbitrary WordPress options, delete arbitrary files/folders, and inject arbitrary content.

Key dates

02Disclosure timeline

June 7, 2023 CVE published
April 8, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-32768 Chall-Manager's invalid NetworkPolicy enables a malicious actor to pivot into another namespace CVE-2018-15372 Cisco IOS XE Software MACsec MKA Using EAP-TLS Authentication Bypass Vulnerability CVE-2021-28505 On affected Arista EOS platforms, if a VXLAN match rule exists in an IPv4 access-list that is applied to the ingress of an L2 or an L3 port/SVI, the VXLAN rule and subsequent ACL rules in that access list will ignore the specified IP protocol. CVE-2026-47200 Nuxt: Route middleware not enforced when rendering `.server.vue` pages via `/__nuxt_island/page_*` CVE-2019-10127