CVE-2020-36701 HIGH

CVE-2020-36701: Page Builder: KingComposer < 2.9.4 - Arbitrary File Upload

Vendor Kingthemes
Product Page Builder: KingComposer – Free Drag and Drop page builder by King-Theme
Weakness CWE-434 · Unrestricted file upload
Published June 7, 2023
Last update April 8, 2026
View on NVD All CVEs

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

The Page Builder: KingComposer plugin for WordPress is vulnerable to Arbitrary File Uploads in versions up to, and including, 2.9.3 via the 'process_bulk_action' function in the 'kingcomposer/includes/kc.extensions.php' file. This makes it possible for authenticated users with author level permissions and above to upload arbitrary files onto the server which can be used to execute code on the server.

Key dates

02Disclosure timeline

June 7, 2023 CVE published
April 8, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2019-25673 UniSharp Laravel File Manager v2.0.0-alpha7 Arbitrary File Upload CVE-2024-11674 CodeAstro Hospital Management System his_doc_update-account.php unrestricted upload CVE-2025-14800 Redirection for Contact Form 7 <= 3.2.7 - Unauthenticated Arbitrary File Copy via move_file_to_upload CVE-2026-1742 EFM ipTIME A8004T VPN Service timepro.cgi commit_vpncli_file_upload unrestricted upload CVE-2025-10907 Authenticated Arbitrary File Upload in Multiple WSO2 Products via SOAP Admin Services Leading to Remote Code Execution