High severity8.8NVD Advisory· Published Jun 7, 2023· Updated Apr 8, 2026

CVE-2020-36701

Description

The Page Builder: KingComposer plugin for WordPress is vulnerable to Arbitrary File Uploads in versions up to, and including, 2.9.3 via the 'process_bulk_action' function in the 'kingcomposer/includes/kc.extensions.php' file. This makes it possible for authenticated users with author level permissions and above to upload arbitrary files onto the server which can be used to execute code on the server.

Affected products

King Theme/Page Builder Kingcomposer
cpe:2.3:a:king-theme:page_builder_king_composer:*:*:*:*:*:wordpress:*:*
Range: <=2.9.3

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

plugins.trac.wordpress.org/changesetnvdPatch
blog.nintechnet.com/wordpress-kingcomposer-page-builder-fixed-multiple-critical-vulnerabilities/nvdExploit
www.wordfence.com/threat-intel/vulnerabilities/id/45a62dd0-386c-41b3-b8dd-ced443da9f92nvdThird Party Advisory
wordpress.org/plugins/kingcomposer/nvdProduct

News mentions

No linked articles in our index yet.

cvss	0.572
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000