CVE-2020-36700 (page_builder_kingcomposer)

The Page Builder: KingComposer plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 2.9.3. This is due to a security nonce being leaked in the '/wp-admin/index.php' page. This makes it possible for authenticated attackers to change arbitrary WordPress options, delete arbitrary files/folders, and inject arbitrary content.

attackers authorization builder bypass change cve delete files folders inject leaked nonce options php plugin security vulnerable wordpress wp-admin