what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

WordPress Elementor 3.18.1 File Upload / Remote Code Execution

WordPress Elementor 3.18.1 File Upload / Remote Code Execution
Posted Dec 8, 2023
Authored by Hong Quan | Site wordfence.com

WordPress Elementor plugin versions 3.18.1 and below are vulnerability to remote code execution via file upload in the template import functionality.

tags | advisory, remote, code execution, file upload
advisories | CVE-2023-48777
SHA-256 | 01b8a0f082e0d770b2fe9e58091dad5e9f1821358bb5f9846f04097a0d15c05c

WordPress Elementor 3.18.1 File Upload / Remote Code Execution

Change Mirror Download
Vulnerability Summary from Wordfence Intelligence

Description: Elementor <= 3.18.1 Authenticated(Contributor+) Arbitrary File Upload to Remote Code Execution via Template Import

Affected Plugin: Elementor

Plugin Slug: elementor

Affected Versions: <= 3.18.1

CVE ID: CVE-2023-48777

Pending CVSS Score: 8.8 (Highl)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Researcher/s: Hồng Quân

Fully Patched Version: 3.18.2

The Elementor Website Builder plugin for WordPress is vulnerable to Remote Code Execution via file upload in all versions up to and including 3.18.1 via the template import functionality. This makes it possible for authenticated attackers, with contributor-level access and above, to upload files and execute code on the server. Technical Analysis The source of the issue is the handle_elementor_upload function called by the import_template Elementor AJAX function, which is accessible to Contributor-level users and above. Although it uses file type validation, vulnerable versions first save the uploaded file to a temporary directory before checking the file type, and do not delete the temporary file if it fails this validation:

public function handle_elementor_upload( array $file, $allowed_file_extensions = null{

// If $file['fileData'] is set, it signals that the passed file is a Base64 string that needs to be decoded and

// saved to a temporary file.

if ( isset( $file['fileData']) {

$file = $this->save_base64_to_tmp_file( $file );

}

$validation_result = $this->validate_file( $file, $allowed_file_extensions );

if ( is_wp_error( $validation_result) {

return $validation_result;

}

return $file;

}

This means that contributors with access to the Elementor editor could upload files of any type and they will be saved in a temporary directory with a randomized name. While attackers exploiting versions before 3.18.1 could use directory traversal to move the uploaded file into a more predictable location, the 3.18.1 partial patch sanitized the filename, meaning that it could only be uploaded directly to the temporary directory.

Since the exploit returns a 500 error and provides no feedback on the location of the temporary directory, attackers would have difficulty finding the uploaded file unless directory indexing was enabled on the server, which is no longer common due to the many security risks it presents.

Conclusion

In today's PSA, we covered a file upload vulnerability in Elementor affecting versions 3.18.1 and earlier. We strongly recommend updating to the latest version of Elementor, which is 3.18.2 as of this writing, as soon as possible, as this is a high-severity vulnerability which can be used by attackers to upload files and take control of a site.

All Wordfence users, including those running Wordfence Premium , Wordfence Care , and Wordfence Response, are fully protected against this vulnerability.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.

Did you know that Wordfence has a Bug Bounty Program ? We’ve recently increased our bounties by 6.25x until December 20th, 2023, with our bounties for the most critical vulnerabilities reaching $10,000 USD! If you’re an aspiring or current vulnerability researcher, click here to sign up.

Login or Register to add favorites

File Archive:

October 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    39 Files
  • 2
    Oct 2nd
    23 Files
  • 3
    Oct 3rd
    18 Files
  • 4
    Oct 4th
    20 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close