CVE-2022–1329 — RCE in Wordpress plugin “Elementor”

We recommend you to read our previous post to get better understanding of the CVE analysis Research project. As part of this project, Yogesh worked on performing deep dive into CVE-2022–1329. (Refer original report on github)

About Product

Elementor is a drag and drop website builder plugin for WordPress, that works on any theme and allows you to create and edit pages without code. Vulnerable version include elementor Plugin Version: 3.6.0, 3.6.1, 3.62 WordPress Version: 5.9.3

Vulnerability

A vulnerability was found in Elementor Website Builder Plugin 3.6.0/3.6.2 on WordPress (WordPress Plugin). It has a CVSS score of 8.8 and affects an unknown code block of the file ~/core/app/modules/onboarding/module.php of the component AJAX Action Handler. The flaw allows any authenticated user to upload arbitrary PHP code on the site running a vulnerable version of the Elementor plugin, which enables the malicious user to take over the site or access additional resources on the server. Attacker leverages Broken Access Control (#1 in OWASP TOP 10 2021)

The Vulnerable function is add_action() which is a part of Wordpress API , is responsible to call a private function upload_and_install_pro() indirectly, which allow us to upload a ZIP file and install the pro version of elementor.

The admin_init is triggered whenever a user visits the wp-admin page no matter if we are regular user or admin user.

his expects a ZIP file in which there is a folder named “elementor-pro” as plugin which activates the elementorpro.php present in the elementor folder.

Methodology

In order to work we need the following 4 things:

#1 The call must be an “ajax call” (wp_doing_ajax()) and the method must be POST. In order to do this, we only need to call /wp-admin/admin-ajax.php

#2 The parameter “action” must be “elementor_upload_and_install_pro” (check out the function named maybe_handle_ajax() in the same file)

#3 The parameter “_nonce” must be retrieved after login by inspecting the /wp-admin page (this exploit does this in DoLogin function)

#4 The parameter “fileToUpload” must contain the ZIP archive we want to upload (check out the function named upload_and_install_pro() in the same file)

The file we upload must have the following structure:

1. It must be a ZIP file. You can name it as you want.
2. It must contain a folder called “elementor-pro”
3. This folder must contain a file named “elementor-pro.php

Exploit/Proof of Concept

Following steps can be used to test your environment.

#1 Have a proper setup in which you have made a static site using WordPress which has the elementor plugin installed in it (the version of the elementor should be 3.6.0 to 3.6.2) in your localhost. You should also have the guest account which doesn’t have high privileges.

#2 Make a ZIP file which have the “elementor-pro” folder in it, which would have the PHP Reverse shell named as “elementor-pro.php”, to make it legitimate we must add the header which is used by the WordPress to display the information about the plugin in admin control panel. And add your machine IP address and port in which you must listen and get a PHP reverse shell

#3 First, we have to verify that we are able to get the value of nonce (Nonce is a number or key used once. WordPress uses Nonces to protect URLs and forms from getting misused by malicious hack attempts). If your exploit is successfully executed, you will get this

Now make the necessary changes in the exploit (i.e., base URL, file path of ZIP archive, username & password)

Run the exploit and you would get the result as Reverse shell in the port that you are listening.

Also, we can verify that when there is an addition of the elementor-pro folder in the plugin under wp-content folder in WordPress directory.

Mitigation

Update the vulnerable version of elementor plugin and WordPress to the latest — https://elementor.com/blog/update-wordpress/

References

https://github.com/AkuCyberSec/CVE-2022-1329-WordPress-Elementor-3.6.0-3.6.1-3.6.2-Remote-Code-Execution-Exploit https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php • https://nvd.nist.gov/vuln/detail/CVE-2022-1329 https://www.youtube.com/watch?v=tIhN1svzAYk https://www.youtube.com/watch?v=GlLRYml8mCY