The Royal Elementor Addons and Templates WordPress plugin has been reported to contain a critical vulnerability tracked as CVE-2023-5360. Before version 1.3.79, the plugin did not properly validate uploaded files, enabling unauthenticated users to upload arbitrary files - including malicious PHP files. Exploitation of this vulnerability could lead to Remote Code Execution (RCE) by unauthorized attackers. In this post, we provide an analysis of the vulnerability, a code snippet illustrating the improper file validation, and details of how the issue is exploited.

Background

The Royal Elementor Addons and Templates plugin is a popular add-on for the Elementor page builder, providing additional design options and widgets for WordPress users. With over 10,000 active installations, it has become a widely used tool among web developers and designers. Unfortunately, the vulnerability in this plugin (CVE-2023-5360) poses a significant risk to all websites with the plugin installed.

Vulnerability Details

The vulnerability stems from improper validation of uploaded files. When a file is uploaded to a WordPress site, the plugin should verify that the file is of an allowed type and that the requester is permitted to upload it before writing it to disk. The Royal Elementor plugin failed to do so, enabling attackers to upload potentially malicious files. The following simplified snippet illustrates the lack of validation:

// Royal Elementor Addons and Templates before 1.3.79 (simplified illustration)
function handle_file_upload() {
  // No authentication, capability or nonce check: any request reaches this point.
  if (isset($_FILES['upload'])) {
    // No type or extension check, and the destination path is taken directly
    // from the client-supplied filename.
    move_uploaded_file($_FILES['upload']['tmp_name'], $_FILES['upload']['name']);
  }
}

As we can see, the code performs no verification at all: it does not check who is uploading, does not restrict the file type or extension, and writes the file under the name the client supplied.
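For contrast, the following is a hardened version of the handler above, added here as an example and not the plugin's own code. It assumes the WordPress core helpers (wp_check_filetype_and_ext, wp_handle_upload, check_ajax_referer) are available; the function name, the secure_upload AJAX action and the nonce name are illustrative assumptions.

```php
<?php
// Added example, not the plugin's code: a hardened upload handler that fixes
// each gap in the vulnerable snippet. Names are illustrative assumptions.
function secure_handle_file_upload() {
    // 1. Only authenticated users holding the upload_files capability may proceed.
    if ( ! is_user_logged_in() || ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 2. Require a valid nonce so the request cannot be forged cross-site.
    check_ajax_referer( 'secure_upload_action', 'nonce' );

    if ( empty( $_FILES['upload'] ) || $_FILES['upload']['error'] !== UPLOAD_ERR_OK ) {
        wp_send_json_error( 'no file uploaded', 400 );
    }

    // 3. Allowlist of extensions and MIME types. Anything not listed here,
    //    including .php/.phtml, is rejected regardless of the client-supplied name.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
    );
    $check = wp_check_filetype_and_ext(
        $_FILES['upload']['tmp_name'],
        $_FILES['upload']['name'],
        $allowed
    );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }

    // 4. Let WordPress pick the destination directory and a sanitized, unique
    //    filename instead of trusting $_FILES['upload']['name'] as a path.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $_FILES['upload'], array(
        'test_form' => false,
        'mimes'     => $allowed,
    ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
// Only the logged-in AJAX hook is registered; there is no wp_ajax_nopriv_ variant.
add_action( 'wp_ajax_secure_upload', 'secure_handle_file_upload' );
```

Note that wp_handle_upload re-applies the same allowlist via its 'mimes' override, so the explicit wp_check_filetype_and_ext call mainly serves to return a clear error before the file is moved.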

Exploit Details

To exploit this vulnerability, an attacker could craft a malicious PHP file and upload it to a WordPress site running a vulnerable version of the Royal Elementor plugin. Once uploaded, the attacker could request the PHP file remotely, which leads to RCE, compromising the website and potentially the underlying server.

To illustrate, an attacker might create a PHP file named "exploit.php" with the following contents:

<?php
  system($_GET['cmd']);
?>

The attacker then uploads this file to the target website. After a successful upload, the attacker could remotely execute commands by accessing the uploaded file using a URL such as:

http://example.com/wp-content/uploads/exploit.php?cmd=[malicious-command-here]

As a result, the attacker would gain unauthorized control over the targeted website's server.

Mitigation Steps

The vulnerability has been fixed in version 1.3.79 of the Royal Elementor Addons and Templates plugin. To protect against this and similar issues, we recommend that all WordPress users promptly update their Royal Elementor plugin installations to the latest version. Note that updating does not remove files that were already uploaded, so sites that ran a vulnerable version should also review wp-content/uploads for unexpected PHP files.

Conclusion

In summary, CVE-2023-5360 is a critical unauthenticated file upload vulnerability in the Royal Elementor Addons and Templates plugin. The exploitation could allow attackers to execute malicious code on affected websites, effectively gaining control of the host server. To ensure your WordPress site remains secure against this threat, be sure to update to version 1.3.79 of the Royal Elementor plugin or later.

Timeline

Published on: 10/31/2023 14:15:12 UTC
Last modified on: 11/29/2023 15:15:10 UTC