Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2022-1329 PoC — Elementor Website Builder 3.6.0 - 3.6.2 - Missing Authorization to Remote Code Execution

Source
https://github.com/AkuCyberSec/CVE-2022-1329-WordPress-Elementor-3.6.0-3.6.1-3.6.2-Remote-Code-Execution-Exploit
Associated Vulnerability
Title:Elementor Website Builder 3.6.0 - 3.6.2 - Missing Authorization to Remote Code Execution (CVE-2022-1329)
Description:The Elementor Website Builder plugin for WordPress is vulnerable to unauthorized execution of several AJAX actions due to a missing capability check in the ~/core/app/modules/onboarding/module.php file that make it possible for attackers to modify site data in addition to uploading malicious files that can be used to obtain remote code execution, in versions 3.6.0 to 3.6.2.
Readme
# WordPress Plugin - Elementor 3.6.0 3.6.1 3.6.2 Remote Code Execution

```
Google Dork: none
Date: April 16 2022
Exploit Author: AkuCyberSec (https://github.com/AkuCyberSec)
Vendor Homepage: https://elementor.com/
Software Link: https://wordpress.org/plugins/elementor/advanced/ (scroll down to select the version)
Version: 3.6.0, 3.6.1, 3.62
Tested on: WordPress 5.9.3 (os-independent since this exploit does NOT provide the payload)
CVE : CVE-2022-1329
```

## VULNERABILITY DESCRIPTION

The WordPress plugin called Elementor (v. 3.6.0, 3.6.1, 3.6.2) has a vulnerability that allows any authenticated user to upload and execute any PHP file.

This vulnerability, in the OWASP TOP 10 2021, is placed in position #1 (Broken Access Control)

The file that contains this vulnerability is elementor/core/app/modules/onboarding/module.php

At the end of this file you can find this code:
```
add_action( 'admin_init', function() {
		if ( wp_doing_ajax() &&
			isset( $_POST['action'] ) &&
			isset( $_POST['_nonce'] ) &&
			wp_verify_nonce( $_POST['_nonce'], Ajax::NONCE_KEY )
		) {
			$this->maybe_handle_ajax();
		}
	} );
```

This code is triggered whenever ANY user account visits /wp-admin

In order to work we need the following 4 things:

1. The call must be an "ajax call" (wp_doing_ajax()) and the method must be POST. In order to do this, we only need to call /wp-admin/admin-ajax.php
2. The parameter "action" must be "elementor_upload_and_install_pro" (check out the function named maybe_handle_ajax() in the same file)
3. The parameter "_nonce" must be retrieved after login by inspecting the /wp-admin page (this exploit does this in DoLogin function)
4. The parameter "fileToUpload" must contain the ZIP archive we want to upload (check out the function named upload_and_install_pro() in the same file)

The file we upload must have the following structure:

1. It must be a ZIP file. You can name it as you want.
2. It must contain a folder called "elementor-pro"
3. This folder must contain a file named "elementor-pro.php"

This file will be YOUR payload (e.g. PHP Reverse Shell or anything else)

WARNING: The fake plugin we upload will be activated by Elementor, this means that each time we visit any page we trigger our payload.

If it tries, for example, to connect to an offline host, it could lead to a Denial of Service.

In order to prevent this, I suggest you to use some variable to activate the payload.

Something like this (visit anypage.php?activate=1 in order to continue with the actual payload):

```
if (!isset($_GET['activate']))
return;
```
File Snapshot

 [4.0K]  /data/pocs/a2ce0cacd5ef60c6007352d048cbd8dcdc2093c4
├── [5.9K]  exploit.py
└── [2.5K]  README.md

0 directories, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →