cbcvebase.
CVE-2023-5360
published 2023-10-31


Priority: P193 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 81.69% (99.6th percentile)
The Royal Elementor Addons and Templates WordPress plugin before 1.3.79 does not properly validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as PHP and achieve RCE.

Affected

1 range
Vendor: royal-elementor-addons · Product: royal_elementor_addons · Version range: < 1.3.79 · Fixed in: 1.3.79

Detection & IOCs (extracted from sources)

path: /wp-admin/admin-ajax.php
path: /wp-content/uploads/wpr-addons/forms/
other: allowed_file_types: ph$p
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Suspected WordPress Plugin Royal Elementor RCE (CVE-2023-5360)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/wp-admin/admin-ajax.php"; endswith; http.content_type; content:"multipart/form-data|3b 20|boundary="; startswith; http.request_body; content:"form-data|3b 20|name=|22|wpr_addons_nonce|22|"; fast_pattern; content:"form-data|3b 20|name=|22|max_file_size|22|"; distance:0; content:"form-data|3b 20|name=|22|allowed_file_types|22|"; distance:0; content:"form-data|3b 20|name=|22|triggering_event|22|"; distance:0; content:"form-data|3b 20|name=|22|uploaded_file|22 3b 20|"; distance:0; reference:url,nvd.nist.gov/vuln/detail/CVE-2023-5360; reference:cve,2023-5360; classtype:attempted-admin; sid:2049627; rev:1;)
  • Exploit POST requests target /wp-admin/admin-ajax.php with multipart/form-data body containing fields: wpr_addons_nonce, max_file_size, allowed_file_types, triggering_event, and uploaded_file — all present in a single request.
  • The bypass technique manipulates the 'allowed_file_types' field value to 'ph$p' (or similar obfuscated PHP extension) to circumvent the plugin's extension allowlist validation.
  • After successful exploitation, monitor for newly created PHP webshells under the path /wp-content/uploads/wpr-addons/forms/*.php.
  • Monitor WordPress user creation events for the rogue admin account named 'wordpress_administrator', which is a strong indicator of post-exploitation activity.
  • Nonce value for the exploit request can be extracted from the page source via the WprConfig JavaScript object: regex 'WprConfig\s*=\s*{[^}]*"nonce"\s*:\s*"([^"]*)"'.
  • Attack volume spiked significantly starting October 3, 2023; the majority of attacks originated from just two IP addresses, suggesting a narrow threat actor set.
  • The vulnerability only affects Royal Elementor Addons and Templates versions prior to 1.3.79; version 1.3.79 contains the patch.
  • Updating to version 1.3.79 does NOT automatically remove already-uploaded malicious files or infections; manual site cleanup is required post-patching.
  • The exploit is unauthenticated: no WordPress credentials are required to trigger the file upload, so every internet-exposed instance of the vulnerable plugin is at risk.
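Detection logic for the request pattern described above, as an added example written for this page rather than code from the plugin, the Snort rule's author or any of the record's sources. It mirrors the Snort rule (POST to admin-ajax.php with a multipart body carrying all five wpr-addons fields) and adds a check that normalises the allowed_file_types value so that the 'ph$p'-style obfuscation is caught; the minimal multipart parser, the normalisation rule and the two sample bodies are my own constructions.

```python
import re

# Form fields the Snort rule in this record requires in a single POST body.
REQUIRED_FIELDS = {"wpr_addons_nonce", "max_file_size", "allowed_file_types",
                   "triggering_event", "uploaded_file"}
TARGET_PATH = "/wp-admin/admin-ajax.php"

# One multipart part: Content-Disposition line, optional extra headers, blank line, value.
PART_RE = re.compile(
    r'form-data; name="(?P<name>[^"]+)"(?:; filename="[^"]*")?\r\n'
    r'(?:[^\r\n]+\r\n)*\r\n(?P<value>.*?)(?=\r\n--)', re.S)

def parse_multipart(body: str) -> dict:
    """Map field name -> value for a multipart/form-data body (minimal, for captures)."""
    return {m.group("name"): m.group("value") for m in PART_RE.finditer(body)}

def looks_like_php_type(allowed: str) -> bool:
    """The record's 'ph$p' value beats a naive allowlist comparison, so compare on a
    normalised token (lowercase, non-alphanumerics removed). Assumption: any token
    that normalises to contain 'php' is suspicious."""
    return any("php" in re.sub(r"[^a-z0-9]", "", t.lower())
               for t in allowed.split(","))

def inspect_request(method: str, path: str, content_type: str, body: str) -> dict:
    """Classify one captured request. 'match' mirrors the Snort rule's conditions;
    'php_bypass' additionally flags an obfuscated PHP extension in allowed_file_types."""
    result = {"match": False, "php_bypass": False}
    if method != "POST" or path != TARGET_PATH:
        return result
    if not content_type.startswith("multipart/form-data; boundary="):
        return result
    fields = parse_multipart(body)
    result["match"] = REQUIRED_FIELDS.issubset(fields)
    result["php_bypass"] = result["match"] and looks_like_php_type(
        fields.get("allowed_file_types", ""))
    return result

# Constructed sample bodies (not captured traffic): one carrying the five fields
# with the obfuscated allowed_file_types value, one benign contact-form submission.
CT = "multipart/form-data; boundary=B"
SUSPECT_BODY = (
    '--B\r\nContent-Disposition: form-data; name="wpr_addons_nonce"\r\n\r\nabc123\r\n'
    '--B\r\nContent-Disposition: form-data; name="max_file_size"\r\n\r\n1024\r\n'
    '--B\r\nContent-Disposition: form-data; name="allowed_file_types"\r\n\r\nph$p\r\n'
    '--B\r\nContent-Disposition: form-data; name="triggering_event"\r\n\r\nclick\r\n'
    '--B\r\nContent-Disposition: form-data; name="uploaded_file"; filename="f.ph$p"\r\n'
    'Content-Type: application/octet-stream\r\n\r\nplaceholder\r\n--B--\r\n')
BENIGN_BODY = ('--B\r\nContent-Disposition: form-data; name="email"\r\n\r\n'
               'a@example.com\r\n--B--\r\n')
```

Feed it requests reconstructed from a WAF or proxy capture; the Snort rule on this page fires on the same five-field pattern, and the extra normalisation step is what distinguishes a genuine bypass attempt from a legitimate form post that merely reuses the endpoint.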

CVSS provenance

nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck · 9.8 CRITICAL