Executive Summary

This vulnerability exists in the Royal Elementor Addons and Templates WordPress plugin versions before 1.7.1037. It is caused by improper authorization, which allows unauthenticated users to upload media files via the 'wpr_addons_upload_file' AJAX action. An attacker can exploit this by obtaining a nonce value from the site's JavaScript configuration and then sending a crafted POST request to upload arbitrary files to the server without needing to log in. [1]

Useful 0 Not Useful 0

Impact Analysis

The vulnerability allows unauthenticated attackers to upload arbitrary files to the server, which can lead to unauthorized file uploads. This can result in malicious files being hosted on the website, potentially enabling further attacks such as remote code execution, defacement, or distribution of malware. It compromises the security and integrity of the affected website. [1]

Useful 0 Not Useful 0

Detection Guidance

You can detect this vulnerability by attempting to upload a file via the vulnerable AJAX action without authentication. First, retrieve the nonce value `wpr_addons_nonce` from the JavaScript object `WprConfig` in the browser console. Then, use a curl command to POST a file upload request to `http://example.com/wp-admin/admin-ajax.php` with form data including `action=wpr_addons_upload_file`, `triggering_event=click`, the retrieved nonce, and the file to upload. If the file uploads successfully and is accessible under `/wp-content/uploads/wpr-addons/forms`, the system is vulnerable. [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the Royal Elementor Addons and Templates WordPress plugin to version 1.7.1037 or later, where the issue has been fixed. [1]

Useful 0 Not Useful 0