Share
## https://sploitus.com/exploit?id=1C02DF0B-7ED8-517D-9DD8-A588E6307140
# Royal Elementor Addons โ‰ค 1.3.78 โ€“ Unauthenticated Arbitrary File Upload (RCE)

## ๐Ÿ“Œ Overview

This repository contains a **modified proof-of-concept exploit** for the WordPress plugin  
**Royal Elementor Addons and Templates** (versions **โ‰ค 1.3.78**).

The vulnerability allows **unauthenticated arbitrary file upload**, which can be abused to upload
a PHP file and achieve **Remote Code Execution (RCE)**.

- **CVE**: CVE-2023-5360
- **Vulnerability Type**: Unauthenticated File Upload โ†’ RCE
- **Affected Plugin**: Royal Elementor Addons and Templates
- **Fixed Version**: 1.3.79+

---

## ๐Ÿ”ง Modification Notes

This version is a **fully rewritten variant** of the original exploit with the following changes:

- โœ… Uses **ONLY Python standard library**
- โŒ No third-party dependencies (`requests`, `rich`, etc.)
- ๐Ÿ”„ Replaced `requests` โ†’ `urllib.request`
- ๐Ÿ”„ Replaced `rich` output โ†’ native `print()`
- ๐Ÿ” SSL verification disabled via `ssl` module
- ๐Ÿงช Intended for **CTF labs, security research, and learning purposes**

All original exploitation logic remains intact.

---

## ๐Ÿง  How the Vulnerability Works

The plugin exposes an AJAX endpoint:
- /wp-admin/admin-ajax.php


This endpoint:
- Accepts file uploads
- Relies on a **client-side nonce**
- Fails to properly validate file extensions

By abusing the `allowed_file_types` parameter and using a crafted filename
(e.g. `ph$p`), it is possible to upload a PHP file that executes on the server.

---

## ๐Ÿ“ฆ Features

- Automatic nonce extraction from `WprConfig` JavaScript object
- Supports custom PHP shell upload
- Generates a default PHP web shell if none is provided
- Returns the uploaded shell URL on success
- Works against both HTTP and HTTPS targets

---

## ๐Ÿ›  Requirements

- Python **3.7+**
- Target running:
  - WordPress
  - Royal Elementor Addons โ‰ค 1.3.78

No additional Python libraries required.

---

## ๐Ÿš€ Usage

### Basic usage (auto-generated shell)
```bash
python3 exploit.py -u https://target-site.com/
```

## Upload a custom PHP shell
```bash
python3 exploit.py -u https://target-site.com/ -f shell.php
```

## Example successful output
```bash
[+] Shell uploaded successfully: https://target-site.com/wp-content/uploads/royal-addons/poc.ph$p
[>] Access it with: ?cmd=id
```

## ๐Ÿงช Tested Environment

- WordPress 6.3.1
- Royal Elementor Addons 1.3.78
- Ubuntu 22.04
- Apache2
- PHP 8.1

## โš ๏ธ Disclaimer

This code is provided strictly for educational purposes, security research, and authorized testing only.

- โŒ Do NOT use against systems you do not own or have explicit permission to test

- โŒ Unauthorized use may be illegal

- โœ… The author is not responsible for misuse

## ๐Ÿ‘ค Credits
### Original Exploit

- Author: Sheikh Mohammad Hasan
- GitHub: https://github.com/4m3rr0r
- Exploit-DB ID: 52127

### Modified Version

- Modified by: Laviru Dilshan Jr.
- Purpose: CTFs & Security Research
- Github: https://github.com/LaviruDilshan
- Changes: Standard-library-only rewrite

## ๐Ÿ“š References
- https://nvd.nist.gov/vuln/detail/CVE-2023-5360
- https://wordpress.org/plugins/royal-elementor-addons/
- https://www.exploit-db.com/exploits/52127