## https://sploitus.com/exploit?id=1C02DF0B-7ED8-517D-9DD8-A588E6307140
# Royal Elementor Addons โค 1.3.78 โ Unauthenticated Arbitrary File Upload (RCE)
## ๐ Overview
This repository contains a **modified proof-of-concept exploit** for the WordPress plugin
**Royal Elementor Addons and Templates** (versions **โค 1.3.78**).
The vulnerability allows **unauthenticated arbitrary file upload**, which can be abused to upload
a PHP file and achieve **Remote Code Execution (RCE)**.
- **CVE**: CVE-2023-5360
- **Vulnerability Type**: Unauthenticated File Upload โ RCE
- **Affected Plugin**: Royal Elementor Addons and Templates
- **Fixed Version**: 1.3.79+
---
## ๐ง Modification Notes
This version is a **fully rewritten variant** of the original exploit with the following changes:
- โ Uses **ONLY Python standard library**
- โ No third-party dependencies (`requests`, `rich`, etc.)
- ๐ Replaced `requests` โ `urllib.request`
- ๐ Replaced `rich` output โ native `print()`
- ๐ SSL verification disabled via `ssl` module
- ๐งช Intended for **CTF labs, security research, and learning purposes**
All original exploitation logic remains intact.
---
## ๐ง How the Vulnerability Works
The plugin exposes an AJAX endpoint:
- /wp-admin/admin-ajax.php
This endpoint:
- Accepts file uploads
- Relies on a **client-side nonce**
- Fails to properly validate file extensions
By abusing the `allowed_file_types` parameter and using a crafted filename
(e.g. `ph$p`), it is possible to upload a PHP file that executes on the server.
---
## ๐ฆ Features
- Automatic nonce extraction from `WprConfig` JavaScript object
- Supports custom PHP shell upload
- Generates a default PHP web shell if none is provided
- Returns the uploaded shell URL on success
- Works against both HTTP and HTTPS targets
---
## ๐ Requirements
- Python **3.7+**
- Target running:
- WordPress
- Royal Elementor Addons โค 1.3.78
No additional Python libraries required.
---
## ๐ Usage
### Basic usage (auto-generated shell)
```bash
python3 exploit.py -u https://target-site.com/
```
## Upload a custom PHP shell
```bash
python3 exploit.py -u https://target-site.com/ -f shell.php
```
## Example successful output
```bash
[+] Shell uploaded successfully: https://target-site.com/wp-content/uploads/royal-addons/poc.ph$p
[>] Access it with: ?cmd=id
```
## ๐งช Tested Environment
- WordPress 6.3.1
- Royal Elementor Addons 1.3.78
- Ubuntu 22.04
- Apache2
- PHP 8.1
## โ ๏ธ Disclaimer
This code is provided strictly for educational purposes, security research, and authorized testing only.
- โ Do NOT use against systems you do not own or have explicit permission to test
- โ Unauthorized use may be illegal
- โ The author is not responsible for misuse
## ๐ค Credits
### Original Exploit
- Author: Sheikh Mohammad Hasan
- GitHub: https://github.com/4m3rr0r
- Exploit-DB ID: 52127
### Modified Version
- Modified by: Laviru Dilshan Jr.
- Purpose: CTFs & Security Research
- Github: https://github.com/LaviruDilshan
- Changes: Standard-library-only rewrite
## ๐ References
- https://nvd.nist.gov/vuln/detail/CVE-2023-5360
- https://wordpress.org/plugins/royal-elementor-addons/
- https://www.exploit-db.com/exploits/52127