PSA: Critical Unauthenticated Arbitrary File Upload Vulnerability in Royal Elementor Addons and Templates Being Actively Exploited

Update: Wordfence has released a malware detection signature for wp.ph$p to Wordfence Premium, Wordfence Care, Wordfence Response, and the paid tiers of Wordfence CLI as of Monday, October 16, 2023.

Today, on October 13, 2023, the Wordfence Threat Intelligence Team became aware of a vulnerability that was recently patched in Royal Elementor Addons and Templates, a WordPress plugin installed on over 200,000 sites, that makes it possible for unauthenticated attackers to upload arbitrary files to vulnerable sites.

This allows unauthenticated attackers to upload PHP files containing malicious content, such as a backdoor, that makes remote code execution possible and leads to a complete compromise of the site. We have blocked over 46,169 attacks targeting this vulnerability in the past 30 days, and reviewing our data revealed that attacks started on or around August 30th, 2023, though we also have evidence that the exploit was being actively developed as early as July 27, 2023.

All Wordfence users running Premium, Care, or Response, as well as those still running the free version of the Wordfence plugin, are protected by the Wordfence firewall’s built in malicious file upload protection. However, we still strongly encourage users to ensure their sites are updated to the latest patched version of the plugin which is 1.3.79 due to the fact that this vulnerability is being actively exploited.

This vulnerability was originally discovered by Fioravante Souza from WPScan, and you can find all applicable references in the Wordfence Intelligence Database.

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to arbitrary file uploads in all versions up to, and including, 1.3.78. This is due to insufficient file type validation in the handle_file_upload() function called via AJAX which allows attackers to supply a preferred filetype extension to the ‘allowed_file_types‘ parameter, with a special character, which makes it possible for the uploaded file to bypass their filter list. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site’s server which may make remote code execution possible.

Due to the fact that this vulnerability is being actively exploited, we are keeping information about the technical specifications of this vulnerability limited.

Indicators of Compromise

Our earliest indicator that this vulnerability was targeted was on August 30th, well before the vulnerability was patched, however, we only see a few attacks here and there around the early days with attacks starting to ramp up later around October 3rd, 2023. In the past 30 days, we have blocked over 46,169 attacks.

A majority of the attacks appear to be coming from just the following three IP Addresses:

• 65.21.22.78 with 33,255 attacks blocked.
• 2a01:4f9:3080:4eea::2 with 12,289 attacks blocked.
• 135.181.181.50 with 206 attacks blocked.

From our data, it appears that attackers have been attempting to place files named b1ack.p$hp, which has an md5 hash of 1635f34d9c1da30ff5438e06d3ea6590 and can be used to place additional PHP files on the site, as well as wp.ph$p which has an md5 hash of bac83f216eba23a865c591dbea427f22 and inserts a malicious administrator. The Wordfence scanner has had detection for b1ack.p$hp since December 2019, and we have written a signature to detect wp.ph$p which will be released as soon as it passes our quality assurance process.

b1ack.p$hp contains the following code:

wp.ph$p contains the following code:

We recommend all site owners run a malware scan using Wordfence CLI, with the commercial signature set, or the Wordfence plugin, if utilizing the Royal Elementor Addons and Templates plugin to ensure their site has not been compromised as a result of this vulnerability.

If you believe your site has been compromised as a result of this vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.

Conclusion

In today’s post, we detailed attacks against a critical unauthenticated arbitrary file upload vulnerability in the Royal Elementor Addons and Templates plugin for WordPress that has been patched, but is actively being exploited. This vulnerability can be leveraged to upload a malicious PHP file that will make remote code execution on the server possible.

As a reminder, all Wordfence users running Premium, Care, or Response, as well as those still running the free version of the Wordfence plugin, are protected by the Wordfence firewall’s built in malicious file upload protection. However, we still strongly encourage users to ensure their sites are updated to the latest patched version of the plugin which is 1.3.79 due to the fact that this vulnerability is being actively exploited.

If you know someone who uses this plugin, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.

For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard.

Special thanks to Ramuel Gall, Wordfence Senior Security Researcher, for assistance researching this vulnerability, analyzing the attack data, and ensuring our users have adequate protection and detection coverage.