
POC details: 55d359b632ca7a716c0f99841abd898b249e9ec3

Source
Related vulnerability
Title: Elementor security vulnerability (CVE-2022-1329)
Description: Elementor is a website builder from the Israeli company Elementor that lets WordPress users create and edit websites. Elementor versions 3.6.0 through 3.6.2 contain a security vulnerability; no further details are available at present, so watch CNNVD or the vendor's advisory for updates.
Introduction
# CVE-2022-1329

The Elementor Website Builder plugin for WordPress, in versions 3.6.0 to 3.6.2, is vulnerable to unauthorized execution of several AJAX actions due to a missing capability check in the ~/core/app/modules/onboarding/module.php file. This makes it possible for authenticated attackers to modify site data and to upload malicious files that can be used to obtain remote code execution.
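As an added illustration (not Elementor's code and not the diff from the referenced changeset), the shape of the bug class: a WordPress AJAX handler hooked on `wp_ajax_*` is reachable through `admin-ajax.php` by every logged-in user, so unless the handler performs its own capability check a Subscriber account can drive it. The handler and hook names (`acme_onboarding_*`), the `site_name` and `plugin_zip` request fields and the `acme_onboarding` nonce action are hypothetical; the WordPress functions used (`current_user_can`, `check_ajax_referer`, `unzip_file`, `wp_send_json_success` / `wp_send_json_error`) are real core APIs.

```php
<?php
/**
 * Added example, not from the Elementor code base.
 *
 * Both handlers below do the same two things an onboarding flow might do:
 * rename the site and unpack an uploaded plugin archive. The only
 * difference is who is allowed to trigger them.
 */

// Sink shared by both variants: unzip an uploaded archive into the plugins
// directory. Because the archive can contain arbitrary PHP, whoever can
// reach this function can execute code on the server.
function acme_install_plugin_from_upload( array $file ) {
    require_once ABSPATH . 'wp-admin/includes/file.php';
    WP_Filesystem();
    return unzip_file( $file['tmp_name'], WP_PLUGIN_DIR );
}

// VULNERABLE PATTERN: the handler assumes "logged in" means "administrator".
// wp_ajax_* fires for any authenticated user, so a Subscriber can change
// site data and upload a plugin archive here.
function acme_onboarding_vulnerable() {
    $name = isset( $_POST['site_name'] ) ? sanitize_text_field( wp_unslash( $_POST['site_name'] ) ) : '';
    if ( '' !== $name ) {
        update_option( 'blogname', $name );
    }
    if ( ! empty( $_FILES['plugin_zip'] ) ) {
        acme_install_plugin_from_upload( $_FILES['plugin_zip'] );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_acme_onboarding', 'acme_onboarding_vulnerable' );

// HARDENED PATTERN: fail closed on capability first, then on CSRF, then
// process input. install_plugins is the capability core itself requires
// for plugin uploads; manage_options covers changing site options.
function acme_onboarding_hardened() {
    if ( ! current_user_can( 'install_plugins' ) || ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // A capability check alone still leaves CSRF open: an admin tricked into
    // visiting an attacker page could be made to fire this request.
    check_ajax_referer( 'acme_onboarding', 'nonce' );

    $name = isset( $_POST['site_name'] ) ? sanitize_text_field( wp_unslash( $_POST['site_name'] ) ) : '';
    if ( '' !== $name ) {
        update_option( 'blogname', $name );
    }
    if ( ! empty( $_FILES['plugin_zip'] ) ) {
        acme_install_plugin_from_upload( $_FILES['plugin_zip'] );
    }
    wp_send_json_success();
}
// Swap the hook to the hardened handler in place of the vulnerable one:
// add_action( 'wp_ajax_acme_onboarding', 'acme_onboarding_hardened' );
```

When triaging a site, the check is the plugin version header in `wp-content/plugins/elementor/elementor.php`: anything in 3.6.0 through 3.6.2 is affected, and the first unaffected release is 3.6.3. If an affected version was exposed with open registration or any low-privilege accounts, review `wp-content/plugins/` and `wp-content/uploads/` for archives or PHP files the site owner did not install.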

| authentication | complexity | vector |
| --- | --- | --- |
| SINGLE | LOW | NETWORK |

| confidentiality | integrity | availability |
| --- | --- | --- |
| PARTIAL | PARTIAL | PARTIAL |

## CVSS Score: **6.5** (CVSS v2; the metrics above use v2 terminology)

## References

* https://plugins.trac.wordpress.org/changeset/2708766/elementor/trunk/core/app/modules/onboarding/module.php

* https://www.wordfence.com/blog/2022/04/elementor-critical-remote-code-execution-vulnerability/

* https://www.pluginvulnerabilities.com/2022/04/12/5-million-install-wordpress-plugin-elementor-contains-authenticated-remote-code-execution-rce-vulnerability/

* http://packetstormsecurity.com/files/168615/WordPress-Elementor-3.6.2-Shell-Upload.html

## Brut File

* [CVE-2022-1329.json](./data_brut.json)

## External Repositories

| Name | Link |
| --- | --- |
| CVE-2022-1329 | [CVE-2022-1329](https://github.com/mcdulltii/CVE-2022-1329) |
| CVE-2022-1329-WordPress-Elementor-3.6.0-3.6.1-3.6.2-Remote-Code-Execution-Exploit | [CVE-2022-1329-WordPress-Elementor-3.6.0-3.6.1-3.6.2-Remote-Code-Execution-Exploit](https://github.com/AkuCyberSec/CVE-2022-1329-WordPress-Elementor-3.6.0-3.6.1-3.6.2-Remote-Code-Execution-Exploit) |
| CVE-2022-1329-WordPress-Elementor-RCE | [CVE-2022-1329-WordPress-Elementor-RCE](https://github.com/Grazee/CVE-2022-1329-WordPress-Elementor-RCE) |


## About this repository
This repository is part of the project [Live Hack CVE](https://github.com/Live-Hack-CVE). Made by [Sn0wAlice](https://github.com/Sn0wAlice) for people who care about security and need a feed of the latest CVEs. Hope you enjoy it; don't forget to star the repo and follow me on [Twitter](https://twitter.com/Sn0wAlice) and [Github](https://github.com/Sn0wAlice).
File snapshot

[4.0K] /data/pocs/55d359b632ca7a716c0f99841abd898b249e9ec3
├── [1.7K] data_brut.json
└── [2.1K] README.md
0 directories, 2 files

Notes
    1. Accessing the material through the original source is recommended.
    2. If the source is no longer available or cannot be reached, send an email to f.jinxu#gmail.com (replace # with @) to request the local snapshot.
    3. Shenlong has taken a snapshot of the POC code; to support long-term maintenance, please consider paying for or donating towards the local POC. Thank you for your support.