WordPress LifterLMS plugin version 4.21.1 suffers from an insecure direct object reference vulnerability.
a9bf8e3988c933dcf42e033244229a8b5073b6a3826a785692f104874ed4a3e5# Exploit Title: WordPress Plugin LifterLMS 4.21.1 - Access Other Student Grades/Answers via IDOR
# Date: 2021-05-17
# Exploit Author: captain_hook
# Vendor Homepage: https://lifterlms.com
# Software Link: https://lifterlms.com
# Version: 4.21.1
# Tested on: any
Description
The plugin was affected by an IDOR issue, allowing students to see other student answers and grades
Proof of Concept
- Add 2 users with Student role for the scenario .
- Create A course With a quiz ( I picked True or Flase question for my quiz)
- Set Enrol on Free ( for the ease of scenario )
- Enrol into the Course with Student B and submit your answer to the Course .
The plugin will give a token like :
https://soft-dream.myliftersite.com/quiz/%d8%ac%d9%85%d8%b9-quiz/?attempt_key=wYK
To Check your answer was true or false.
Now Login as a Student A and Enroll in the Course. You can just use
the URL https://soft-dream.myliftersite.com/quiz/%d8%ac%d9%85%d8%b9-quiz/?attempt_key=wYK
and reach the Student B answer.
Fixed in version 4.21.2✓
References
https://make.lifterlms.com/2021/05/17/lifterlms-version-4-21-2/
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed