WordPress LMS Tutor Plug-In Flaws Patched
Vulnerabilities Enabled Stealing of User Credentials
Researchers with the Wordfence Threat Intelligence team at WordPress security firm Defiant Inc. discovered vulnerabilities in Tutor LMS, a WordPress plug-in installed on over 20,000 sites. The flaws have been patched.
Tutor LMS is a learning-management system for educators that enables them to digitally reach their students and supports course building, student forums and multimedia classes.
The researchers discovered five flaws that could allow hackers to inject and execute arbitrary SQL statements on WordPress sites.
"This made it possible for attackers to obtain information stored in a site’s database, including user credentials, site options and other sensitive information," the researchers note. "The remaining flaws made it possible for authenticated attackers to perform several unauthorized actions, like escalate user privileges and modify course settings, through the use of various AJAX actions."
After it was notified of the issue, Tutor LMS released an initial set of patches on Dec. 30, 2020. A fully patched version of the plug-in was eventually released on Feb. 16, 2021, reports Wordfence.
"Several of the patched vulnerabilities are very severe. Therefore, we highly recommend updating to the patched version, 1.8.3, immediately," the researchers note.
Tutor LMS Features
Tutor LMS's capabilities include the ability to create and customize courses with different testing options, easy registration for both students and teachers, and the ability for students to leave reviews of courses.
"Tutor LMS allows students to leave reviews for courses. A user does need to be authenticated in order to leave a review, however, it is very easy to register as a student on sites running the Tutor LMS plugin," the researchers note.
Researchers uncovered several unprotected AJAX endpoints in Tutor LMS and described a privilege escalation bug as the most significant flaw.
"The approval process was vulnerable due to a lack of a capability check," the researchers say. This potentially gave students the ability to administer courses, including modifying course information to put malicious content on a site, change grades and create new instructors, they say.
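The defect the researchers describe, an AJAX action that skips the capability check, is easy to reproduce in any plug-in because WordPress routes every `wp_ajax_*` action to any logged-in user, and the page notes that registering as a student is trivial. The following is an added illustration, not Tutor LMS code or Wordfence's code: a handler that updates a course setting with no authorization, beside a hardened version that checks a nonce and a capability on the specific post. The action names, the meta key and the nonce action are assumptions chosen for the example; `check_ajax_referer()`, `current_user_can()`, `wp_send_json_error()` and `update_post_meta()` are standard WordPress functions.

```php
<?php
// Added example (not Tutor LMS code): an AJAX action without a capability
// check, beside a hardened version. Hook names, the meta key and the nonce
// action name are assumptions for illustration.

// Vulnerable pattern: wp_ajax_* handlers run for any authenticated user, so
// a handler that never checks capabilities lets a self-registered student
// change course settings that only an instructor or admin should control.
function example_vulnerable_update_course_setting() {
    $course_id = absint( $_POST['course_id'] ?? 0 );
    $enabled   = ! empty( $_POST['enabled'] ) ? 1 : 0;

    // No nonce check and no current_user_can(): authentication alone is
    // treated as authorization.
    update_post_meta( $course_id, '_example_course_enabled', $enabled );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_vuln_update_course', 'example_vulnerable_update_course_setting' );

// Hardened pattern: verify the request nonce (blocks cross-site requests),
// then require a capability on this specific post, then sanitize the input.
function example_hardened_update_course_setting() {
    // Dies with a 403 when the 'nonce' POST field is missing or invalid.
    check_ajax_referer( 'example_course_settings', 'nonce' );

    $course_id = absint( $_POST['course_id'] ?? 0 );

    // 'edit_post' is a meta capability: WordPress maps it to the roles that
    // may edit this particular post, so a student who can only read it fails.
    if ( 0 === $course_id || ! current_user_can( 'edit_post', $course_id ) ) {
        wp_send_json_error( array( 'message' => 'insufficient permissions' ), 403 );
    }

    $enabled = ! empty( $_POST['enabled'] ) ? 1 : 0;
    update_post_meta( $course_id, '_example_course_enabled', $enabled );
    wp_send_json_success( array( 'course_id' => $course_id, 'enabled' => $enabled ) );
}
add_action( 'wp_ajax_example_update_course', 'example_hardened_update_course_setting' );

// Nonce the hardened handler expects; render it into the settings form so
// the client can send it as the 'nonce' field with the AJAX request.
function example_course_settings_nonce() {
    return wp_create_nonce( 'example_course_settings' );
}
```

The order of the checks matters: the nonce stops a request that a logged-in user was tricked into sending, and the capability check stops a request the user sent on purpose. Neither one substitutes for the other, and a check against a generic role name is weaker than one against a meta capability on the object being modified, because the latter also prevents an instructor from editing another instructor's course.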
Another flaw in Tutor LMS, a blind-based SQL injection vulnerability, occurs when an SQL statement or query can be appended to an existing SQL query but the response reveals only whether a condition is true or false, rather than returning the full results of the query.
"An attacker can use this to pull information from a database by pulling one character at a time using specially crafted substring function queries," the Wordfence researchers note.
Another flaw is a time-based SQL injection vulnerability, which likewise occurs when an SQL statement or query is appended to an existing SQL query; in this case, however, the researchers say that no data can be gathered explicitly from the response.
"Instead, you must rely on the use of time-based SQL functions like SLEEP() and WAITFOR() while observing the response time to obtain results of the query from the database. Just like with blind-based SQL Injection, an attacker would use this to pull information from a database one character at a time using specially crafted queries containing time-based functions," the researchers say.
An additional vulnerability, a UNION-based SQL injection, occurs when an additional SQL query can be appended to an existing SQL query using the UNION operator. "This is one of the simplest and easiest forms of SQL Injection vulnerability that can be exploited. An attacker could use this type of SQLi to pull data from anywhere in the database using a simple query like SELECT * FROM wp_users;. With that query, all rows from the wp_users table would be returned," the researchers note.
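All three injection classes the researchers describe (blind, time-based and UNION-based) share one root cause: user input is spliced into the text of the SQL statement, so it can change the statement's structure. The following is an added illustration, not Tutor LMS code or Wordfence's code, showing that pattern in a WordPress `$wpdb` query beside the parameterized form. The table and column names are assumptions for the example; `$wpdb->prepare()`, `$wpdb->get_results()` and `$wpdb->esc_like()` are the real WordPress database APIs.

```php
<?php
// Added example (not Tutor LMS code): the string-concatenated query pattern
// behind UNION-, blind- and time-based SQL injection, beside the
// parameterized form using $wpdb->prepare(). Table and column names are
// assumptions; $wpdb->prefix, prepare(), get_results() and esc_like() are
// real WordPress APIs.

// Vulnerable: the value is pasted into the SQL text. Whatever it contains
// becomes part of the statement, which is what allows a UNION, a boolean
// condition or a SLEEP() call to be appended to the intended query.
function example_vulnerable_course_reviews( $wpdb, $course_id ) {
    $table = $wpdb->prefix . 'example_course_reviews';
    $sql   = "SELECT review_id, rating, review_text FROM {$table} WHERE course_id = " . $course_id;
    return $wpdb->get_results( $sql, ARRAY_A );
}

// Hardened: the value is bound through a typed placeholder. %d coerces to an
// integer and %s is quoted and escaped, so input cannot alter the statement
// structure; the table identifier is fixed in code, never user-controlled.
function example_hardened_course_reviews( $wpdb, $course_id ) {
    $course_id = absint( $course_id );
    if ( 0 === $course_id ) {
        return array();
    }
    $table = $wpdb->prefix . 'example_course_reviews';
    $sql   = $wpdb->prepare(
        "SELECT review_id, rating, review_text FROM {$table} WHERE course_id = %d",
        $course_id
    );
    return $wpdb->get_results( $sql, ARRAY_A );
}

// Free-text filters are the case developers most often get wrong: %s handles
// quoting, but LIKE wildcards (% and _) in user input must also be escaped
// with esc_like() so a search term cannot widen the match unexpectedly.
function example_hardened_search_reviews( $wpdb, $course_id, $needle ) {
    $table = $wpdb->prefix . 'example_course_reviews';
    $like  = '%' . $wpdb->esc_like( $needle ) . '%';
    $sql   = $wpdb->prepare(
        "SELECT review_id, rating FROM {$table} WHERE course_id = %d AND review_text LIKE %s",
        absint( $course_id ),
        $like
    );
    return $wpdb->get_results( $sql, ARRAY_A );
}
```

With the parameterized form, a UNION cannot be appended because the bound value never leaves its literal; a boolean condition cannot be injected because `%d` reduces the input to a single integer; and a time-based function call is just characters inside a quoted string. Preparing the statement removes the vulnerability rather than filtering attack strings, so it also covers injection variants that a keyword-based filter would miss. As defense in depth, the database account used by WordPress should not hold privileges beyond what the site needs, which limits what any remaining injection could read or change.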