On February 15th, 2024, during our second Bug Bounty Extravaganza, we received a submission for an authenticated SQL Injection vulnerability in Tutor LMS, a WordPress plugin with more than 80,000 active installations.
Props to Muhammad Hassham Nagori who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program.
Our mission is to Secure the Web, which is why we are investing in quality vulnerability research and collaborating with researchers of this caliber through our Bug Bounty Program.
All Wordfence Premium, Wordfence Care, and Wordfence Response customers, as well as those using the free version of our plugin, are protected against any exploits targeting this vulnerability by the Wordfence firewall's built-in SQL Injection protection.
The Tutor LMS - eLearning and online course solution plugin for WordPress is vulnerable to time-based SQL Injection via the question id parameter in all versions up to, and including, 2.6.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.
This makes it possible for authenticated attackers, with subscriber/student access or higher, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Tutor LMS is a WordPress plugin which includes many features, such as a course builder, quiz and assignment types, dashboard, payment and WooCommerce integration, and a lot of other add-ons.
Insecure implementation of the plugin's Q&A questions query functionality allows for SQL injection.
Typically, the prepare() function would parameterize and escape the SQL query for safe execution in WordPress, thereby providing protection against SQL injection attacks.
In the affected query, however, the user-supplied question id is not bound through a prepare() placeholder (the "lack of sufficient preparation" noted above), so prepare() does not actually escape the data being passed to the SQL query, making it possible to break out of the current SQL query and inject new queries to extract data.
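To make the distinction concrete, here is an added illustration of the pattern the two paragraphs above describe; it is not code from Tutor LMS or from Wordfence. It assumes a WordPress runtime where the global $wpdb is available; the table name, the function names, and the callers are hypothetical. The first function interpolates the request parameter into the SQL text before prepare() ever sees it, so prepare() has no placeholder to bind and applies no escaping; the second binds the same value through a %d placeholder, which prepare() casts to an integer and escapes.

```php
<?php
// Added example; not the plugin's own code. Assumes WordPress ($wpdb, absint()).
// Table name "example_qa" and both function names are hypothetical.

/**
 * Vulnerable pattern: $question_id is concatenated into the query string
 * before prepare() runs. prepare() then receives a query with no placeholder,
 * so there is nothing for it to escape; whatever the client sent is already
 * part of the SQL text and can change the structure of the query.
 */
function example_get_question_vulnerable( $question_id ) {
	global $wpdb;
	$table = $wpdb->prefix . 'example_qa';

	$sql = "SELECT * FROM {$table} WHERE question_id = {$question_id}";

	// No placeholder present: prepare() emits a _doing_it_wrong notice and
	// hands the query back essentially unchanged. The value is NOT escaped.
	return $wpdb->get_row( $wpdb->prepare( $sql ) );
}

/**
 * Hardened pattern: the value is passed as a separate argument and bound via
 * %d. prepare() casts it to an integer, so a non-numeric string collapses to 0
 * and can never become part of the query structure. Use %s (never quoted
 * placeholders) for string columns; prepare() adds the quoting itself.
 */
function example_get_question_safe( $question_id ) {
	global $wpdb;
	$table = $wpdb->prefix . 'example_qa';

	$sql = $wpdb->prepare(
		"SELECT * FROM {$table} WHERE question_id = %d",
		absint( $question_id ) // defence in depth: sanitise before binding
	);

	return $wpdb->get_row( $sql );
}

// Hypothetical caller, e.g. an AJAX handler. Authorization (can this user see
// this question?) is a separate check that prepare() does not provide.
function example_handle_request() {
	$question_id = isset( $_POST['question_id'] ) ? $_POST['question_id'] : 0;
	return example_get_question_safe( $question_id );
}
```

The point to take from the pair: prepare() only protects values that reach it through placeholders. Any value spliced into the query string by concatenation or interpolation, even when the result is later passed to prepare(), is executed exactly as received. A quick review check for WordPress code is to grep for prepare() calls whose query argument contains a PHP variable other than the table prefix.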
Union-Based SQL injection is not possible due to the structure of the query, which means an attacker would need to use a Time-Based blind approach to extract information from the database.
This is an intricate, yet frequently successful method to obtain information from a database when exploiting SQL Injection vulnerabilities.
The following graphic demonstrates the steps an attacker might take toward exploitation, and the point at which the Wordfence firewall would block the attacker from successfully exploiting the vulnerability.
The Wordfence firewall rule detects the malicious SQL query and blocks the request.
February 15, 2024 - We receive the submission of the SQL Injection vulnerability in Tutor LMS via the Wordfence Bug Bounty Program.
In this blog post, we detailed a SQL Injection vulnerability within the Tutor LMS plugin affecting versions 2.6.1 and earlier.
This vulnerability allows authenticated threat actors to inject malicious SQL queries to steal sensitive information from the database.
The vulnerability has been fully addressed in version 2.6.2 of the plugin.
We encourage WordPress users to verify that their sites are updated to the latest patched version of Tutor LMS. All Wordfence users, including those running Wordfence Premium, Wordfence Care, and Wordfence Response, as well as sites running the free version of Wordfence, are fully protected against this vulnerability.
If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.
This Cyber News was published on www.wordfence.com. Publication date: Tue, 19 Mar 2024 15:13:06 +0000