Tutor LMS for WordPress Open to Info-Stealing Security Holes

tutor lms security

The popular learning-management system for teacher-student communication is rife with SQL-injection vulnerabilities.

Security vulnerabilities in Tutor LMS, a WordPress plugin installed on more than 20,000 sites, open the door to information theft and privilege escalation, according to researchers.

Tutor LMS is a learning-management system for educators that allows them to digitally reach their students. It supports course-building, student forums, multimedia classes and more. According to an analysis from Wordfence, there are five critical SQL-injection flaws in the plugin, and at least one high-severity bug stemming from unprotected AJAX endpoints.

The former “make it possible for attackers to obtain information stored in a site’s database, including user credentials, site options and other sensitive information,” researchers explained, in a posting this week.

The remaining flaws allow authenticated attackers to elevate user privileges and alter course content and settings, through the use of various AJAX actions.

Site administrators should update to the patched version, Tutor LMS v.1.8.3.

Medium-Severity SQL-Injection Bugs

The five SQL-injection vulnerabilities all rate 6.5 out of 10 on the CVSS vulnerability-rating scale, making them medium in severity. CVEs are pending for all.

The first SQL-injection issue exists in a review feature in Tutor LMS that allows students to rate their courses.

Tutor LMS offers a range of digital learning features. Click to enlarge.

To enter a rating, the plugin uses an AJAX action to process the request, according to Wordfence. If a review already exists for the current user and course, it will update the rating – if it’s new, it will create a new review and rating and add it to the database.

“By using get_var() without the use of prepare() when checking for the existence of a review, along with no SQL sanitization on the user-supplied variables, a user could inject arbitrary SQL statements while leaving a review,” researchers explained, adding that a user would need to be authenticated to carry out an attack (though creating a student profile can be easy).

The injected arbitrary SQL statements could open the door to snatching information from the site’s database, including login details for users.

“In some cases, where a MySQL server is insecurely configured, this could allow an attacker to read files and create new files containing web shells along with modifying information in the database,” researchers added.

Another SQL-injection issue was found in the ability for teachers to mark answers as correct once they have been submitted by a student.

In this case, the plugin uses an AJAX action to retrieve the initial student answer recorded in the database, while using the user-supplied value from the POST parameter answer_id as the answer ID.

Gradebooks in Tutor LMS. Click to enlarge.

“Unfortunately, there was no SQL sanitization on the user-supplied value, nor was the function using a prepared statement, making it possible for SQL queries to be injected,” according to Wordfence.

Researchers added, “This functionality was intended to be used by teachers and administrators only, however, since it was an AJAX action with no nonce protection or capability checks in place, this meant that any authenticated user, including students, had the ability to execute this action and exploit the SQL injection vulnerability.”

The team also found three UNION-based SQL-injection vulnerabilities. This type of weakness occurs when an SQL query can be joined to an already existing query, using a UNION operator. UNION operators combine results of two different queries together.

“This differs from the previous two SQL-injection types discussed because data can easily be extracted by simply adding an additional query to the already existing query, through the use of the UNION operator,” researchers explained. “This is one of the simplest, and easiest, forms of SQL-injection vulnerability that can be exploited.”

UNION-Based SQL Bugs

The first of these vulnerabilities exists in the Tutor LMS feature that allows teachers to retrieve a set of answers for a given question, while analyzing the response of students.

In order to provide this functionality, the plugin uses “get_results()” to obtain the answers from the database.

“Again, there was no SQL sanitization on the user-supplied input, nor was there any use of prepared statements,” researchers said. “This made it possible for an attacker to supply a UNION query in the ‘question_id’ parameter that would execute and provide the direct results of the query in the response to the request.”

The Tutor LMS quiz-builder. Click to enlarge.

The second UNION-based bug lies in the ability to build quizzes as a teacher on a site. The function uses various AJAX actions to make the quiz-building process easy and require fewer page reloads.

“When the ‘question_id’ parameter is supplied, the function uses ‘get_row()’ to obtain the answer data from the database,” according to Wordfence. Here again, there was no SQL sanitization on the user-supplied input.

“This function, along with the tutor_quiz_builder_get_answers_by_question() function, were intended to be for instructor and administrator use only,” explained the researchers. “Unfortunately, however, since they were AJAX actions with no nonce protection or capability checks in place, any authenticated user, including students, had the ability to execute this action and exploit the SQL-injection vulnerability.”

The last SQL injection vulnerability also stems from the quiz-creation feature. Whenever a student takes a quiz, the plugin records the results, but also allows students to go back later and change their answers.

“While retrieving those results, the function used ‘get_results()’ to retrieve the results from the database,” according to the analysis. “Due to the fact that there was no SQL-escaping on the quiz answers as they were recorded, SQL statements could be included as a quiz response. Once the data was retrieved from the database upon accessing the attempt details page, the stored SQL statements would execute and supply the requested information from the database.”

Unprotected AJAX Endpoints

And finally, Wordfence uncovered a raft of unprotected AJAX endpoints.

These “could allow low-level users like students to perform a plethora of actions that allowed them to create new quizzes, modify course information, change grades, escalate privileges and more,” according to researchers.

The most serious of these is the aforementioned high-severity privilege-escalation bug, which has a CVSS score of 8.1.

Tutor LMS allows two roles: Student or instructor. Students can request to become a teacher, and administrators can directly create new instructors on a given site.

“Unfortunately, both of these features were insecurely implemented,” according to the firm. “Unfortunately, the approval process was vulnerable due to a lack of a capability check, and authenticated students could approve themselves as instructors.”

Additionally, administrators have the option to add new instructors outside of the standard WordPress new user functionality.

“Unfortunately, there was no capability check on this AJAX action so any authenticated user could add a new instructor account and then use that to create potentially malicious content on a site,” researchers explained.

The Perils of Plugins for WordPress

This year is shaping up to be a banner year for WordPress plugin problems, with several coming to light in the first quarter of 2021 alone.

Last week, the Plus Addons for Elementor plugin was found to have a critical security vulnerability that attackers can exploit to quickly, easily and remotely take over a website. First reported as a zero-day bug, researchers said it’s being actively attacked in the wild.

In February, an unpatched, stored cross-site scripting (XSS) security bug was found to potentially affect 50,000 Contact Form 7 Style plugin users.

And in January, researchers warned of two vulnerabilities (one critical) in a WordPress plugin called Orbit Fox that could allow attackers to inject malicious code into vulnerable websites and/or take control of a website.

Also that month, a plugin called PopUp Builder, used by WordPress websites for building pop-up ads for newsletter subscriptions, was found to have a vulnerability could be exploited by attackers to send out newsletters with custom content, or to delete or import newsletter subscribers.

Register for this LIVE Event: 0-Day Disclosures: Good, Bad & Ugly: On Mar. 24 at 2 p.m. ET, Threatpost tackles how vulnerability disclosures pose a risk to companies like Microsoft – currently reeling over 0-days found in Exchange Servers. Join 0-day hunters from Intel Corp. and veteran bug bounty researchers who will untangle the 0-day economy and unpack why understanding it matters to all businesses. Register NOW for this LIVE webinar on Wed., Mar. 24.

Suggested articles