On February 15th, 2024, during our second Bug Bounty Extravaganza, we received a submission for an authenticated SQL Injection vulnerability in Tutor LMS, a WordPress plugin with more than 80,000 active installations. This vulnerability can be leveraged to extract sensitive data from the database, such as password hashes.
Props to Muhammad Hassham Nagori who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $625.00 for this discovery during our Bug Bounty Program Extravaganza. Our mission is to Secure the Web, which is why we are investing in quality vulnerability research and collaborating with researchers of this caliber through our Bug Bounty Program. We are committed to making the WordPress ecosystem more secure, which ultimately makes the entire web more secure.
All Wordfence Premium, Wordfence Care, and Wordfence Response customers, as well as those using the free version of our plugin, are protected against any exploits targeting this vulnerability by the Wordfence firewall’s built-in SQL Injection protection.
We contacted Themeum on February 22, 2024, and received a response on February 23, 2024. After providing full disclosure details, the developer released a patch on March 11, 2024. We would like to commend Themeum for their prompt response and timely patch.
We urge users to update their sites with the latest patched version of Tutor LMS, which is version 2.6.2, as soon as possible.
Vulnerability Summary from Wordfence Intelligence
Affected Plugin: Tutor LMS – eLearning and online course solution
Plugin Slug: tutor
Affected Versions: <= 2.6.1
CVE ID: CVE-2024-1751
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Muhammad Hassham Nagori
Fully Patched Version: 2.6.2
Bounty Award: $625.00
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to time-based SQL Injection via the question_id parameter in all versions up to, and including, 2.6.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber/student access or higher, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Technical Analysis
Tutor LMS is a WordPress plugin which includes many features, such as a course builder, quiz and assignment types, dashboard, payment and WooCommerce integration, and a lot of other add-ons.
Unfortunately, insecure implementation of the plugin’s Q&A questions query functionality allows for SQL injection. Examining the code reveals that the plugin uses the get_qa_questions() function in the Utils class to query Q&A questions, where the id can be specified with the ‘question_id’ parameter.
This function is called in several view files. In some cases, the ‘question_id’ GET input value is sanitized in the view file:
$question_id = Input::get( 'question_id', 0, Input::TYPE_INT );
However, there are also cases where it is not sanitized:
$question_id = Input::get( 'question_id' );
The get_qa_questions() function contains the following code:
$question_clause = $question_id ? ' AND _question.comment_ID=' . $question_id : '';
Here we can see that no sanitization function is being used on the question id in the get_qa_questions() function, although this id is always meant to be an integer.
$query = $wpdb->prepare( "SELECT {$columns_select} FROM {$wpdb->comments} _question INNER JOIN {$wpdb->posts} _course ON _question.comment_post_ID = _course.ID INNER JOIN {$wpdb->users} _user ON _question.user_id = _user.ID LEFT JOIN {$wpdb->commentmeta} _meta ON _question.comment_ID = _meta.comment_id LEFT JOIN {$wpdb->commentmeta} _meta_archive ON _question.comment_ID = _meta_archive.comment_id WHERE _question.comment_type = 'tutor_q_and_a' AND _question.comment_parent = 0 AND _question.comment_content LIKE %s {$in_course_id_query} {$question_clause} {$meta_clause} {$qna_types_caluse} {$filter_clause} {$order_condition} {$limit_offset}", $search_term );
Typically, the prepare() function would parameterize and escape the SQL query for safe execution in WordPress, thereby providing protection against SQL injection attacks. But, in this instance, the $question_clause value is not used as a parameter; it is just appended to the query as a string. This means that prepare() will not actually escape the data being passed to the SQL query, thus making it possible to break out of the current SQL query and inject new queries to extract data.
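The pattern described above, modeled as an added example (not code from Tutor LMS or Wordfence): Python's sqlite3 stands in for $wpdb, and the table, rows and function names are constructed for illustration. It shows that binding the search term does not protect a clause concatenated into the same query, while enforcing the integer type and binding the ID does.

```python
import sqlite3

# Constructed sample rows standing in for Q&A comments; not data from the plugin.
ROWS = [
    (1, "tutor_q_and_a", "How do I reset my quiz?"),
    (2, "tutor_q_and_a", "Where is the course certificate?"),
    (3, "tutor_q_and_a", "Is lesson 4 missing a video?"),
]

# Simplified stand-in for the plugin query: one bound LIKE parameter.
BASE = ("SELECT comment_ID FROM comments _question "
        "WHERE _question.comment_type = 'tutor_q_and_a' "
        "AND _question.comment_content LIKE ?")


def make_db():
    """Build an in-memory database holding the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE comments "
               "(comment_ID INTEGER, comment_type TEXT, comment_content TEXT)")
    db.executemany("INSERT INTO comments VALUES (?, ?, ?)", ROWS)
    return db


def questions_concatenated(db, question_id, search="%"):
    """Flawed pattern: the search term is bound, the ID clause is glued on as text."""
    clause = f" AND _question.comment_ID={question_id}" if question_id else ""
    return sorted(r[0] for r in db.execute(BASE + clause, (search,)))


def questions_bound(db, question_id, search="%"):
    """Hardened pattern: enforce the integer type, then bind the ID as a parameter."""
    if question_id in (None, "", 0, "0"):
        rows = db.execute(BASE, (search,))  # no ID filter requested
    else:
        text = str(question_id)
        if not (text.isascii() and text.isdigit()):
            raise ValueError("question_id must be a non-negative integer")
        rows = db.execute(BASE + " AND _question.comment_ID = ?",
                          (search, int(text)))
    return sorted(r[0] for r in rows)


if __name__ == "__main__":
    db = make_db()
    # A non-integer ID changes the WHERE logic and defeats the bound search filter.
    print(questions_concatenated(db, "1 OR 1=1", "%quiz%"))
    print(questions_bound(db, "2"))
```

In WordPress itself, the equivalent fix is to cast the ID to an integer and pass it to prepare() through a %d placeholder instead of concatenating it into the query string.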
Union-Based SQL injection is not possible due to the structure of the query, which means an attacker would need to use a Time-Based blind approach to extract information from the database. This means that they would need to use SQL CASE statements along with the SLEEP() command while observing the response time of each request to steal information from the database. This is an intricate, yet frequently successful method to obtain information from a database when exploiting SQL Injection vulnerabilities.
Wordfence Firewall
The following graphic demonstrates the steps to exploitation an attacker might take and at which point the Wordfence firewall would block an attacker from successfully exploiting the vulnerability.
The Wordfence firewall rule detects the malicious SQL query and blocks the request.
Disclosure Timeline
February 15, 2024 – We receive the submission of the SQL Injection vulnerability in Tutor LMS via the Wordfence Bug Bounty Program.
February 22, 2024 – We validate the report and confirm the proof-of-concept exploit.
February 22, 2024 – We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion.
February 23, 2024 – The vendor confirms the inbox for handling the discussion.
February 24, 2024 – We send over the full disclosure details. The vendor acknowledges the report and begins working on a fix.
March 11, 2024 – The fully patched version of the plugin, 2.6.2, is released.
Conclusion
In this blog post, we detailed a SQL Injection vulnerability within the Tutor LMS plugin affecting versions 2.6.1 and earlier. This vulnerability allows authenticated threat actors to inject malicious SQL queries to steal sensitive information from the database. The vulnerability has been fully addressed in version 2.6.2 of the plugin.
We encourage WordPress users to verify that their sites are updated to the latest patched version of Tutor LMS.
All Wordfence users, including those running Wordfence Premium, Wordfence Care, and Wordfence Response, as well as sites running the free version of Wordfence, are fully protected against this vulnerability.
If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.