$1,313 Bounty Awarded for Privilege Escalation Vulnerability Patched in Academy LMS WordPress Plugin


Did you know we’re running a Bug Bounty Extravaganza again?

Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through February 29th, 2024 when you opt to have Wordfence handle responsible disclosure!


On February 14th, 2024, during our second Bug Bounty Extravaganza, we received a submission for a Privilege Escalation vulnerability in Academy LMS, a WordPress plugin with more than 1,000 active installations. This vulnerability makes it possible for an authenticated attacker to grant themselves administrative privileges by updating user metadata.

Props to Lucio Sá who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $1,313.00 for this discovery during our Bug Bounty Program Extravaganza.

All Wordfence Premium, Wordfence Care, and Wordfence Response customers, as well as those using the free version of our plugin, are protected against any exploits targeting this vulnerability by the Wordfence firewall’s built-in Privilege Escalation via User Meta Updates protection.

We contacted the Academy LMS Team on February 14, 2024, and received a response on February 15, 2024. After providing full disclosure details, the developer released a patch on February 19, 2024. We would like to commend the Academy LMS Team for their prompt response and timely patch.

We urge users to update their sites with the latest patched version of Academy LMS, which is version 1.9.20, as soon as possible.

Vulnerability Summary from Wordfence Intelligence

Description: Academy LMS – eLearning and online course solution for WordPress <= 1.9.19 – Authenticated (Subscriber+) Privilege Escalation
Affected Plugin: Academy LMS
Plugin Slug: academy
Affected Versions: <= 1.9.19
CVE ID: CVE-2024-1505
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Lucio Sá
Fully Patched Version: 1.9.20
Bounty Award: $1,313.00

The Academy LMS – eLearning and online course solution for WordPress plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.9.19. This is due to the plugin allowing arbitrary user meta updates through the saved_user_info() function. This makes it possible for authenticated attackers, with minimal permissions such as students, to elevate their user role to that of an administrator.

Technical Analysis

Academy LMS is a WordPress plugin that offers an advanced quiz and course builder, a dashboard, WooCommerce integration and many other features.

Examining the code reveals that the plugin uses the saved_user_info() function in the Ajax class to update the user info. Unfortunately, this function was implemented insecurely, allowing all authenticated users to modify their capabilities, including granting themselves administrator capabilities.

    public function saved_user_info() {
        check_ajax_referer( 'academy_nonce', 'security' );
        $data = \Academy\Helper::fresh_ajax_request_data( $_POST );
        $data = \Academy\Helper::sanitize_text_or_array_field( $data );
        $user_id = get_current_user_id();
        // No allowlist of meta keys: every POSTed key is written as user meta
        // for the current user, and array values pass through the sanitizer.
        foreach ( $data as $key => $value ) {
            update_user_meta( $user_id, $key, $value );
        }
        wp_send_json_success( $data );
        wp_die();
    }

The most significant problem, and the root of the vulnerability, is that there are no restrictions on which user info keys may be submitted, so the user’s metadata can be updated arbitrarily. In addition, the sanitization helper accepts either a text value or an array, so an array value can be stored, which is exactly what the capabilities meta option requires.

This made it possible for authenticated users, such as students, to supply an array value for the ‘wp_capabilities’ parameter containing any desired role, such as administrator, during the user info update.
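As an added illustration of the missing check (this is not the vendor’s actual 1.9.20 patch), the same handler can be rewritten so that only an explicit allowlist of profile fields is ever written; the Hardened_Ajax class name and the academy_profile_* field names are assumed for the example:

```php
<?php
// Illustrative hardened handler, assumed to run inside WordPress alongside
// the same \Academy\Helper methods the vulnerable snippet calls.
class Hardened_Ajax {

    // Assumed profile fields; the real plugin's field names may differ.
    const ALLOWED_META_KEYS = array(
        'academy_profile_bio',
        'academy_profile_phone',
        'academy_profile_website',
    );

    public function saved_user_info() {
        check_ajax_referer( 'academy_nonce', 'security' );

        $user_id = get_current_user_id();
        if ( ! $user_id ) {
            wp_send_json_error( array( 'message' => 'Not logged in.' ), 401 );
        }

        $data = \Academy\Helper::fresh_ajax_request_data( $_POST );
        $data = \Academy\Helper::sanitize_text_or_array_field( $data );

        $saved = array();
        foreach ( $data as $key => $value ) {
            // Allowlist, not denylist: wp_capabilities, wp_user_level and any
            // other privileged key are rejected simply by not being listed.
            if ( ! in_array( $key, self::ALLOWED_META_KEYS, true ) ) {
                continue;
            }
            // Profile fields are scalar strings; arrays are never accepted,
            // which removes the second ingredient the exploit relied on.
            if ( is_array( $value ) ) {
                continue;
            }
            $clean = sanitize_text_field( $value );
            update_user_meta( $user_id, $key, $clean );
            $saved[ $key ] = $clean;
        }

        wp_send_json_success( $saved );
    }
}
```

Note that a fix like this only stops new writes; it does not revert roles that were already granted, so auditing the site’s administrator accounts after updating is still worthwhile.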

As with any Privilege Escalation vulnerability, this can be used for complete site compromise. Once an attacker has gained administrative user access to a WordPress site they can then manipulate anything on the targeted site as a normal administrator would. This includes the ability to upload plugin and theme files, which can be malicious zip files containing backdoors, and modify posts and pages which can be leveraged to redirect site users to other malicious sites or inject spam content.

Disclosure Timeline

February 14, 2024 – We receive the submission of the Privilege Escalation vulnerability in Academy LMS via the Wordfence Bug Bounty Program.
February 14, 2024 – We validate the report and confirm the proof-of-concept exploit.
February 14, 2024 – We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion.
February 15, 2024 – The vendor confirms the inbox for handling the discussion.
February 15, 2024 – We send over the full disclosure details. The vendor acknowledges the report and begins working on a fix.
February 19, 2024 – The fully patched version of the plugin, 1.9.20, is released.

Conclusion

In this blog post, we detailed a Privilege Escalation vulnerability within the Academy LMS plugin affecting versions 1.9.19 and earlier. This vulnerability allows authenticated threat actors with subscriber-level permissions or higher to elevate their privileges to that of a site administrator which could ultimately lead to complete site compromise. The vulnerability has been fully addressed in version 1.9.20 of the plugin.

We encourage WordPress users to verify that their sites are updated to the latest patched version of Academy LMS.

All Wordfence users, including those running Wordfence Premium, Wordfence Care, and Wordfence Response, as well as sites running the free version of Wordfence, are fully protected against this vulnerability.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.

The post $1,313 Bounty Awarded for Privilege Escalation Vulnerability Patched in Academy LMS WordPress Plugin appeared first on Wordfence.
