WordPress LifterLMS 4.21.1 Insecure Direct Object Reference

#320
Topic created · 1 Posts · 2 Views
  • # Exploit Title: WordPress Plugin LifterLMS 4.21.1 - Access Other Student Grades/Answers via IDOR
    # Date: 2021-05-17
    # Exploit Author: captain\_hook
    # Vendor Homepage: https://lifterlms.com
    # Software Link: https://lifterlms.com
    # Version: 4.21.1
    # Tested on: any
    
    Description
    
    The plugin was affected by an IDOR issue, allowing students to see other student answers and grades
    
    Proof of Concept
    
    - Add 2 users with Student role for the scenario .
    - Create A course With a quiz ( I picked True or Flase question for my quiz)
    - Set Enrol on Free ( for the ease of scenario )
    - Enrol into the Course with Student B and submit your answer to the Course .
    
    The plugin will give a token like :
    https://soft-dream.myliftersite.com/quiz/%d8%ac%d9%85%d8%b9-quiz/?attempt\_key=wYK
    To Check your answer was true or false.
    
    Now Login as a Student A and Enroll in the Course. You can just use
    the URL https://soft-dream.myliftersite.com/quiz/%d8%ac%d9%85%d8%b9-quiz/?attempt\_key=wYK
    and reach the Student B answer.
    
    Fixed in version 4.21.2✓
    
    References
    
    https://make.lifterlms.com/2021/05/17/lifterlms-version-4-21-2/
    
    
Log in to reply