Description :

Improper authentication in the checkout Ajax function leads to privilege escalation: an unauthenticated attacker can create an account that receives the role stored in the default_role option of the wp_options table. Notably, this is the role the administrator has manually selected as the default for new users.

This vulnerability is particularly dangerous because it bypasses the site's normal registration controls. Even when the users_can_register option is set to 0, meaning new users must not be able to register, the attacker can still create accounts. An attacker can thus gain unauthorized access to the site, potentially compromising its security and functionality.

The issue lies in a POST request to the wp-admin/admin-ajax.php endpoint, where the attacker can send a crafted payload that creates a new account.
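The pattern behind this class of bug, shown as an added illustration for this advisory rather than LearnPress's own code: a guest-reachable Ajax handler that creates a WordPress user without consulting the registration setting, beside a hardened version of the same handler. The hook names, action names and request fields (example_checkout, username, email, password, nonce) are hypothetical.

```php
<?php
/**
 * Added illustration for this advisory; not LearnPress code. The hook names,
 * action names and request field names (example_checkout, username, email,
 * password, nonce) are hypothetical.
 */

// VULNERABLE PATTERN: registering the handler on wp_ajax_nopriv_* makes it
// reachable by guests via POST /wp-admin/admin-ajax.php?action=example_checkout,
// and it creates a user without consulting the site's registration setting.
add_action( 'wp_ajax_nopriv_example_checkout', 'example_checkout_vulnerable' );
function example_checkout_vulnerable() {
    $username = isset( $_POST['username'] ) ? sanitize_user( wp_unslash( $_POST['username'] ) ) : '';
    $email    = isset( $_POST['email'] )    ? sanitize_email( wp_unslash( $_POST['email'] ) )  : '';
    $password = isset( $_POST['password'] ) ? (string) wp_unslash( $_POST['password'] )        : '';

    // wp_create_user() assigns get_option( 'default_role' ) to the new account,
    // so the guest receives whatever role the admin picked as the new-user
    // default, regardless of users_can_register.
    $user_id = wp_create_user( $username, $password, $email );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message() );
    }
    wp_send_json_success( array( 'user_id' => $user_id ) );
}

// HARDENED: honour users_can_register, require a nonce bound to the checkout
// form, and route through core's registration validation. The role is never
// taken from the request.
add_action( 'wp_ajax_nopriv_example_checkout_secure', 'example_checkout_secure' );
function example_checkout_secure() {
    // Dies with HTTP 403 if the 'nonce' field is missing or invalid.
    check_ajax_referer( 'example_checkout', 'nonce' );

    // Same gate wp-login.php applies: registration disabled means no account
    // creation, whether the request comes from a form or from an Ajax action.
    if ( ! get_option( 'users_can_register' ) ) {
        wp_send_json_error( 'Registration is disabled on this site.', 403 );
    }

    $username = isset( $_POST['username'] ) ? sanitize_user( wp_unslash( $_POST['username'] ) ) : '';
    $email    = isset( $_POST['email'] )    ? sanitize_email( wp_unslash( $_POST['email'] ) )  : '';

    // register_new_user() runs core's validation (username/email format,
    // username_exists/email_exists, the registration_errors filter), assigns
    // default_role and emails the new user a generated password.
    $user_id = register_new_user( $username, $email );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_messages(), 400 );
    }
    wp_send_json_success( array( 'user_id' => $user_id ) );
}
```

Two checks follow from this. On a live site, `wp option get users_can_register` and `wp option get default_role` show what an unauthenticated caller would obtain through such a handler; a default role above Subscriber turns a forced registration into a far more serious foothold. When auditing a plugin, list every action hooked on `wp_ajax_nopriv_` and trace whether it can reach wp_create_user(), wp_insert_user() or register_new_user() without first passing the users_can_register check; any handler that only serves logged-in users should be hooked on `wp_ajax_` alone.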

Taint Analysis :

Since the checkout() function can be reached through admin-ajax.php by an unauthenticated user, let's analyze it to find out where the sink is.

STEPS TO REPRODUCE :

1) Install the LearnPress plugin

2) Add the sample course data

3) Visit the frontend as an unauthenticated user, click the All Courses section, then click Read More on a course