The Tutor LMS Pro plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 3.9.5 via the Social Login addon. This is due to the plugin failing to verify that the email provided in the authentication request matches the email from the validated OAuth token. This makes it possible for unauthenticated attackers to log in as any existing user, including administrators, by supplying a valid OAuth token from their own account along with the victim's email address.
A critical vulnerability in the Tutor LMS Pro plugin allows complete account takeover on WordPress sites. Attackers can bypass authentication and log in as any user, including administrators, by exploiting a flaw in the Social Login addon. This poses a significant risk of data breaches and complete site compromise.
Step 1: Obtain a Valid OAuth Token: The attacker obtains a valid OAuth token from a supported social login provider (e.g., Google, Facebook). This token is associated with the attacker's own account.
Step 2: Identify Target Email: The attacker identifies the email address of the target user on the WordPress site (e.g., through public information, social engineering, or other reconnaissance).
Step 3: Craft the Login Request: The attacker crafts a malicious login request to the Tutor LMS Pro plugin's Social Login endpoint. This request includes the attacker's valid OAuth token and the target user's email address.
Step 4: Authentication Bypass: The plugin, due to the vulnerability, fails to verify that the email associated with the OAuth token matches the target email. It proceeds to authenticate the attacker as the target user, effectively bypassing the intended authentication process.
Step 5: Account Takeover: The attacker is successfully logged in as the target user, gaining access to their account and all associated privileges, including administrator access if the target user is an administrator.
The vulnerability stems from a flawed implementation within the Social Login addon of Tutor LMS Pro: the plugin does not verify that the email address extracted from the OAuth provider's response matches the email address submitted in the login request. An attacker can therefore supply their own valid OAuth token (for example, from Google or Facebook) together with a target user's email address, and the plugin authenticates the attacker as that user. The root cause is a missing or inadequate email address validation check, which creates an authentication bypass.
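The following PHP is an added illustration of the defect class described above and of the check that closes it; it is not Tutor LMS Pro's code. The function names and the `$provider_profile` array are hypothetical, while `get_user_by()`, `wp_set_current_user()`, `wp_set_auth_cookie()` and `WP_Error` are real WordPress APIs.

```php
<?php
// Added example, not plugin code. Assumes the OAuth token has already been
// validated with the provider and its profile is passed in as $provider_profile.

// Vulnerable pattern: the account is chosen from the client-supplied email,
// while the token only proves the caller owns *some* account at the provider.
// Nothing ties the two together, which is exactly the bypass described above.
function social_login_vulnerable( array $provider_profile, string $requested_email ) {
    $user = get_user_by( 'email', $requested_email ); // identity taken from the request
    if ( ! $user ) {
        return new WP_Error( 'no_user', 'Unknown account.' );
    }
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID );
    return $user;
}

// Hardened pattern: identity is derived solely from the validated provider
// profile. The request-supplied email is compared against it and rejected on
// mismatch; it never selects the account.
function social_login_hardened( array $provider_profile, string $requested_email ) {
    $token_email = isset( $provider_profile['email'] )
        ? strtolower( trim( (string) $provider_profile['email'] ) )
        : '';

    // Require the provider to assert the address is verified (OpenID Connect
    // exposes this as the email_verified claim); an unverified address proves nothing.
    if ( '' === $token_email || empty( $provider_profile['email_verified'] ) ) {
        return new WP_Error( 'unverified_email', 'Provider did not assert a verified email.' );
    }

    if ( strtolower( trim( $requested_email ) ) !== $token_email ) {
        // A mismatch here is the signature of this bypass attempt; record it for detection.
        error_log( sprintf( 'social login email mismatch: token=%s requested=%s',
            $token_email, $requested_email ) );
        return new WP_Error( 'email_mismatch', 'Email does not match the authenticated identity.' );
    }

    // Look the user up by the provider-asserted email, never by the request value.
    $user = get_user_by( 'email', $token_email );
    if ( ! $user ) {
        return new WP_Error( 'no_user', 'Unknown account.' );
    }
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID );
    return $user;
}
```

When reviewing a social login handler, the question to ask is which value selects the WordPress user: if it is anything other than the identity the provider returned for the validated token, the handler has this flaw regardless of how carefully the token itself was checked.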