
CVE-2024-8349 PoC: WordPress plugin Uncanny Groups for LearnDash security vulnerability

Associated Vulnerability
Title: WordPress plugin Uncanny Groups for LearnDash security vulnerability (CVE-2024-8349)
Description: WordPress and WordPress plugins are products of the WordPress Foundation. WordPress is a blogging platform written in PHP that lets users host personal blog sites on servers running PHP and MySQL. A WordPress plugin is an application extension for it. The WordPress plugin Uncanny Groups for LearnDash, version 6.1.0.1 and earlier, contains a security vulnerability caused by failing to properly restrict which users a Group Leader is allowed to edit.
Description
Authenticated Privilege Escalation to Admin exploiting Uncanny Groups for LearnDash.
Readme
# CVE-2024-8349 and CVE-2024-8350

## Background information

Uncanny Groups for LearnDash (uncanny-learndash-group) is a third-party plugin for LearnDash LMS (sfwd-lms). The plugin lets Group Leaders (custom LearnDash role) manage users of their own LearnDash groups from the frontend.

Group Leaders can add existing users to their groups. Existing users are added automatically (i.e., they don’t have to accept any invites).

If the site admin has enabled a plugin feature called “Allow group leaders to edit users”, Group Leaders can also change their group members’ (Users’) names and email addresses. This feature is disabled by default.

## CVE-2024-8349 Authenticated (Group Leader+) Privilege Escalation

A Group Leader can change an Admin’s email address and thereby gain admin access if the “Allow group leaders to edit users” setting is enabled. When exploited in conjunction with CVE-2024-8350, all Group Leaders can become Admins regardless of the “Allow group leaders to edit users” setting’s status. 

- CVSS: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (7.2 High)
- Software: [Uncanny Groups for LearnDash](https://www.uncannyowl.com/downloads/uncanny-learndash-groups/) (uncanny-learndash-group)
- Affected versions: <= 6.1.0.1
- Patched version: 6.1.1 (partially patched in 6.1.0.1)
- Developer: Uncanny Owl
- Researcher: Karl Emil Nikka, [Nikka Systems](https://nikkasystems.com)
- Publicly published: 2024-09-17
- Last updated: 2024-09-17

### Vulnerability

The plugin does not check the role of an existing user when a Group Leader adds them to a group. If “Allow group leaders to edit users” is enabled, a Group Leader can therefore gain admin privileges by adding an existing Admin to their group, changing the Admin’s email address to one they control, and resetting the Admin’s password via that address.

### Patches

Uncanny Owl published an insufficient patch (6.1.0.1) on 2024-08-26. The vulnerability could no longer be exploited on its own to become Admin (only in conjunction with CVE-2024-8350), but any Group Leader could still use it to take over an Editor (or lower-privileged) account. “Allow group leaders to edit users” still had to be enabled.

Uncanny Owl published a full patch (6.1.1) on 2024-09-11.

## CVE-2024-8350 Missing Authorization to Authenticated (Group Leader+) User Group Add

A Group Leader can change any User’s contact details due to a missing permission check in the plugin’s REST API. When exploited in conjunction with CVE-2024-8349, all Group Leaders can give themselves admin privileges.

- CVSS: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N (2.7 Low)
- Software: [Uncanny Groups for LearnDash](https://www.uncannyowl.com/downloads/uncanny-learndash-groups/) (uncanny-learndash-group)
- Affected versions: <= 6.1.0.1
- Patched version: 6.1.1 (partially patched in 6.1.0.1)
- Developer: Uncanny Owl
- Researcher: Karl Emil Nikka, [Nikka Systems](https://nikkasystems.com)
- Publicly published: 2024-09-17
- Last updated: 2024-09-17

### Vulnerability

The plugin has a site-wide permission setting called “Allow group leaders to edit users”. When enabled, Group Leaders can change their group members’ (Users’) names and email addresses. This feature is disabled by default. 

Leaving the feature disabled, however, only hides the editing controls on the frontend; the REST API does not enforce the setting. A Group Leader can still send POST requests carrying the same actions directly to the endpoint. Since Group Leaders can add any user to their groups, Group Leaders can thereby change every User’s name and email address.

```
https://example.com/wp-json/ulgm_management/v1/edit_user/?
action=edit-user&group-id={Group ID}&edit-user-id={user ID}&first_name=Lorem&last_name=Ipsum&email={attacker's email address}
```

(The group ID and the user ID can be found as part of the page content.)

When exploited in conjunction with CVE-2024-8349, all Group Leaders can give themselves admin privileges.
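The following is an added example, not Uncanny Owl's code and not a reconstruction of the 6.1.1 patch: a WordPress `permission_callback` for a group-leader “edit user” REST route that enforces, in the REST layer, the checks this advisory describes as missing for both CVEs (the site-wide setting, leadership of the group, membership of the target, and the target's role relative to the caller). The namespace `example_groups/v1`, the option name `example_groups_allow_leader_edit_users` and its stored value, and all `example_groups_*` function names are hypothetical. `learndash_get_groups_administrator_ids()` and `learndash_get_groups_user_ids()` are LearnDash helpers used as I understand their signatures; verify them against the installed LearnDash version before relying on this.

```php
<?php
// Added example (not Uncanny Owl's code). Route, option and example_groups_*
// names are hypothetical; LearnDash helpers are used as I understand them.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example_groups/v1', '/edit_user', array(
        // POST only: a state-changing action should never be reachable with GET.
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_groups_edit_user',
        'permission_callback' => 'example_groups_can_edit_user',
        'args'                => array(
            'group-id'     => array( 'required' => true, 'type' => 'integer', 'sanitize_callback' => 'absint' ),
            'edit-user-id' => array( 'required' => true, 'type' => 'integer', 'sanitize_callback' => 'absint' ),
            'email'        => array( 'required' => true, 'type' => 'string',  'sanitize_callback' => 'sanitize_email' ),
        ),
    ) );
} );

// Every authorization decision lives here, in the REST layer. Hiding the
// frontend modal is not a control (that was the CVE-2024-8350 root cause).
function example_groups_can_edit_user( WP_REST_Request $request ) {
    $leader_id = get_current_user_id();
    $group_id  = (int) $request->get_param( 'group-id' );
    $target_id = (int) $request->get_param( 'edit-user-id' );

    $deny = function ( $msg ) {
        return new WP_Error( 'rest_forbidden', $msg, array( 'status' => 403 ) );
    };

    if ( ! $leader_id ) {
        return $deny( 'Authentication required.' );
    }
    // 1. The site-wide toggle must be enforced here, not only in the template.
    //    Option name and stored value ('yes'/'no') are assumptions.
    if ( 'yes' !== get_option( 'example_groups_allow_leader_edit_users', 'no' ) ) {
        return $deny( 'User editing by group leaders is disabled.' );
    }
    // 2. The caller must actually lead the named group.
    if ( ! in_array( $leader_id, array_map( 'intval', learndash_get_groups_administrator_ids( $group_id ) ), true ) ) {
        return $deny( 'Not a leader of this group.' );
    }
    // 3. The target must be a member of that group.
    if ( ! in_array( $target_id, array_map( 'intval', learndash_get_groups_user_ids( $group_id ) ), true ) ) {
        return $deny( 'Target is not a member of this group.' );
    }
    // 4. A leader may never edit an account that outranks them (CVE-2024-8349
    //    root cause: membership was granted without looking at the role).
    if ( example_groups_target_outranks_caller( $leader_id, $target_id ) ) {
        return $deny( 'Cannot edit a user with equal or higher privileges.' );
    }
    return true;
}

// True when the target holds an administrative capability, or any capability
// the caller lacks. Role names and legacy level_N entries are ignored so that a
// plain Subscriber (effectively only "read") stays editable.
function example_groups_target_outranks_caller( $caller_id, $target_id ) {
    $target = get_userdata( $target_id );
    if ( ! $target || $caller_id === $target_id ) {
        return true; // unknown target, or self: use the normal profile flow instead
    }
    foreach ( array( 'manage_options', 'edit_users', 'promote_users', 'delete_users' ) as $cap ) {
        if ( user_can( $target, $cap ) ) {
            return true;
        }
    }
    $granted = array_keys( array_filter( $target->allcaps ) );
    $ignored = array_merge( $target->roles, preg_grep( '/^level_\d+$/', $granted ) );
    foreach ( array_diff( $granted, $ignored ) as $cap ) {
        if ( ! user_can( $caller_id, $cap ) ) {
            return true;
        }
    }
    return false;
}

function example_groups_edit_user( WP_REST_Request $request ) {
    $target_id = (int) $request->get_param( 'edit-user-id' );
    $email     = $request->get_param( 'email' );

    if ( ! is_email( $email ) || email_exists( $email ) ) {
        return new WP_Error( 'rest_invalid_param', 'Invalid or already used email address.', array( 'status' => 400 ) );
    }
    $result = wp_update_user( array( 'ID' => $target_id, 'user_email' => $email ) );
    if ( is_wp_error( $result ) ) {
        return $result;
    }
    return rest_ensure_response( array( 'updated_user' => $target_id ) );
}
```

The design point is that all four checks run for every request that reaches the route, so a template override that hides the modal, or a Group Leader who crafts the request by hand, makes no difference to the outcome. Check 4 is deliberately conservative: a target with a single capability the caller lacks is refused, which blocks the Editor takeover that the partial 6.1.0.1 patch still allowed, at the cost of also refusing some edits a site might consider legitimate.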

### Patches 

Uncanny Owl published an insufficient patch (6.1.0.1) on 2024-08-26. The vulnerability was partially patched but, yet again, only on the frontend. The setting “Allow group leaders to edit users” still had to be enabled.

If a Group Leader had an Admin as part of its group, the Group Leader could no longer display the modal for changing the Admin’s email address. However, the REST API still let the Group Leader do it.

A Group Leader could still become Admin by chaining CVE-2024-8350 with CVE-2024-8349: first add an Editor to their group and take over the Editor’s account, then, acting as that Editor, add an Admin to the group from LearnDash’s backend and change the Admin’s email address through Uncanny Groups’ REST API.

Uncanny Owl published a full patch (6.1.1) on 2024-09-11.

## Timeline

- 2024-08-12 I reported CVE-2024-8349 to Uncanny Owl.
- 2024-08-12 Uncanny Owl confirmed receiving the report.
- 2024-08-15 I reported CVE-2024-8350 to Uncanny Owl.
- 2024-08-22 Uncanny Owl confirmed receiving the report.
- 2024-08-26 Uncanny Owl released Uncanny Groups for LearnDash 6.1.0.1 without sending me a pre-release version.
- 2024-08-30 I reported the insufficient patch to Uncanny Owl.
- 2024-08-30 Wordfence assigned the vulnerabilities their CVE IDs.
- 2024-09-04 I sent a reminder to Uncanny Owl, asking them to confirm receiving the report about the insufficient patch.
- 2024-09-05 Uncanny Owl confirmed receiving the report about the insufficient patch.
- 2024-09-11 Uncanny Owl sent me a pre-release version of the next release.
- 2024-09-11 I reviewed the pre-release version and suggested some additional minor security improvements.
- 2024-09-11 Uncanny Owl sent me a second pre-release version with the suggested improvements implemented.
- 2024-09-11 I confirmed that the two vulnerabilities were fully patched in the second pre-release version.
- 2024-09-11 Uncanny Owl published Uncanny Groups for LearnDash 6.1.1.
- 2024-09-17 I published this report.

Uncanny Owl handled the vulnerability reports well and addressed the vulnerabilities within the 90-day responsible disclosure window.

## Related confidentiality issue

Site admins should be aware that a Group Leader of Group A can add a User that is part of Group B without the User’s consent. This can be a confidentiality and GDPR compliance issue if, e.g., Group A and Group B are two different companies. It is however not a vulnerability, since it is how the plugin is intended to work.

I submitted a feature request about addressing this confidentiality issue back in 2021. Uncanny Owl will now reconsider my feature request. In the meantime, affected sites can implement their own workarounds using the [ulgm_gdpr_is_group_leader_allowed](https://www.uncannyowl.com/knowledge-base/actions-filters-for-developers/) filter and custom frontend template overrides.
File Snapshot

```
/data/pocs/4cc6977d8ce7f740d63c64a0171bdf501f19a06e
└── README.md (6.7K)

0 directories, 1 file
```