Executive Summary

The Masteriyo LMS plugin for WordPress has a vulnerability called Authorization Bypass Through User-Controlled Key in versions up to 2.1.7.

This happens because the webhook endpoint does not properly verify the signature of incoming webhook requests.

Specifically, signature verification only occurs if a webhook_secret is set and the HTTP_STRIPE_SIGNATURE header is present.

Since the webhook_secret defaults to an empty string, the webhook endpoint accepts attacker-controlled JSON payloads without verification.

This allows unauthenticated attackers to send fake Stripe webhook events with arbitrary order IDs and mark orders as completed without payment.

As a result, attackers can gain unauthorized access to paid course content.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow attackers to bypass payment verification and mark any order as completed without actually paying.

Consequently, unauthorized users can gain access to paid course content without purchasing it.

This can lead to financial loss for course providers and undermine the integrity of the eLearning platform.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows unauthenticated attackers to mark orders as completed without payment and gain unauthorized access to paid course content by bypassing webhook signature verification.

This unauthorized access to paid content could potentially lead to violations of data protection and access control requirements found in standards like GDPR and HIPAA, which mandate proper authorization and protection of user data and access.

However, the provided information does not explicitly describe the impact on compliance with these regulations.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves the Masteriyo LMS plugin processing unauthenticated webhook requests without proper signature verification. Detection would involve monitoring incoming HTTP requests to the webhook endpoint for suspicious or unauthorized Stripe webhook events.

Specifically, you can look for HTTP requests to the webhook endpoint that lack the HTTP_STRIPE_SIGNATURE header or contain unexpected order_id values in the JSON payload metadata.

Commands to detect such activity might include using network monitoring tools or web server logs to filter requests to the webhook URL and inspect headers and payloads. For example, using grep on web server logs:

• grep 'webhook' /var/log/apache2/access.log | grep -v 'HTTP_STRIPE_SIGNATURE'
• tcpdump or Wireshark filters to capture HTTP POST requests to the webhook endpoint and analyze payloads for suspicious order_id metadata.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, immediately update the Masteriyo LMS plugin to a version later than 2.1.7 where the webhook signature verification issue is fixed.

If an update is not immediately possible, ensure that the webhook_secret setting is configured with a strong secret value and that the webhook endpoint enforces signature verification by requiring the HTTP_STRIPE_SIGNATURE header.

Additionally, restrict access to the webhook endpoint to trusted IP addresses or networks if possible, and monitor logs for suspicious webhook activity.

Useful 0 Not Useful 0