#!/usr/bin/env bash
#
# CVE-2025-13673 Lab Setup
# One-command setup: ./setup.sh [plugin_version]
#
# Default plugin version: 3.9.3 (no esc_sql — easiest to exploit)
# Also vulnerable: 3.9.4, 3.9.5, 3.9.6 (partial esc_sql mitigation)
# Fixed: 3.9.7+
#
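set -euo pipefail

#######################################
# Check that a plugin version string is safe to splice into the download URL.
# Arguments: $1 - version string (e.g. 3.9.3)
# Returns:   0 if it holds only letters, digits, '.', '_' or '-' and starts
#            with a letter or digit; 1 otherwise
#######################################
is_valid_plugin_version() {
  local -r pattern='^[0-9A-Za-z][0-9A-Za-z._-]*$'
  [[ "${1-}" =~ $pattern ]]
}

# Lab configuration. The deployment is deliberately weak: a vulnerable plugin
# build plus the fixed credentials below (printed again in the final banner).
# NOTE(review): docker-compose.yml is not visible here; confirm it publishes
# port 8080 on 127.0.0.1 only, and tear the lab down with
# `docker compose down -v` when finished.
readonly PLUGIN_VERSION="${1:-3.9.3}"
readonly WP_URL="http://localhost:8080"
readonly ADMIN_USER="admin"
readonly ADMIN_PASS="admin123"
readonly TEST_USER="testuser"
readonly TEST_PASS="test123"

# The version comes from the command line and ends up inside a URL handed to
# `wp plugin install`, so reject anything that is not a plain version token.
if ! is_valid_plugin_version "$PLUGIN_VERSION"; then
  printf '[!] Invalid plugin version: %s\n' "$PLUGIN_VERSION" >&2
  exit 2
fi

echo "[*] CVE-2025-13673 Lab Setup"
echo "[*] Tutor LMS version: ${PLUGIN_VERSION}"
echo ""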
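# ── Start containers ──
echo "[1/5] Starting Docker containers..."
# Best-effort reset: there may be no previous lab to remove, so a failing
# "down" is deliberately ignored. -v also drops the volumes, giving a fresh
# database on every run.
docker compose down -v 2>/dev/null || true
# pipefail (set at the top of the script) makes a failing "up" abort the run
# even though tail itself succeeds.
docker compose up -d 2>&1 | tail -3

# ── Wait for WordPress to be ready ──
echo "[2/5] Waiting for WordPress..."
wp_ready=0
for ((attempt = 1; attempt <= 30; attempt++)); do
  # curl reports 000 and exits non-zero while the port is still closed;
  # `|| true` keeps set -e from aborting the poll.
  http_code=$(curl -s -o /dev/null -w '%{http_code}' "$WP_URL/" 2>/dev/null || true)
  if [[ "$http_code" == "200" || "$http_code" == "302" ]]; then
    wp_ready=1
    break
  fi
  sleep 2
done
# Stop here instead of running the install steps against a site that never
# came up (about 60 seconds of polling).
if ((wp_ready == 0)); then
  echo "[!] WordPress did not answer at $WP_URL after 30 attempts" >&2
  exit 1
fi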
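# ── Install WP-CLI and configure WordPress ──
echo "[3/5] Installing WordPress + WP-CLI..."
# NOTE(review): wp-cli.phar is fetched unpinned and installed without an
# integrity check, then run with --allow-root inside the container. That is
# tolerable for a throwaway lab; for anything longer-lived, pin a release and
# verify its published checksum before installing.
# -f makes curl fail on an HTTP error instead of saving the error page as the
# "wp" binary; set -e stops the inner script at the first failing step.
docker exec tutor-wp bash -c '
  set -e
  curl -fsSO https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar
  chmod +x wp-cli.phar
  mv wp-cli.phar /usr/local/bin/wp
'

# The e-mail addresses on the published page were masked by the site's e-mail
# protection (and the unquoted masked form splits into two arguments), so the
# two addresses below are constructed placeholders.
docker exec tutor-wp wp core install \
  --url="$WP_URL" \
  --title="Tutor LMS CVE Lab" \
  --admin_user="$ADMIN_USER" \
  --admin_password="$ADMIN_PASS" \
  --admin_email="admin@example.com" \
  --skip-email --allow-root 2>&1 | tail -1

# Low-privilege account used for the authenticated test path.
docker exec tutor-wp wp user create "$TEST_USER" "testuser@example.com" \
  --user_pass="$TEST_PASS" --role=subscriber --allow-root 2>&1 | tail -1

# Open self-registration is part of the lab configuration. stderr is silenced
# for noise only, so report a failure explicitly rather than exiting quietly.
if ! docker exec tutor-wp wp option update users_can_register 1 --allow-root 2>/dev/null; then
  echo "[!] Could not enable users_can_register" >&2
  exit 1
fi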
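# ── Install vulnerable Tutor LMS ──
echo "[4/5] Installing Tutor LMS ${PLUGIN_VERSION}..."
docker exec tutor-wp wp plugin install \
  "https://downloads.wordpress.org/plugin/tutor.${PLUGIN_VERSION}.zip" \
  --activate --allow-root 2>&1 | tail -1

# ── Enable monetization + coupons + create test course ──
echo "[5/5] Configuring monetization, coupons, and test course..."
# stderr is silenced for noise only, so report a failure explicitly.
if ! docker exec tutor-wp wp option update tutor_option \
  '{"monetize_by":"tutor","enable_coupon":"on","is_coupon_applicable":"1"}' \
  --format=json --allow-root 2>/dev/null; then
  echo "[!] Could not write tutor_option" >&2
  exit 1
fi

# --porcelain makes "wp post create" print only the new post ID, so the price
# meta lands on the course created here rather than on whichever course a
# later listing happens to return first. The ID is checked before use so an
# empty or polluted value cannot reach the meta updates.
docker exec tutor-wp bash -c '
  set -e
  POST_ID=$(wp post create --post_type=courses --post_title="Test Course" \
    --post_status=publish --post_content="Lab course" --porcelain --allow-root)
  case "$POST_ID" in
    "" | *[!0-9]*)
      echo "[!] Unexpected post ID from wp post create: $POST_ID" >&2
      exit 1
      ;;
  esac
  echo "Created course post $POST_ID"
  wp post meta update "$POST_ID" _tutor_course_price_type paid --allow-root
  wp post meta update "$POST_ID" tutor_course_price 99 --allow-root
'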
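# ── Done ──
# Ask WP-CLI for the version of the "tutor" plugin directly. A lookup failure
# falls back to "unknown" so the banner is still printed instead of the script
# exiting silently on its last step.
VERSION=$(docker exec tutor-wp wp plugin get tutor --field=version --allow-root 2>/dev/null) || VERSION="unknown"

# The lab only reproduces the issue on the requested build, so flag a mismatch
# between what was asked for and what is actually installed.
if [[ "$VERSION" != "$PLUGIN_VERSION" ]]; then
  echo "[!] Installed Tutor LMS version (${VERSION}) differs from requested (${PLUGIN_VERSION})" >&2
fi

echo ""
echo "============================================"
echo " Lab ready!"
echo " URL: $WP_URL"
echo " Plugin: Tutor LMS v${VERSION}"
echo " Admin: $ADMIN_USER / $ADMIN_PASS"
echo " Subscriber: $TEST_USER / $TEST_PASS"
echo ""
echo " Test (unauthenticated):"
echo " python3 exploit.py $WP_URL"
echo ""
echo " Test (authenticated, fast UNION):"
echo " python3 exploit.py $WP_URL -u $TEST_USER -p $TEST_PASS --all"
echo "============================================"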