Vulnerabilities in WordPress Quiz and Survey plugin patched

Parthiv Menon

August 13, 2020

The ‘Quiz and Survey Master’ plugin installed in over 30,000 WordPress websites has patched two critical vulnerabilities that allowed attackers to launch varying attacks on websites. Researchers discovered the flaws at Wordfence - an arbitrary file upload vulnerability ranked ten on ten on the Common Vulnerability Scoring System (CVSS scale). In contrast, the file deletion vulnerability rated 9.9 on 10. The first vulnerability arose from the fact that users could upload files as a response to a quiz or survey. The check to verify file type looked only at the ‘Content-Type’ header, which can be easily spoofed by setting a malicious file’s ‘Content-Type’ to ‘text/plain’ to bypass the plugin’s weak cross-check mechanism. Unauthenticated users could upload arbitrary files, including PHP files that would allow remote access and code execution, leading to a complete site takeover or compromising the host user’s account. The second flaw can lead to an unauthenticated user delete essential files like the wp-config.php file, leading to a compromised database. After discovering the flaw on July 17 and several failed attempts to contact the QSM plugin team, a patch for the vulnerabilities was released in version 7.0.1, both of which await the Common Vulnerabilities and Exposures tests.

Abridged fromThreatpost