Search criteria
14 vulnerabilities found for Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress by expresstech
CVE-2023-26524 (GCVE-0-2023-26524)
Vulnerability from cvelistv5 – Published: 2023-11-12 23:55 – Updated: 2025-01-08 21:39
VLAI?
Title
WordPress Quiz And Survey Master Plugin <= 8.0.10 is vulnerable to Cross Site Request Forgery (CSRF)
Summary
Cross-Site Request Forgery (CSRF) vulnerability in ExpressTech Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress plugin <= 8.0.10 versions.
Severity ?
4.3 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ExpressTech | Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress |
Affected:
n/a , ≤ 8.0.10
(custom)
|
Credits
Rio Darmawan (Patchstack Alliance)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:53:52.921Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/quiz-master-next/wordpress-quiz-and-survey-master-plugin-8-0-10-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-26524",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-22T17:10:02.613050Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-08T21:39:21.359Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "quiz-master-next",
"product": "Quiz And Survey Master \u2013 Best Quiz, Exam and Survey Plugin for WordPress",
"vendor": "ExpressTech",
"versions": [
{
"changes": [
{
"at": "8.1.0",
"status": "unaffected"
}
],
"lessThanOrEqual": "8.0.10",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Rio Darmawan (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in ExpressTech Quiz And Survey Master \u2013 Best Quiz, Exam and Survey Plugin for WordPress plugin \u0026lt;=\u003cspan style=\"background-color: var(--wht);\"\u003e\u0026nbsp;8.0.10 versions.\u003c/span\u003e"
}
],
"value": "Cross-Site Request Forgery (CSRF) vulnerability in ExpressTech Quiz And Survey Master \u2013 Best Quiz, Exam and Survey Plugin for WordPress plugin \u003c=\u00a08.0.10 versions."
}
],
"impacts": [
{
"capecId": "CAPEC-62",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-62 Cross Site Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-12T23:55:18.599Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/quiz-master-next/wordpress-quiz-and-survey-master-plugin-8-0-10-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to\u0026nbsp;8.1.0 or a higher version."
}
],
"value": "Update to\u00a08.1.0 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Quiz And Survey Master Plugin \u003c= 8.0.10 is vulnerable to Cross Site Request Forgery (CSRF)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-26524",
"datePublished": "2023-11-12T23:55:18.599Z",
"dateReserved": "2023-02-24T11:22:42.567Z",
"dateUpdated": "2025-01-08T21:39:21.359Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-0292 (GCVE-0-2023-0292)
Vulnerability from cvelistv5 – Published: 2023-06-09 05:33 – Updated: 2024-12-20 23:35
VLAI?
Summary
The Quiz And Survey Master plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 8.0.8. This is due to missing nonce validation on the function associated with the qsm_remove_file_fd_question AJAX action. This makes it possible for unauthenticated attackers to delete arbitrary media files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity ?
5.4 (Medium)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| expresstech | Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress |
Affected:
* , ≤ 8.0.8
(semver)
|
Credits
Julien Ahrens
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T05:02:44.181Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c75e6d27-7f6b-4bec-b653-c2024504f427?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://wordpress.org/plugins/quiz-master-next/"
},
{
"tags": [
"x_transferred"
],
"url": "https://packetstormsecurity.com/files/171011/wpqsm808-xsrf.txt"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/2834471/quiz-master-next"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-0292",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-20T23:23:10.484121Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-20T23:35:22.249Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Quiz And Survey Master \u2013 Best Quiz, Exam and Survey Plugin for WordPress",
"vendor": "expresstech",
"versions": [
{
"lessThanOrEqual": "8.0.8",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Julien Ahrens"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Quiz And Survey Master plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 8.0.8. This is due to missing nonce validation on the function associated with the qsm_remove_file_fd_question AJAX action. This makes it possible for unauthenticated attackers to delete arbitrary media files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-09T05:33:32.758Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c75e6d27-7f6b-4bec-b653-c2024504f427?source=cve"
},
{
"url": "https://wordpress.org/plugins/quiz-master-next/"
},
{
"url": "https://packetstormsecurity.com/files/171011/wpqsm808-xsrf.txt"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/2834471/quiz-master-next"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-01-13T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2023-01-18T00:00:00.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2023-02-08T00:00:00.000+00:00",
"value": "Disclosed"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2023-0292",
"datePublished": "2023-06-09T05:33:32.758Z",
"dateReserved": "2023-01-13T16:56:22.667Z",
"dateUpdated": "2024-12-20T23:35:22.249Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-0291 (GCVE-0-2023-0291)
Vulnerability from cvelistv5 – Published: 2023-06-09 05:33 – Updated: 2024-12-28 00:51
VLAI?
Summary
The Quiz And Survey Master for WordPress is vulnerable to authorization bypass due to a missing capability check on the function associated with the qsm_remove_file_fd_question AJAX action in versions up to, and including, 8.0.8. This makes it possible for unauthenticated attackers to delete arbitrary media files.
Severity ?
7.2 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| expresstech | Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress |
Affected:
* , ≤ 8.0.8
(semver)
|
Credits
Julien Ahrens
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T05:02:44.183Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/68110321-db1a-4634-98cd-0afd3ec933b8?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://wordpress.org/plugins/quiz-master-next/"
},
{
"tags": [
"x_transferred"
],
"url": "https://packetstormsecurity.com/files/171011/wpqsm808-xsrf.txt"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/2834471/quiz-master-next"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-0291",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-28T00:40:16.398641Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-28T00:51:57.705Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Quiz And Survey Master \u2013 Best Quiz, Exam and Survey Plugin for WordPress",
"vendor": "expresstech",
"versions": [
{
"lessThanOrEqual": "8.0.8",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Julien Ahrens"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Quiz And Survey Master for WordPress is vulnerable to authorization bypass due to a missing capability check on the function associated with the qsm_remove_file_fd_question AJAX action in versions up to, and including, 8.0.8. This makes it possible for unauthenticated attackers to delete arbitrary media files."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-862 Missing Authorization",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-09T05:33:19.875Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/68110321-db1a-4634-98cd-0afd3ec933b8?source=cve"
},
{
"url": "https://wordpress.org/plugins/quiz-master-next/"
},
{
"url": "https://packetstormsecurity.com/files/171011/wpqsm808-xsrf.txt"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/2834471/quiz-master-next"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-02-15T00:00:00.000+00:00",
"value": "Disclosed"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2023-0291",
"datePublished": "2023-06-09T05:33:19.875Z",
"dateReserved": "2023-01-13T16:54:28.658Z",
"dateUpdated": "2024-12-28T00:51:57.705Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-46862 (GCVE-0-2022-46862)
Vulnerability from cvelistv5 – Published: 2023-02-14 11:26 – Updated: 2025-01-13 15:56
VLAI?
Title
WordPress Quiz And Survey Master Plugin <= 8.0.7 is vulnerable to Cross Site Request Forgery (CSRF)
Summary
Cross-Site Request Forgery (CSRF) vulnerability in ExpressTech Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress plugin <= 8.0.7 versions.
Severity ?
4.3 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ExpressTech | Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress |
Affected:
n/a , ≤ 8.0.7
(custom)
|
Credits
Oliver K. (Patchstack Alliance)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T14:39:38.735Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/quiz-master-next/wordpress-quiz-and-survey-master-plugin-8-0-7-cross-site-request-forgery-csrf?_s_id=cve"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-46862",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-13T15:31:16.819022Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-13T15:56:51.820Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "quiz-master-next",
"product": "Quiz And Survey Master \u2013 Best Quiz, Exam and Survey Plugin for WordPress",
"vendor": "ExpressTech",
"versions": [
{
"changes": [
{
"at": "8.0.8",
"status": "unaffected"
}
],
"lessThanOrEqual": "8.0.7",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Oliver K. (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in ExpressTech Quiz And Survey Master \u2013 Best Quiz, Exam and Survey Plugin for WordPress plugin \u0026lt;=\u003cspan style=\"background-color: var(--wht);\"\u003e\u0026nbsp;8.0.7 versions.\u003c/span\u003e"
}
],
"value": "Cross-Site Request Forgery (CSRF) vulnerability in ExpressTech Quiz And Survey Master \u2013 Best Quiz, Exam and Survey Plugin for WordPress plugin \u003c=\u00a08.0.7 versions."
}
],
"impacts": [
{
"capecId": "CAPEC-62",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-62 Cross Site Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-14T11:26:14.262Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/quiz-master-next/wordpress-quiz-and-survey-master-plugin-8-0-7-cross-site-request-forgery-csrf?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to\u0026nbsp;8.0.8 or a higher version."
}
],
"value": "Update to\u00a08.0.8 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Quiz And Survey Master Plugin \u003c= 8.0.7 is vulnerable to Cross Site Request Forgery (CSRF)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2022-46862",
"datePublished": "2023-02-14T11:26:14.262Z",
"dateReserved": "2022-12-09T10:55:47.106Z",
"dateUpdated": "2025-01-13T15:56:51.820Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-4033 (GCVE-0-2022-4033)
Vulnerability from cvelistv5 – Published: 2022-11-29 20:25 – Updated: 2025-01-23 21:21
VLAI?
Summary
The Quiz and Survey Master plugin for WordPress is vulnerable to input validation bypass via the 'question[id]' parameter in versions up to, and including, 8.0.4 due to insufficient input validation that allows attackers to inject content other than the specified value (i.e. a number, file path, etc..). This makes it possible attackers to submit values other than the intended input type.
Severity ?
5.3 (Medium)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| expresstech | Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress |
Affected:
* , ≤ 8.0.4
(semver)
|
Credits
Luca Greeb
Andreas Krüger
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:27:54.187Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=2801761%40quiz-master-next\u0026new=2801761%40quiz-master-next\u0026sfp_email=\u0026sfph_mail="
},
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/vulnerability-advisories-continued/#CVE-2022-4033"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-4033",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-23T21:21:01.208690Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-23T21:21:19.029Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Quiz And Survey Master \u2013 Best Quiz, Exam and Survey Plugin for WordPress",
"vendor": "expresstech",
"versions": [
{
"lessThanOrEqual": "8.0.4",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Luca Greeb"
},
{
"lang": "en",
"type": "finder",
"value": "Andreas Kr\u00fcger"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Quiz and Survey Master plugin for WordPress is vulnerable to input validation bypass via the \u0027question[id]\u0027 parameter in versions up to, and including, 8.0.4 due to insufficient input validation that allows attackers to inject content other than the specified value (i.e. a number, file path, etc..). This makes it possible attackers to submit values other than the intended input type."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/A:N/I:L/C:N/S:U/UI:N/PR:N/AC:L/AV:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-20 Improper Input Validation",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-29T20:26:30.565Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=2801761%40quiz-master-next\u0026new=2801761%40quiz-master-next\u0026sfp_email=\u0026sfph_mail="
},
{
"url": "https://www.wordfence.com/vulnerability-advisories-continued/#CVE-2022-4033"
}
],
"timeline": [
{
"lang": "en",
"time": "2022-11-16T00:00:00.000+00:00",
"value": "Disclosed"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2022-4033",
"datePublished": "2022-11-29T20:25:26.881Z",
"dateReserved": "2022-11-16T18:34:37.160Z",
"dateUpdated": "2025-01-23T21:21:19.029Z",
"requesterUserId": "8d345d3f-a59e-4410-a440-fac6e918fcfc",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-4032 (GCVE-0-2022-4032)
Vulnerability from cvelistv5 – Published: 2022-11-29 20:23 – Updated: 2025-01-23 21:22
VLAI?
Summary
The Quiz and Survey Master plugin for WordPress is vulnerable to iFrame Injection via the 'question[id]' parameter in versions up to, and including, 8.0.4 due to insufficient input sanitization and output escaping that allowed iframe tags to be injected. This makes it possible for unauthenticated attackers to inject iFrames in pages that will execute whenever a user accesses an injected page.
Severity ?
7.2 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| expresstech | Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress |
Affected:
* , ≤ 8.0.4
(semver)
|
Credits
Luca Greeb
Andreas Krüger
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:27:54.191Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=2801761%40quiz-master-next\u0026new=2801761%40quiz-master-next\u0026sfp_email=\u0026sfph_mail="
},
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/vulnerability-advisories-continued/#CVE-2022-4032"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-4032",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-23T21:21:32.803511Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-23T21:22:40.015Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Quiz And Survey Master \u2013 Best Quiz, Exam and Survey Plugin for WordPress",
"vendor": "expresstech",
"versions": [
{
"lessThanOrEqual": "8.0.4",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Luca Greeb"
},
{
"lang": "en",
"type": "finder",
"value": "Andreas Kr\u00fcger"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Quiz and Survey Master plugin for WordPress is vulnerable to iFrame Injection via the \u0027question[id]\u0027 parameter in versions up to, and including, 8.0.4 due to insufficient input sanitization and output escaping that allowed iframe tags to be injected. This makes it possible for unauthenticated attackers to inject iFrames in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/A:N/I:L/C:L/S:C/UI:N/PR:N/AC:L/AV:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-20 Improper Input Validation",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-29T20:23:15.308Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=2801761%40quiz-master-next\u0026new=2801761%40quiz-master-next\u0026sfp_email=\u0026sfph_mail="
},
{
"url": "https://www.wordfence.com/vulnerability-advisories-continued/#CVE-2022-4032"
}
],
"timeline": [
{
"lang": "en",
"time": "2022-11-29T00:00:00.000+00:00",
"value": "Disclosed"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2022-4032",
"datePublished": "2022-11-29T20:23:15.308Z",
"dateReserved": "2022-11-16T18:33:38.566Z",
"dateUpdated": "2025-01-23T21:22:40.015Z",
"requesterUserId": "8d345d3f-a59e-4410-a440-fac6e918fcfc",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-24368 (GCVE-0-2021-24368)
Vulnerability from cvelistv5 – Published: 2021-06-20 12:31 – Updated: 2024-08-03 19:28
VLAI?
Title
Quiz And Survey Master < 7.1.18 - Reflected Cross-Site Scripting (XSS)
Summary
The Quiz And Survey Master – Best Quiz, Exam and Survey Plugin WordPress plugin before 7.1.18 did not sanitise or escape its result_id parameter when displaying an existing quiz result page, leading to a reflected Cross-Site Scripting issue. This could allow for privilege escalation by inducing a logged in admin to open a malicious link
Severity ?
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ExpressTech | Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress |
Affected:
7.1.18 , < 7.1.18
(custom)
|
Credits
renniepak
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:28:23.844Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/7f2fda5b-45a5-4fc6-968f-90bc9674c999"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Quiz And Survey Master \u2013 Best Quiz, Exam and Survey Plugin for WordPress",
"vendor": "ExpressTech",
"versions": [
{
"lessThan": "7.1.18",
"status": "affected",
"version": "7.1.18",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "renniepak"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Quiz And Survey Master \u2013 Best Quiz, Exam and Survey Plugin WordPress plugin before 7.1.18 did not sanitise or escape its result_id parameter when displaying an existing quiz result page, leading to a reflected Cross-Site Scripting issue. This could allow for privilege escalation by inducing a logged in admin to open a malicious link"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-20T12:31:32",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wpscan.com/vulnerability/7f2fda5b-45a5-4fc6-968f-90bc9674c999"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Quiz And Survey Master \u003c 7.1.18 - Reflected Cross-Site Scripting (XSS)",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24368",
"STATE": "PUBLIC",
"TITLE": "Quiz And Survey Master \u003c 7.1.18 - Reflected Cross-Site Scripting (XSS)"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Quiz And Survey Master \u2013 Best Quiz, Exam and Survey Plugin for WordPress",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "7.1.18",
"version_value": "7.1.18"
}
]
}
}
]
},
"vendor_name": "ExpressTech"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "renniepak"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Quiz And Survey Master \u2013 Best Quiz, Exam and Survey Plugin WordPress plugin before 7.1.18 did not sanitise or escape its result_id parameter when displaying an existing quiz result page, leading to a reflected Cross-Site Scripting issue. This could allow for privilege escalation by inducing a logged in admin to open a malicious link"
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/7f2fda5b-45a5-4fc6-968f-90bc9674c999",
"refsource": "CONFIRM",
"url": "https://wpscan.com/vulnerability/7f2fda5b-45a5-4fc6-968f-90bc9674c999"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24368",
"datePublished": "2021-06-20T12:31:32",
"dateReserved": "2021-01-14T00:00:00",
"dateUpdated": "2024-08-03T19:28:23.844Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-26524 (GCVE-0-2023-26524)
Vulnerability from nvd – Published: 2023-11-12 23:55 – Updated: 2025-01-08 21:39
VLAI?
Title
WordPress Quiz And Survey Master Plugin <= 8.0.10 is vulnerable to Cross Site Request Forgery (CSRF)
Summary
Cross-Site Request Forgery (CSRF) vulnerability in ExpressTech Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress plugin <= 8.0.10 versions.
Severity ?
4.3 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ExpressTech | Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress |
Affected:
n/a , ≤ 8.0.10
(custom)
|
Credits
Rio Darmawan (Patchstack Alliance)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:53:52.921Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/quiz-master-next/wordpress-quiz-and-survey-master-plugin-8-0-10-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-26524",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-22T17:10:02.613050Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-08T21:39:21.359Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "quiz-master-next",
"product": "Quiz And Survey Master \u2013 Best Quiz, Exam and Survey Plugin for WordPress",
"vendor": "ExpressTech",
"versions": [
{
"changes": [
{
"at": "8.1.0",
"status": "unaffected"
}
],
"lessThanOrEqual": "8.0.10",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Rio Darmawan (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in ExpressTech Quiz And Survey Master \u2013 Best Quiz, Exam and Survey Plugin for WordPress plugin \u0026lt;=\u003cspan style=\"background-color: var(--wht);\"\u003e\u0026nbsp;8.0.10 versions.\u003c/span\u003e"
}
],
"value": "Cross-Site Request Forgery (CSRF) vulnerability in ExpressTech Quiz And Survey Master \u2013 Best Quiz, Exam and Survey Plugin for WordPress plugin \u003c=\u00a08.0.10 versions."
}
],
"impacts": [
{
"capecId": "CAPEC-62",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-62 Cross Site Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-12T23:55:18.599Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/quiz-master-next/wordpress-quiz-and-survey-master-plugin-8-0-10-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to\u0026nbsp;8.1.0 or a higher version."
}
],
"value": "Update to\u00a08.1.0 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Quiz And Survey Master Plugin \u003c= 8.0.10 is vulnerable to Cross Site Request Forgery (CSRF)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-26524",
"datePublished": "2023-11-12T23:55:18.599Z",
"dateReserved": "2023-02-24T11:22:42.567Z",
"dateUpdated": "2025-01-08T21:39:21.359Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-0292 (GCVE-0-2023-0292)
Vulnerability from nvd – Published: 2023-06-09 05:33 – Updated: 2024-12-20 23:35
VLAI?
Summary
The Quiz And Survey Master plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 8.0.8. This is due to missing nonce validation on the function associated with the qsm_remove_file_fd_question AJAX action. This makes it possible for unauthenticated attackers to delete arbitrary media files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity ?
5.4 (Medium)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| expresstech | Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress |
Affected:
* , ≤ 8.0.8
(semver)
|
Credits
Julien Ahrens
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T05:02:44.181Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c75e6d27-7f6b-4bec-b653-c2024504f427?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://wordpress.org/plugins/quiz-master-next/"
},
{
"tags": [
"x_transferred"
],
"url": "https://packetstormsecurity.com/files/171011/wpqsm808-xsrf.txt"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/2834471/quiz-master-next"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-0292",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-20T23:23:10.484121Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-20T23:35:22.249Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Quiz And Survey Master \u2013 Best Quiz, Exam and Survey Plugin for WordPress",
"vendor": "expresstech",
"versions": [
{
"lessThanOrEqual": "8.0.8",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Julien Ahrens"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Quiz And Survey Master plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 8.0.8. This is due to missing nonce validation on the function associated with the qsm_remove_file_fd_question AJAX action. This makes it possible for unauthenticated attackers to delete arbitrary media files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-09T05:33:32.758Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c75e6d27-7f6b-4bec-b653-c2024504f427?source=cve"
},
{
"url": "https://wordpress.org/plugins/quiz-master-next/"
},
{
"url": "https://packetstormsecurity.com/files/171011/wpqsm808-xsrf.txt"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/2834471/quiz-master-next"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-01-13T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2023-01-18T00:00:00.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2023-02-08T00:00:00.000+00:00",
"value": "Disclosed"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2023-0292",
"datePublished": "2023-06-09T05:33:32.758Z",
"dateReserved": "2023-01-13T16:56:22.667Z",
"dateUpdated": "2024-12-20T23:35:22.249Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-0291 (GCVE-0-2023-0291)
Vulnerability from nvd – Published: 2023-06-09 05:33 – Updated: 2024-12-28 00:51
VLAI?
Summary
The Quiz And Survey Master for WordPress is vulnerable to authorization bypass due to a missing capability check on the function associated with the qsm_remove_file_fd_question AJAX action in versions up to, and including, 8.0.8. This makes it possible for unauthenticated attackers to delete arbitrary media files.
Severity ?
7.2 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| expresstech | Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress |
Affected:
* , ≤ 8.0.8
(semver)
|
Credits
Julien Ahrens
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T05:02:44.183Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/68110321-db1a-4634-98cd-0afd3ec933b8?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://wordpress.org/plugins/quiz-master-next/"
},
{
"tags": [
"x_transferred"
],
"url": "https://packetstormsecurity.com/files/171011/wpqsm808-xsrf.txt"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/2834471/quiz-master-next"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-0291",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-28T00:40:16.398641Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-28T00:51:57.705Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Quiz And Survey Master \u2013 Best Quiz, Exam and Survey Plugin for WordPress",
"vendor": "expresstech",
"versions": [
{
"lessThanOrEqual": "8.0.8",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Julien Ahrens"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Quiz And Survey Master for WordPress is vulnerable to authorization bypass due to a missing capability check on the function associated with the qsm_remove_file_fd_question AJAX action in versions up to, and including, 8.0.8. This makes it possible for unauthenticated attackers to delete arbitrary media files."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-862 Missing Authorization",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-09T05:33:19.875Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/68110321-db1a-4634-98cd-0afd3ec933b8?source=cve"
},
{
"url": "https://wordpress.org/plugins/quiz-master-next/"
},
{
"url": "https://packetstormsecurity.com/files/171011/wpqsm808-xsrf.txt"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/2834471/quiz-master-next"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-02-15T00:00:00.000+00:00",
"value": "Disclosed"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2023-0291",
"datePublished": "2023-06-09T05:33:19.875Z",
"dateReserved": "2023-01-13T16:54:28.658Z",
"dateUpdated": "2024-12-28T00:51:57.705Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-46862 (GCVE-0-2022-46862)
Vulnerability from nvd – Published: 2023-02-14 11:26 – Updated: 2025-01-13 15:56
VLAI?
Title
WordPress Quiz And Survey Master Plugin <= 8.0.7 is vulnerable to Cross Site Request Forgery (CSRF)
Summary
Cross-Site Request Forgery (CSRF) vulnerability in ExpressTech Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress plugin <= 8.0.7 versions.
Severity ?
4.3 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ExpressTech | Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress |
Affected:
n/a , ≤ 8.0.7
(custom)
|
Credits
Oliver K. (Patchstack Alliance)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T14:39:38.735Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/quiz-master-next/wordpress-quiz-and-survey-master-plugin-8-0-7-cross-site-request-forgery-csrf?_s_id=cve"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-46862",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-13T15:31:16.819022Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-13T15:56:51.820Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "quiz-master-next",
"product": "Quiz And Survey Master \u2013 Best Quiz, Exam and Survey Plugin for WordPress",
"vendor": "ExpressTech",
"versions": [
{
"changes": [
{
"at": "8.0.8",
"status": "unaffected"
}
],
"lessThanOrEqual": "8.0.7",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Oliver K. (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in ExpressTech Quiz And Survey Master \u2013 Best Quiz, Exam and Survey Plugin for WordPress plugin \u0026lt;=\u003cspan style=\"background-color: var(--wht);\"\u003e\u0026nbsp;8.0.7 versions.\u003c/span\u003e"
}
],
"value": "Cross-Site Request Forgery (CSRF) vulnerability in ExpressTech Quiz And Survey Master \u2013 Best Quiz, Exam and Survey Plugin for WordPress plugin \u003c=\u00a08.0.7 versions."
}
],
"impacts": [
{
"capecId": "CAPEC-62",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-62 Cross Site Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-14T11:26:14.262Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/quiz-master-next/wordpress-quiz-and-survey-master-plugin-8-0-7-cross-site-request-forgery-csrf?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to\u0026nbsp;8.0.8 or a higher version."
}
],
"value": "Update to\u00a08.0.8 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Quiz And Survey Master Plugin \u003c= 8.0.7 is vulnerable to Cross Site Request Forgery (CSRF)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2022-46862",
"datePublished": "2023-02-14T11:26:14.262Z",
"dateReserved": "2022-12-09T10:55:47.106Z",
"dateUpdated": "2025-01-13T15:56:51.820Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-4033 (GCVE-0-2022-4033)
Vulnerability from nvd – Published: 2022-11-29 20:25 – Updated: 2025-01-23 21:21
VLAI?
Summary
The Quiz and Survey Master plugin for WordPress is vulnerable to input validation bypass via the 'question[id]' parameter in versions up to, and including, 8.0.4 due to insufficient input validation that allows attackers to inject content other than the specified value (i.e. a number, file path, etc..). This makes it possible attackers to submit values other than the intended input type.
Severity ?
5.3 (Medium)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| expresstech | Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress |
Affected:
* , ≤ 8.0.4
(semver)
|
Credits
Luca Greeb
Andreas Krüger
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:27:54.187Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=2801761%40quiz-master-next\u0026new=2801761%40quiz-master-next\u0026sfp_email=\u0026sfph_mail="
},
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/vulnerability-advisories-continued/#CVE-2022-4033"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-4033",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-23T21:21:01.208690Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-23T21:21:19.029Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Quiz And Survey Master \u2013 Best Quiz, Exam and Survey Plugin for WordPress",
"vendor": "expresstech",
"versions": [
{
"lessThanOrEqual": "8.0.4",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Luca Greeb"
},
{
"lang": "en",
"type": "finder",
"value": "Andreas Kr\u00fcger"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Quiz and Survey Master plugin for WordPress is vulnerable to input validation bypass via the \u0027question[id]\u0027 parameter in versions up to, and including, 8.0.4 due to insufficient input validation that allows attackers to inject content other than the specified value (i.e. a number, file path, etc..). This makes it possible attackers to submit values other than the intended input type."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/A:N/I:L/C:N/S:U/UI:N/PR:N/AC:L/AV:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-20 Improper Input Validation",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-29T20:26:30.565Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=2801761%40quiz-master-next\u0026new=2801761%40quiz-master-next\u0026sfp_email=\u0026sfph_mail="
},
{
"url": "https://www.wordfence.com/vulnerability-advisories-continued/#CVE-2022-4033"
}
],
"timeline": [
{
"lang": "en",
"time": "2022-11-16T00:00:00.000+00:00",
"value": "Disclosed"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2022-4033",
"datePublished": "2022-11-29T20:25:26.881Z",
"dateReserved": "2022-11-16T18:34:37.160Z",
"dateUpdated": "2025-01-23T21:21:19.029Z",
"requesterUserId": "8d345d3f-a59e-4410-a440-fac6e918fcfc",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-4032 (GCVE-0-2022-4032)
Vulnerability from nvd – Published: 2022-11-29 20:23 – Updated: 2025-01-23 21:22
VLAI?
Summary
The Quiz and Survey Master plugin for WordPress is vulnerable to iFrame Injection via the 'question[id]' parameter in versions up to, and including, 8.0.4 due to insufficient input sanitization and output escaping that allowed iframe tags to be injected. This makes it possible for unauthenticated attackers to inject iFrames in pages that will execute whenever a user accesses an injected page.
Severity ?
7.2 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| expresstech | Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress |
Affected:
* , ≤ 8.0.4
(semver)
|
Credits
Luca Greeb
Andreas Krüger
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:27:54.191Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=2801761%40quiz-master-next\u0026new=2801761%40quiz-master-next\u0026sfp_email=\u0026sfph_mail="
},
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/vulnerability-advisories-continued/#CVE-2022-4032"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-4032",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-23T21:21:32.803511Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-23T21:22:40.015Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Quiz And Survey Master \u2013 Best Quiz, Exam and Survey Plugin for WordPress",
"vendor": "expresstech",
"versions": [
{
"lessThanOrEqual": "8.0.4",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Luca Greeb"
},
{
"lang": "en",
"type": "finder",
"value": "Andreas Kr\u00fcger"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Quiz and Survey Master plugin for WordPress is vulnerable to iFrame Injection via the \u0027question[id]\u0027 parameter in versions up to, and including, 8.0.4 due to insufficient input sanitization and output escaping that allowed iframe tags to be injected. This makes it possible for unauthenticated attackers to inject iFrames in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/A:N/I:L/C:L/S:C/UI:N/PR:N/AC:L/AV:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-20 Improper Input Validation",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-29T20:23:15.308Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=2801761%40quiz-master-next\u0026new=2801761%40quiz-master-next\u0026sfp_email=\u0026sfph_mail="
},
{
"url": "https://www.wordfence.com/vulnerability-advisories-continued/#CVE-2022-4032"
}
],
"timeline": [
{
"lang": "en",
"time": "2022-11-29T00:00:00.000+00:00",
"value": "Disclosed"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2022-4032",
"datePublished": "2022-11-29T20:23:15.308Z",
"dateReserved": "2022-11-16T18:33:38.566Z",
"dateUpdated": "2025-01-23T21:22:40.015Z",
"requesterUserId": "8d345d3f-a59e-4410-a440-fac6e918fcfc",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-24368 (GCVE-0-2021-24368)
Vulnerability from nvd – Published: 2021-06-20 12:31 – Updated: 2024-08-03 19:28
VLAI?
Title
Quiz And Survey Master < 7.1.18 - Reflected Cross-Site Scripting (XSS)
Summary
The Quiz And Survey Master – Best Quiz, Exam and Survey Plugin WordPress plugin before 7.1.18 did not sanitise or escape its result_id parameter when displaying an existing quiz result page, leading to a reflected Cross-Site Scripting issue. This could allow for privilege escalation by inducing a logged in admin to open a malicious link
Severity ?
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ExpressTech | Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress |
Affected:
7.1.18 , < 7.1.18
(custom)
|
Credits
renniepak
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:28:23.844Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/7f2fda5b-45a5-4fc6-968f-90bc9674c999"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Quiz And Survey Master \u2013 Best Quiz, Exam and Survey Plugin for WordPress",
"vendor": "ExpressTech",
"versions": [
{
"lessThan": "7.1.18",
"status": "affected",
"version": "7.1.18",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "renniepak"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Quiz And Survey Master \u2013 Best Quiz, Exam and Survey Plugin WordPress plugin before 7.1.18 did not sanitise or escape its result_id parameter when displaying an existing quiz result page, leading to a reflected Cross-Site Scripting issue. This could allow for privilege escalation by inducing a logged in admin to open a malicious link"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-20T12:31:32",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wpscan.com/vulnerability/7f2fda5b-45a5-4fc6-968f-90bc9674c999"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Quiz And Survey Master \u003c 7.1.18 - Reflected Cross-Site Scripting (XSS)",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24368",
"STATE": "PUBLIC",
"TITLE": "Quiz And Survey Master \u003c 7.1.18 - Reflected Cross-Site Scripting (XSS)"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Quiz And Survey Master \u2013 Best Quiz, Exam and Survey Plugin for WordPress",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "7.1.18",
"version_value": "7.1.18"
}
]
}
}
]
},
"vendor_name": "ExpressTech"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "renniepak"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Quiz And Survey Master \u2013 Best Quiz, Exam and Survey Plugin WordPress plugin before 7.1.18 did not sanitise or escape its result_id parameter when displaying an existing quiz result page, leading to a reflected Cross-Site Scripting issue. This could allow for privilege escalation by inducing a logged in admin to open a malicious link"
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/7f2fda5b-45a5-4fc6-968f-90bc9674c999",
"refsource": "CONFIRM",
"url": "https://wpscan.com/vulnerability/7f2fda5b-45a5-4fc6-968f-90bc9674c999"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24368",
"datePublished": "2021-06-20T12:31:32",
"dateReserved": "2021-01-14T00:00:00",
"dateUpdated": "2024-08-03T19:28:23.844Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}