The Wordfence Threat Intelligence team detected two vulnerabilities in Quiz and Survey Master (QSM), a WordPress plugin that is installed on over 30,000 sites.
These flaws made it possible for unauthenticated attackers to upload arbitrary files and achieve remote code execution, as well as delete arbitrary files such as a site’s wp-config.php file, which could effectively take a site offline and allow an attacker to take over the vulnerable site.
How Quiz and Survey Master is used in WordPress
Quiz and Survey Master is used in WordPress to add quizzes and surveys to sites. One of its features allows site owners to implement file uploads as a response type for a quiz or survey, which could be useful in a number of scenarios, such as a job application questionnaire with a PDF resume upload at the end.
How two file upload vulnerabilities were found in Quiz and Survey Master (QSM)
The check, however, revealed that this file upload feature was insecurely implemented. The checks performed before a file upload was allowed only evaluated how the general settings were configured for the file upload question. For example, they checked which file type was selected as “allowed” and the permitted file size, per user-specified settings.
The check to verify file type only looked at the “Content-Type” field during an upload, which could be easily spoofed. This meant that if a quiz contained a file upload that was configured to only accept .txt files, an executable PHP file could be uploaded by setting the “Content-Type” field to ‘text/plain’ to bypass the plugin’s weak checks.
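The weak check described above, next to a hardened one, as an added example that is not QSM's code or its 7.0.1 patch. The function names and the sample upload are hypothetical, and the hardened version assumes PHP's fileinfo extension is available.

```php
<?php
// Added example, not QSM's code. $upload mimics one $_FILES entry.

// Weak: trusts the Content-Type sent by the client, as the article describes.
function weak_is_allowed(array $upload, array $allowedTypes): bool
{
    return in_array($upload['type'], $allowedTypes, true);
}

// Hardened: ignores $upload['type']. The extension allowlist is the main
// control, because the web server decides what to execute by extension.
// Returns a server-chosen storage name, or null when the upload is rejected.
function hardened_check(array $upload, array $allowed): ?string
{
    $ext = strtolower(pathinfo($upload['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return null;                        // extension not on the allowlist
    }
    // Sniff the type from the file's bytes instead of the request header.
    $finfo   = new finfo(FILEINFO_MIME_TYPE);
    $sniffed = $finfo->file($upload['tmp_name']);
    if ($sniffed !== $allowed[$ext]) {
        return null;                        // content does not match the extension
    }
    // Never reuse the client's file name when storing the upload.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample: a script sent with a spoofed Content-Type of text/plain.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "<?php echo 'constructed sample'; ?>\n");
$upload = ['name' => 'resume.php', 'type' => 'text/plain', 'tmp_name' => $tmp];

// Quiz configured to accept .txt only: extension => expected sniffed type.
$allowed = ['txt' => 'text/plain'];

var_dump(weak_is_allowed($upload, array_values($allowed)));  // weak check result
var_dump(hardened_check($upload, $allowed));                 // hardened check result
unlink($tmp);
```

Storing uploads outside the web root, or in a directory where script execution is disabled, limits the impact if a check like this is ever bypassed.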
The mitigating factor is that the file upload functionality has to be enabled and configured for a quiz in order to be exploitable, meaning that most sites were unlikely to be exploited through this particular vulnerability. However, sites with contributor-level, or higher, users with access to the quiz maker tools could still be vulnerable to exploits targeting this vulnerability if an account were compromised. A compromised user account could allow an attacker to create quizzes allowing file uploads to achieve the same goal.
Vulnerabilities fully patched in Quiz and Survey Master version 7.0.1
These flaws have been fully patched in Quiz and Survey Master version 7.0.1. Users are urged to immediately update to the latest version available, which is also version 7.0.1 at the time of this publication.
It is highly recommended that WordPress site admins only grant access levels above subscriber-level to trusted users, and enforce strong passwords on these roles so that attackers can’t use these accounts as a means of intrusion.
Read more about this vulnerability on the Wordfence Blog