Quiz And Survey Master < 8.1.19 – Multiple Cross-Site Request Forgery | Plugin Vulnerabilities

Description

The plugin is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 8.1.18. This is due to missing or incorrect nonce validation on multiple functions. This makes it possible for unauthenticated attackers to show disabled contact fields and delete quiz results via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

quiz-master-next

Fixed in 8.1.19

References

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/91c5a83a-679c-405b-973d-a2255d2bced2

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Verified

No

WPVDB ID

070b8232-4a24-40aa-835f-48b9a103fd59

Timeline

Publicly Published

2023-11-08 (about 2 years ago)

Added

2024-01-12 (about 2 years ago)

Last Updated

2024-01-12 (about 2 years ago)

Other

Published

Title

Published

2025-02-03

Title

GlobalQuran <= 1.0 - Cross-Site Request Forgery to Settings Update

Published

2023-11-16

Title

Easy Call Now by ThikShare <= 1.1.0 - Cross-Site Request Forgery via settings_page

Published

2023-09-05

Title

WP Gallery Metabox <= 1.0.0 - Settings Update via CSRF

Published

2025-09-22

Title

WP Attractive Donations System < 1.29 - Cross-Site Request Forgery

Published

2020-09-16

Title

Import / Export Customizer Settings < 1.0.4 - Cross-Site Request Forgery