WordPress Plugin Vulnerabilities
Quiz And Survey Master < 8.0.9 - Unauthenticated Arbitrary Media File Delete
Description
The plugin does not properly check user capabilities for the qsm_remove_file_fd_question AJAX action, enabling unauthorized users to delete arbitrary media files. It also does not properly validate nonce on the qsm_remove_file_fd_question AJAX action, resulting in a Cross-Site Request Forgery vulnerability
Affects Plugins
Fixed in 8.0.9 References
Classification
Type
NO AUTHORISATION
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Julien Ahrens
Verified
No
WPVDB ID
Timeline
Publicly Published
2023-02-08 (about 3 years ago)
Added
2023-06-09 (about 2 years ago)
Last Updated
2023-06-09 (about 2 years ago)
WPScan 