Quiz and Survey Master (QSM) < 9.1.1 – Contributor+ Stored XSS | CVE 2024-6879 | Plugin Vulnerabilities

Description

The plugin fails to validate and escape certain Quiz fields before displaying them on a page or post where the Quiz is embedded, which could allows contributor and above roles to perform Stored Cross-Site Scripting (XSS) attacks.

Proof of Concept

1. Login with a Contributor role and go to the Quiz and Survey Master (QSM) plugin 
2. Click on the Quizzes & Surveys and create/edit a quiz 
3. Inject the following XSS payload in the "Results Page" > "redirect the user by entering the URL below" field: javascript:alert(document.domain)
4. Save the Results Page, and paste the Quizz shortcode into one of the posts/pages.
5. Whenever an unauthenticated user visits this page and submit a Quizz, the XSS will trigger

Affects Plugins

quiz-master-next

Fixed in 9.1.1

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Bereket Miheret

Submitter

Bereket Miheret

Submitter website

https://www.linkedin.com/in/bereketmiheret/

Verified

Yes

WPVDB ID

4da0b318-03e7-409d-9b02-f108e4232c87

Timeline

Publicly Published

2024-08-05 (about 1 year ago)

Added

2024-08-05 (about 1 year ago)

Last Updated

2024-08-05 (about 1 year ago)

Other

Published

Title

Published

2013-09-24

Title

Sharebar < 1.4.1 - Reflected Cross-Site Scripting (XSS)

Published

2024-12-30

Title

Arconix Shortcodes < 2.1.16 - Reflected Cross-Site Scripting

Published

2024-07-22

Title

Pretty Simple Popup Builder < 1.0.10 - Admin+ Stored XSS

Published

2024-09-30

Title

Online Booking & Scheduling Calendar for WordPress by vcita < 4.5 - Reflected Cross-Site Scripting

Published

2024-06-20

Title

Accordions <= 2.3.5 - Authenticated (Administrator+) Stored Cross-Site Scripting