WordPress Plugin Vulnerabilities
Quiz And Survey Master < 7.1.18 - Reflected Cross-Site Scripting (XSS)
Description
The plugin did not sanitise or escape its result_id parameter when displaying an existing quiz result page, leading to a reflected Cross-Site Scripting issue. This could allow for privilege escalation by inducing a logged in admin to open a malicious link
Proof of Concept
https://example.com/quiz/test-quiz/?result_id=1597bc5d9f9a2c9659152522904df0c0%3C%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E Reproduction steps: 1) Create a quiz. 2) In the "results pages" tab add the %RESULT_LINK% template to display a link to your result when finishing the quiz. 3) Publish your quiz or click the preview button. 4) Take the quiz and copy your results link: format: https://[wp-host]/quiz/[quiz-name]/?result_id=[result_id] 5) Append <"><script>alert(document.domain)</script> to the result_id and reload the page. Note (WPScanTeam): As the affected function is hooked to the wp_head action, only the result_id is required to perform the attack, no need to go to the quiz page, ie https://example.com/?result_id=1597bc5d9f9a2c9659152522904df0c0%3C%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E
Affects Plugins
Fixed in version 7.1.18
References
Classification
Miscellaneous
Original Researcher
renniepak
Submitter
renniepak
Submitter twitter
Verified
Yes
Timeline
Publicly Published
2021-06-03 (about 1 years ago)
Added
2021-06-03 (about 1 years ago)
Last Updated
2022-01-02 (about 11 months ago)