WordPress Plugin Vulnerabilities

WP-Pro-Quiz <= 0.37 - Arbitrary Quiz Deletion via CSRF

Description

The plugin does not have CSRF check in place when deleting a quiz, which could allow an attacker to make a logged in admin delete arbitrary quiz on the blog

Proof of Concept

Affects Plugins

Plugin icon
wp-pro-quiz
No known fix

References

CVE
CVE-2020-36504
URL
https://medium.com/@hoanhp/0-days-story-1-wp-pro-quiz-2115dd77a6d4

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
HoanHP
Submitter
hoan
Submitter twitter
HoanHP
Verified
Yes
WPVDB ID
83679b90-faa5-454e-924c-89f388eccbd1

Timeline

Publicly Published
2020-06-22 (about 5 years ago)
Added
2020-06-22 (about 5 years ago)
Last Updated
2022-04-08 (about 3 years ago)

Other

Published
Title
Published
2025-02-24
Title
All-In-One Cufon <= 1.3.0 - Cross-Site Request Forgery
Published
2024-04-11
Title
WP Compress – Image Optimizer [All-In-One] < 6.11.01 - Cross-Site Request Forgery
Published
2023-02-20
Title
Social Login WP <= 5.0.0.0 - CSRF
Published
2024-04-10
Title
EWWW Image Optimizer < 7.3.0 - Cross-Site Request Forgery
Published
2024-11-01
Title
Responsive Flickr Gallery <= 1.3.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting