CVE-2024-5606

2024-07-0206:15:04

CWE-89

[email protected]

web.nvd.nist.gov

wordpress

qsm

sql injection

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.2 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.2%

JSON

The Quiz and Survey Master (QSM) WordPress plugin before 9.0.2 is vulnerable does not validate and escape the question_id parameter in the qsm_bulk_delete_question_from_database AJAX action, leading to a SQL injection exploitable by Contributors and above role

Affected configurations

Vulners

NVD

Node

quizandsurveymasterquiz_and_survey_masterRange<9.0.2

CPENameOperatorVersion
expresstech:quiz_and_survey_masterexpresstech quiz and survey masterlt9.0.2

CPE	Name	Operator	Version
expresstech:quiz_and_survey_master	expresstech quiz and survey master	lt	9.0.2

CNA Affected

[
  {
    "vendor": "Unknown",
    "product": "Quiz and Survey Master (QSM) ",
    "versions": [
      {
        "status": "affected",
        "versionType": "semver",
        "version": "0",
        "lessThan": "9.0.2"
      }
    ],
    "defaultStatus": "unaffected"
  }
]