CVSS2: 7.5 High
  Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL

CVSS3: 10 High
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: CHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH

AI Score: 6.9 Medium (Confidence: Low)

EPSS: 0.012 Low (Percentile: 85.4%)
The WordPress plugin
# Copyright (C) 2020 Greenbone Networks GmbH
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-or-later
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

if (description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.112813");
  script_version("2023-10-20T16:09:12+0000");
  script_tag(name:"last_modification", value:"2023-10-20 16:09:12 +0000 (Fri, 20 Oct 2023)");
  script_tag(name:"creation_date", value:"2020-08-20 11:42:00 +0000 (Thu, 20 Aug 2020)");
  script_tag(name:"cvss_base", value:"7.5");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_tag(name:"severity_vector", value:"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H");
  script_tag(name:"severity_origin", value:"NVD");
  script_tag(name:"severity_date", value:"2021-01-12 21:08:00 +0000 (Tue, 12 Jan 2021)");

  script_cve_id("CVE-2020-35949", "CVE-2020-35951");

  script_tag(name:"qod_type", value:"remote_banner");

  script_tag(name:"solution_type", value:"VendorFix");

  script_name("WordPress Quiz And Survey Master Plugin < 7.0.1 Multiple Vulnerabilities");

  script_category(ACT_GATHER_INFO);

  script_copyright("Copyright (C) 2020 Greenbone Networks GmbH");
  script_family("Web application abuses");
  script_dependencies("gb_wordpress_plugin_http_detect.nasl");
  script_mandatory_keys("wordpress/plugin/quiz-master-next/detected");

  script_tag(name:"summary", value:"The WordPress plugin 'Quiz And Survey Master' is prone to multiple
vulnerabilities.");

  script_tag(name:"insight", value:"If a quiz contained a file upload which was configured to only
accept .txt files, an executable PHP file could be uploaded by setting the 'Content-Type' field to
'text/plain' to bypass the plugin's weak checks. This meant that unauthenticated users could upload
arbitrary files, including PHP files, to a site and achieve remote code execution when there was a
quiz enabled on the site that allowed file uploads as a response.

Additionally, Quiz and Survey Master provides file deletion functionality to remove any files that
were uploaded during the quiz. The 'qsm_remove_file_fd_question' function is registered with a
regular AJAX action and a nopriv AJAX action. This meant that the function could be triggered by
unauthenticated users, which is to be expected due to the quizzes not requiring authentication.
Unfortunately, there were no checks when verifying that the file_url supplied for file deletion was
from a quiz or survey upload, so any file could be supplied and subsequently removed. This made it
possible for attackers to delete important files like a site's wp-config.php file.");

  script_tag(name:"impact", value:"Successful exploitation would lead to complete site takeover and
hosting account compromise amongst many other scenarios.

Deleting the wp-config.php file would disable a site's database connection and allow an attacker to
re-complete the installation procedures to connect their own database to a site's file system and
regenerate a wp-config.php file. At that point they could use this access to infect other sites on
the site's hosting account, or continue to use the site to infect site visitors.");

  script_tag(name:"affected", value:"WordPress Quiz And Survey Master plugin before version 7.0.1.");

  script_tag(name:"solution", value:"Update to version 7.0.1 or later.");

  script_xref(name:"URL", value:"https://www.wordfence.com/blog/2020/08/critical-vulnerabilities-patched-in-quiz-and-survey-master-plugin/");

  exit(0);
}

CPE = "cpe:/a:expresstech:quiz_and_survey_master";

include("host_details.inc");
include("version_func.inc");

if( ! port = get_app_port( cpe: CPE ) )
  exit( 0 );

if( ! infos = get_app_version_and_location( cpe: CPE, port: port, exit_no_version: TRUE ) )
  exit( 0 );

version = infos["version"];
location = infos["location"];

if( version_is_less( version: version, test_version: "7.0.1" ) ) {
  report = report_fixed_ver( installed_version: version, fixed_version: "7.0.1", install_path: location );
  security_message( port: port, data: report );
  exit( 0 );
}

exit( 99 );