A significant sensitive information disclosure vulnerability (CVE-2022-42883) has been discovered in the Quiz And Survey Master (QSM) plugin for WordPress, affecting versions 7.3.10 and below. The QSM plugin is widely used for creating and managing quizzes and surveys in WordPress, with over 30,000 active installs. This vulnerability exposes potentially valuable and sensitive user data to the public, putting website administrators and users at risk.

Details of the Vulnerability

The vulnerability stems from an insufficient check on user access permissions, which lets unauthenticated users reach sensitive data. The QSM plugin registers an AJAX action with the wp_ajax_nopriv_* hook, which makes that action available to visitors who are not logged in. As a result, quiz and survey results can be enumerated and leaked.

Here's a code snippet illustrating the issue with the QSM plugin (<= 7.3.10) and the use of the "wp_ajax_nopriv_*" hook:

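```php
// Handler for logged-in users.
add_action('wp_ajax_qsm_load_all_attempts', 'qsm_load_all_attempts');
// Same handler exposed to requests from visitors who are not logged in.
add_action('wp_ajax_nopriv_qsm_load_all_attempts', 'qsm_load_all_attempts');

function qsm_load_all_attempts() {
    global $wpdb;

    // Loads and fetches data
    // (no capability or nonce check is performed before the data is returned)
}
```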

The *wp_ajax_nopriv_qsm_load_all_attempts* line registers the *qsm_load_all_attempts()* function, which is responsible for loading and fetching quiz and survey attempts data. Since the function is registered with the *wp_ajax_nopriv_* hook, it is accessible by any user, authenticated or not. This code issue is what leads to the sensitive data disclosure.
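For comparison, a hardened form of the same handler, written here as an added example and not taken from the QSM 7.3.11 patch or any project code. The function name `qsm_load_all_attempts_hardened`, the `manage_options` capability, the nonce action and field names, and the placeholder table `example_quiz_results` with its `quiz_id` column are assumptions made for illustration.

```php
<?php
// Added example, not the QSM project's code. Assumptions: the capability
// 'manage_options', the nonce action 'qsm_load_all_attempts_nonce' sent in
// a 'nonce' field, and the placeholder table 'example_quiz_results'.

// Register the handler for logged-in users only. With no wp_ajax_nopriv_*
// registration, admin-ajax.php does not dispatch this action for
// requests from visitors who are not logged in.
add_action( 'wp_ajax_qsm_load_all_attempts', 'qsm_load_all_attempts_hardened' );

function qsm_load_all_attempts_hardened() {
    global $wpdb;

    // wp_ajax_* only proves the caller is logged in (a subscriber qualifies),
    // so the capability is checked explicitly before any data is read.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // Require a nonce issued to this session so the request cannot be
    // triggered cross-site; false = return the result instead of dying.
    if ( ! check_ajax_referer( 'qsm_load_all_attempts_nonce', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce' ), 403 );
    }

    // Coerce the client-supplied ID to a non-negative integer.
    $quiz_id = isset( $_POST['quizID'] ) ? absint( $_POST['quizID'] ) : 0;
    if ( 0 === $quiz_id ) {
        wp_send_json_error( array( 'message' => 'Missing quizID' ), 400 );
    }

    // Placeholder table name; the query is parameterised with prepare().
    $table = $wpdb->prefix . 'example_quiz_results';
    $rows  = $wpdb->get_results(
        $wpdb->prepare( "SELECT * FROM {$table} WHERE quiz_id = %d", $quiz_id ),
        ARRAY_A
    );

    // wp_send_json_* sends the response and ends the request.
    wp_send_json_success( $rows );
}
```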

1. Retrieve the quiz or survey ID from the WordPress page:

```html
<!-- Example of quiz/survey HTML element with the attribute "data-quiz" -->
<div id="quiz" data-quiz="123"></div>
```

2. Using the retrieved ID, send a POST request to wp-admin/admin-ajax.php with the following parameters:

```
action: qsm_load_all_attempts
quizID: 123
```

3. The response will contain sensitive information about all quiz attempts, including IP addresses, names, email addresses, and individual answers.

Original References and Credits

We would like to extend our gratitude to the following for discovering this vulnerability and providing a prompt response:

- WPScan Vulnerability Database - Quiz And Survey Master Sensitive Information Disclosure
- Changelog for Quiz and Survey Master - QSM 7.3.11

_Remember to always keep your plugins and WordPress installation updated for maximum security and performance._

Timeline

Published on: 11/18/2022 23:15:00 UTC
Last modified on: 11/22/2022 20:39:00 UTC