A WordPress plugin that lets site owners create custom quizzes, exams and surveys has patched two critical vulnerabilities. The flaws could allow remote attackers to mount a range of attacks against vulnerable websites, up to and including taking full control of the site.
The plugin, Quiz And Survey Master (QSM), has more than 30,000 active installations. The two critical vulnerabilities found by researchers are an arbitrary file upload flaw, rated 10 out of 10 on the CVSS scale, and an unauthenticated arbitrary file deletion bug, rated 9.9 out of 10.
A patch for both issues is available in version 7.0.1 of the plugin, said Wordfence researchers, who disclosed the flaws in a Thursday post.
“The unauthenticated arbitrary file-deletion vulnerability that was present in the plugin is pretty significant,” said Chloe Chamberland, Wordfence threat analyst. “Any of the 30,000 sites running the plugin are subject to any file being deleted (granted they are running a vulnerable version), which includes the wp-config.php file, by unauthenticated site users.”
Both vulnerabilities originate in a plugin feature that allows site owners to accept a file upload as an answer to a quiz or survey question. For example, if a website hosts a job-application questionnaire, the feature gives applicants the option of uploading a PDF resume at the end.
Researchers found the function was insecurely implemented
“The check to verify file type only looked at the ‘Content-Type’ field during an upload, which could be easily spoofed,” researchers said. “This meant that if a quiz contained a file upload which was configured to only accept .txt files, an executable PHP file could be uploaded by setting the ‘Content-Type’ field to ‘text/plain’ to bypass the plugin’s weak checks.”
In a real-world attack, unauthenticated users could leverage this flaw to upload arbitrary malicious files, including PHP files, which would allow them to achieve remote code execution. Ultimately, “this could lead to complete site takeover and hosting account compromise, among many other scenarios,” researchers said.
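To make the bypass concrete, the following is an added example written for this article, not code from the Quiz And Survey Master plugin: a check that trusts the client-supplied Content-Type, as the researchers describe, beside a hardened check that ignores it. The `qsm_demo_*` function names, the `quiz_answer_file` field name and the allow-list contents are placeholders; the WordPress functions called (`wp_check_filetype_and_ext`, `wp_handle_upload`, `sanitize_file_name`, `wp_send_json_error`) are real core APIs.

```php
<?php
// Added example for this article; not the plugin's code. qsm_demo_* names are placeholders.

/**
 * WEAK: the only check is $_FILES[...]['type'], which PHP copies verbatim from the
 * request's Content-Type header. A request that ships shell.php with
 * "Content-Type: text/plain" therefore passes a .txt-only filter.
 */
function qsm_demo_weak_type_check( array $file, array $allowed_mimes ) {
	return in_array( $file['type'], $allowed_mimes, true );
}

/**
 * HARDENED: never consult the claimed type. Check the extension against an explicit
 * allow-list and let WordPress sniff the actual bytes; reject on any disagreement.
 * $allowed_mimes is the 'ext' => 'mime' map WordPress uses, e.g. array( 'txt' => 'text/plain' ).
 */
function qsm_demo_strong_type_check( array $file, array $allowed_mimes ) {
	$check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed_mimes );
	// 'ext' and 'type' come back empty when the extension is not in the allow-list or
	// when the sniffed content (text/x-php for PHP source renamed .txt) disagrees with it.
	if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
		return false;
	}
	// Defence in depth: refuse anything a web server might execute, including double
	// extensions such as shell.php.txt on hosts with a permissive Apache handler config.
	if ( preg_match( '/\.(php\d?|phtml|phar)(\.|$)/i', $file['name'] ) ) {
		return false;
	}
	return true;
}

/**
 * Handler for one quiz answer of type "file upload". Returns the stored path on
 * success; sends a JSON error and exits otherwise.
 */
function qsm_demo_store_answer_file( array $file ) {
	$allowed_mimes = array( 'txt' => 'text/plain', 'pdf' => 'application/pdf' );

	if ( ! qsm_demo_strong_type_check( $file, $allowed_mimes ) ) {
		wp_send_json_error( 'File type not permitted', 400 );
	}

	// Neutralise the name and hand the same allow-list to wp_handle_upload so the core
	// upload path re-validates the file and refuses to write executable types.
	$file['name'] = sanitize_file_name( $file['name'] );
	$result       = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed_mimes ) );

	if ( isset( $result['error'] ) ) {
		wp_send_json_error( $result['error'], 400 );
	}
	return $result['file'];
}

// Wiring inside the form/AJAX handler; 'quiz_answer_file' is a hypothetical field name.
// qsm_demo_store_answer_file( $_FILES['quiz_answer_file'] );
```

Independently of the plugin-side check, a practitioner should confirm that the web server does not execute PHP from the uploads directory at all (an Apache `.htaccess` or an nginx `location` rule denying `.php` under `wp-content/uploads`), so that a bypass of any single validation step does not become remote code execution.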
Meanwhile, the arbitrary file-deletion flaw lies in the plugin code that removes files uploaded during a quiz. Because the AJAX action behind the file-deletion functionality was not authenticated, an unauthenticated user could delete important files, such as a site’s wp-config.php. This is a core WordPress file that contains the database details, including the database name, username and password, that WordPress uses to connect to the database to store and retrieve data.
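The pattern the researchers describe, an AJAX delete handler reachable by logged-out visitors that acts on a caller-controlled path, is illustrated below beside a hardened version. This is an added example written for this article, not the plugin’s code; the `qsm_demo_*` action, function and directory names are placeholders, while `add_action`, `check_ajax_referer`, `current_user_can`, `wp_upload_dir`, `sanitize_file_name`, `wp_unslash`, `wp_delete_file` and `wp_send_json_*` are real WordPress core APIs.

```php
<?php
// Added example for this article; not the plugin's code. The qsm_demo_* action and
// function names and the qsm_demo upload subdirectory are placeholders.

/**
 * WEAK pattern: the handler is hooked for logged-out visitors (wp_ajax_nopriv_*), has no
 * nonce, and builds the path from untrusted input. A POST with
 * file_name=../../wp-config.php to /wp-admin/admin-ajax.php?action=qsm_demo_delete_weak
 * removes the site's database configuration.
 */
function qsm_demo_delete_file_weak() {
	$upload_dir = wp_upload_dir();
	$target     = $upload_dir['basedir'] . '/qsm_demo/' . $_POST['file_name'];
	if ( file_exists( $target ) ) {
		unlink( $target );
	}
	wp_send_json_success();
}
add_action( 'wp_ajax_qsm_demo_delete_weak', 'qsm_demo_delete_file_weak' );
add_action( 'wp_ajax_nopriv_qsm_demo_delete_weak', 'qsm_demo_delete_file_weak' );

/**
 * HARDENED pattern: a nonce bound to the caller, a capability check, and a path that
 * is confined to the quiz upload directory after canonicalisation.
 */
function qsm_demo_delete_file_safe() {
	// Dies with "-1" unless $_POST['nonce'] was minted for this user by
	// wp_create_nonce( 'qsm_demo_delete_file' ) and embedded in the quiz page.
	check_ajax_referer( 'qsm_demo_delete_file', 'nonce' );

	if ( ! current_user_can( 'edit_posts' ) ) {
		wp_send_json_error( 'Forbidden', 403 );
	}

	$upload_dir = wp_upload_dir();
	$base       = realpath( $upload_dir['basedir'] . '/qsm_demo' );

	// sanitize_file_name() strips path separators and leading dots; basename() is a
	// second guard so "../../wp-config.php" can only ever name a file inside $base.
	$name   = basename( sanitize_file_name( wp_unslash( $_POST['file_name'] ?? '' ) ) );
	$target = ( false !== $base && '' !== $name ) ? realpath( $base . '/' . $name ) : false;

	// realpath() resolves symlinks and ".." segments; the prefix check then rejects
	// anything that escaped the quiz directory or does not exist.
	if ( false === $target || 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR ) ) {
		wp_send_json_error( 'Invalid file', 400 );
	}

	wp_delete_file( $target );
	wp_send_json_success();
}
add_action( 'wp_ajax_qsm_demo_delete_file', 'qsm_demo_delete_file_safe' );
// Deliberately no wp_ajax_nopriv_ hook: admin-ajax.php answers anonymous callers with "0".
```

If the product genuinely needs anonymous quiz respondents to remove a file they just uploaded, the capability check above is too strict; the safer design in that case is to issue a random per-upload token when the file is stored and accept only that token on deletion, never a caller-supplied file name.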
More about the vulnerability
“If the wp-config.php file is deleted, WordPress assumes there is a fresh installation, at which point an attacker can establish a new database connection, gain access to the site and upload a webshell to ultimately achieve persistence or infect other sites in the same hosting account,” Chamberland told Threatpost.
Researchers discovered the flaws on July 17. After several unsuccessful attempts to contact the QSM plugin team, they reached ExpressTech, the plugin’s parent company, on Aug. 1. A patch was released in version 7.0.1 on Aug. 5. CVE assignments are still pending for both flaws, the researchers said.
“We highly recommend updating to version 7.0.1 immediately to keep your site protected against any attacks attempting to exploit this vulnerability,” the researchers said.