The Quiz And Survey Master for WordPress is vulnerable to authorization bypass due to a missing capability check on the function associated with the qsm_remove_file_fd_question AJAX action in versions up to, and including, 8.0.8. This makes it possible for unauthenticated attackers to delete arbitrary media files.
References
Link | Resource |
---|---|
https://packetstormsecurity.com/files/171011/wpqsm808-xsrf.txt | Not Applicable VDB Entry |
https://plugins.trac.wordpress.org/changeset/2834471/quiz-master-next | Patch |
https://wordpress.org/plugins/quiz-master-next/ | Product |
https://www.wordfence.com/threat-intel/vulnerabilities/id/68110321-db1a-4634-98cd-0afd3ec933b8?source=cve | Third Party Advisory |
Configurations
History
07 Nov 2023, 04:00
Type | Values Removed | Values Added |
---|---|---|
CWE |
14 Jun 2023, 02:24
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:expresstech:quiz_and_survey_master:*:*:*:*:*:wordpress:*:* | |
First Time |
Expresstech quiz And Survey Master
Expresstech |
|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.1 |
References | (MISC) https://www.wordfence.com/threat-intel/vulnerabilities/id/68110321-db1a-4634-98cd-0afd3ec933b8?source=cve - Third Party Advisory | |
References | (MISC) https://packetstormsecurity.com/files/171011/wpqsm808-xsrf.txt - Not Applicable, VDB Entry | |
References | (MISC) https://wordpress.org/plugins/quiz-master-next/ - Product | |
References | (MISC) https://plugins.trac.wordpress.org/changeset/2834471/quiz-master-next - Patch |
09 Jun 2023, 06:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-06-09 06:15
Updated : 2024-02-28 20:13
NVD link : CVE-2023-0291
Mitre link : CVE-2023-0291
CVE.ORG link : CVE-2023-0291
JSON object : View
Products Affected
expresstech
- quiz_and_survey_master
CWE
No CWE.