WordPress Plugin Vulnerability Report – Quiz And Survey Master – Multiple Cross-Site Request Forgery
Plugin Name: Quiz And Survey Master
Key Information:
- Software Type: Plugin
- Software Slug: quiz-master-next
- Software Status: Active
- Software Author: expresstech
- Software Downloads: 2,153,834
- Active Installs: 40,000
- Last Updated: November 8, 2023
- Patched Versions: 8.1.19
- Affected Versions: <= 8.1.18
Vulnerability Details:
- Name: Quiz And Survey Master <= 8.1.18 - Multiple Cross-Site Request Forgery
- Title: Multiple Cross-Site Request Forgery
- Type: Cross-Site Request Forgery (CSRF)
- CVSS Score: 5.4 (Medium)
- Publicly Published: November 8, 2023
- Description: The Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress plugin is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 8.1.18. This is due to missing or incorrect nonce validation on multiple functions. This makes it possible for unauthenticated attackers to show disabled contact fields and delete quiz results via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
Summary:
The Quiz And Survey Master plugin for WordPress has a vulnerability in versions up to and including 8.1.18 that allows unauthenticated attackers to perform sensitive actions via CSRF, provided they can trick a site administrator into following a crafted link. This vulnerability has been patched in version 8.1.19.
Detailed Overview:
The Quiz And Survey Master plugin, a popular quiz and survey builder for WordPress, contains multiple cross-site request forgery (CSRF) vulnerabilities due to missing or incorrect nonce validation in versions up to and including 8.1.18. As reported by Wordfence on November 8, 2023, this flaw allows remote unauthenticated attackers to trick administrators into clicking malicious links that can enable disabled contact fields or delete quiz results. While no specific exploit has been observed, the risks include exposure of private contact information or loss of quiz data. Users are strongly advised to update to version 8.1.19, which properly validates nonces on sensitive functions to prevent CSRF attacks. There are no official workarounds available short of upgrading.
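The pattern behind this class of bug and its fix, as an added example that is not the plugin's own code: a hypothetical admin-post handler that deletes a quiz result, shown first without nonce validation and then hardened with WordPress's nonce and capability checks. All yourprefix_* names, the action string and the table name are assumptions; the real plugin's functions and schema are not shown on this page.

```php
<?php
// Added example, not code from Quiz And Survey Master. All yourprefix_* names,
// the action string and the table name are assumptions.

// Hypothetical persistence helper; the real plugin's schema is not on this page.
function yourprefix_delete_result_row( $result_id ) {
    global $wpdb;
    $wpdb->delete( $wpdb->prefix . 'yourprefix_results',
                   array( 'result_id' => $result_id ), array( '%d' ) );
}

// Before: the handler acts on any request carrying the expected parameter.
// A logged-in administrator's browser attaches the session cookies
// automatically, so a request forged by another site is indistinguishable
// from a legitimate one. Nothing here proves the admin intended the action.
function yourprefix_delete_result_unsafe() {
    $result_id = absint( $_GET['result_id'] ?? 0 );
    yourprefix_delete_result_row( $result_id );
    wp_safe_redirect( admin_url( 'admin.php?page=yourprefix-results' ) );
    exit;
}

// After, step 1: the delete link is generated with a nonce bound to the
// action name and the specific result id. wp_nonce_url() appends _wpnonce,
// which is derived from the current user's session and the action string.
function yourprefix_delete_result_link( $result_id ) {
    $result_id = absint( $result_id );
    $url = admin_url( 'admin-post.php?action=yourprefix_delete_result&result_id=' . $result_id );
    return wp_nonce_url( $url, 'yourprefix_delete_result_' . $result_id );
}

// After, step 2: the handler checks authorization and the nonce before acting.
function yourprefix_delete_result_safe() {
    $result_id = absint( $_GET['result_id'] ?? 0 );

    // Capability check: nonces prove intent, not permission, so both are needed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to do this.', 'yourprefix' ), 403 );
    }

    // CSRF check: check_admin_referer() verifies _wpnonce against the action
    // string and stops execution if it is missing, stale or for another id.
    // A common "incorrect validation" mistake is calling wp_verify_nonce()
    // and ignoring its boolean return; check_admin_referer() cannot be ignored.
    check_admin_referer( 'yourprefix_delete_result_' . $result_id );

    yourprefix_delete_result_row( $result_id );
    wp_safe_redirect( admin_url( 'admin.php?page=yourprefix-results&deleted=1' ) );
    exit;
}

// Only the hardened handler is wired to the admin-post.php action hook.
add_action( 'admin_post_yourprefix_delete_result', 'yourprefix_delete_result_safe' );
```

The same two checks apply to the "show disabled contact fields" setting change described above; for AJAX endpoints the equivalent call is check_ajax_referer().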
Advice for Users:
- Immediate Action: Update to version 8.1.19 or higher as soon as possible.
- Check for Signs of Vulnerability: Review quiz and contact form settings for any unauthorized changes.
- Alternate Plugins: Consider alternative quiz plugins like WP Quiz Pro or Quiz Cat if unable to update immediately.
- Stay Updated: Enable automatic updates for plugins to get security fixes in a timely manner.
Conclusion:
The quick response by the developers to patch this CSRF vulnerability demonstrates their commitment to security. Users should install version 8.1.19 or later of Quiz And Survey Master to fully protect their WordPress sites.
References:
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/quiz-master-next
Detailed Report:
Keeping your WordPress website and its plugins up-to-date is crucial for maintaining a secure online presence. Unfortunately, a serious security vulnerability was recently disclosed in the popular Quiz And Survey Master plugin that affects over 40,000 active installs. Versions up to and including 8.1.18 contain multiple cross-site request forgery (CSRF) flaws that could let remote attackers trick administrators into taking unwanted actions like revealing private contact information or deleting quiz results.
While this specific vulnerability has been patched in version 8.1.19, it serves as an important reminder of the risks posed by outdated plugins. If you use Quiz And Survey Master or any other WordPress plugin, we strongly encourage you to run the latest versions. Our team of experts can help scan your site and ensure everything is up-to-date. Don't let your website be an easy target - proper security maintenance is essential. Contact us today if you need any assistance keeping your site safe.
Quiz And Survey Master is a widely used WordPress plugin for building quizzes, surveys, and other assessments. With over 2 million downloads and 40,000 active installs, it is a popular choice for adding interactive elements to websites.
Unfortunately, researchers recently discovered multiple cross-site request forgery (CSRF) vulnerabilities affecting Quiz And Survey Master versions up to and including 8.1.18. CSRF flaws allow attackers to trick authenticated users into unknowingly performing actions by getting them to click malicious links. In the case of Quiz And Survey Master, this could enable attackers to show disabled contact form fields or delete quiz results.
The risks of these vulnerabilities being exploited include disclosure of private contact information, loss of quiz data, and general disruption of website functions. While no specific attacks have been observed yet, the vulnerabilities are considered medium severity with a CVSS score of 5.4.
To mitigate the issue, users should update to version 8.1.19 or higher, which properly validates form submissions to prevent CSRF attacks. There are no official workarounds available short of upgrading. Be sure to enable automatic updates for plugins whenever possible to receive security fixes in a timely manner.
This is far from the first vulnerability found in Quiz And Survey Master. Since July 2015, researchers have reported over 35 previous flaws ranging from SQL injection to stored cross-site scripting. The regular discovery of security issues reinforces the importance of maintaining vigilance and promptly applying updates.
Security vulnerabilities like this one demonstrate the importance of having WordPress experts regularly monitor, maintain and update your site. At Your WP Guy, we offer ongoing management to handle updates, security monitoring, backups, uptime and support so you can stop worrying and get back to growing your business.
Let us fully audit your site to check for any signs of this vulnerability or other issues. We'll immediately update any out-of-date plugins and harden your site's security. Chat with us anytime during business hours, schedule a call or call 678-995-5169 to lock down your online presence.