Quiz and Survey Master (QSM) is a popular WordPress plugin used by website owners and content creators to design and publish quizzes, surveys, and polls on their websites. With over 50,000 active installations, it provides a versatile platform for gathering feedback and engaging users. However, a critical vulnerability, CVE-2024-10679, has been identified in the plugin that exposes WordPress sites to serious risk. The vulnerability is a Stored Cross-Site Scripting (XSS) flaw in the plugin's settings: a script saved there executes in the browser of a privileged user who views it, which an attacker can use to escalate privileges and create an admin account. The flaw is particularly dangerous because it lets a low-privileged user role, such as a contributor, gain full control over the WordPress site.

CVE: CVE-2024-10679
Plugin: Quiz and Survey Master (QSM) < 9.2.1
Criticality: High
All time: 2 727 566
Active installations: 50 000+
Publicly published: March 11, 2025
Last updated: March 11, 2025
Researcher: Dmitrii Ignatyev
OWASP Top 10: A7: Cross-Site Scripting (XSS)
PoC: Yes
Exploit: No
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-10679
https://wpscan.com/vulnerability/001391eb-f181-441d-b777-d9ce098ba143/

Timeline

October 14, 2024: Plugin testing and vulnerability detection in Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker were completed.
October 14, 2024: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing it.
March 11, 2025: CVE-2024-10679 registered.

Discovery of the Vulnerability

The vulnerability was discovered while testing the plugin’s settings and options. Specifically, the issue arises from the “Set a logo for Facebook sharing” custom field within the “Display” options of a new quiz. This field does not properly sanitize or validate the input provided by users, allowing for the injection of malicious JavaScript. When this field is used to insert a malicious script, the script is stored in the WordPress database and can be triggered whenever the quiz is viewed, potentially leading to privilege escalation. The flaw makes it possible for users with contributor-level access to inject scripts that execute when an admin or other privileged user views the quiz.

Understanding XSS attacks

Cross-Site Scripting (XSS) is one of the most common web vulnerabilities, especially in content management systems like WordPress. XSS allows attackers to inject malicious JavaScript code into web pages, which is then executed by other users’ browsers. In WordPress, XSS vulnerabilities are often exploited through user input fields that fail to sanitize or validate the input before it is displayed on the website. Real-world examples include incidents where malicious scripts were injected into form fields, allowing attackers to steal session cookies, hijack user accounts, or execute arbitrary code. CVE-2024-10679 is another example of this type of vulnerability, where attackers can escalate from a contributor role to an admin role by executing scripts stored within the quiz settings.

Exploiting the XSS Vulnerability

To exploit CVE-2024-10679, an attacker with contributor-level or higher privileges proceeds as follows.

PoC:

1) Create a new Quiz.
2) Add the first question.
3) Go to the "Display" options.
4) Change the custom field "Set a logo for Facebook sharing" to "<img src=x onerror=alert(1)>".
5) Go to http://127.0.0.1/wordpress/wp-admin/admin.php?page=qsm_quiz_tools and open the Log: the stored payload executes there.


The risks associated with CVE-2024-10679 are substantial, especially for sites that rely on QSM for quizzes and surveys. In a real-world scenario, an attacker could use this vulnerability to escalate from a low-level contributor role to a full admin account. Once the attacker has admin access, they can take control of the website, install malware, modify or delete content, and steal sensitive information. For example, an attacker could use this privilege escalation to compromise the website’s database, steal user data, or even destroy the site’s content. This vulnerability is particularly dangerous for websites that store sensitive user data, such as educational platforms, survey-based websites, or any site that uses QSM to engage with users.

Recommendations for Improved Security

Site owners should update the Quiz and Survey Master (QSM) plugin to the latest patched version (9.2.1 or later). Additionally, developers should ensure that all user input, especially values in fields like "Set a logo for Facebook sharing", is properly sanitized on save and escaped before being rendered on the page. Functions such as esc_html() and wp_kses() should be used to strip out any potentially harmful scripts. Site administrators should also restrict access to sensitive settings and only allow trusted users to modify quiz settings. Lastly, employing a Web Application Firewall (WAF) and conducting regular security audits can help detect and block XSS attacks before they are exploited. The vendor applied the prevention methods we recommended to fix this type of attack.
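The following is an added example, not code from Quiz and Survey Master, illustrating the sanitize-on-save, escape-on-output pattern described above (and the general XSS mechanism explained earlier on this page) for a stored "sharing logo" setting. The function and option names prefixed example_ are hypothetical; esc_url_raw(), esc_url(), esc_html(), wp_parse_url(), current_user_can(), update_option(), get_option() and WP_Error are real WordPress APIs.

```php
<?php
// Added example (not QSM's own code). Names prefixed example_ are hypothetical;
// the WordPress helpers used below are real.

// BEFORE (vulnerable pattern): a value typed by a contributor is stored and
// later echoed verbatim into HTML. A stored <img src=x onerror=...> then runs
// in the browser of every user who opens the page, including administrators.
function example_render_logo_unsafe( $logo ) {
    return '<meta property="og:image" content="' . $logo . '" />';
}

// AFTER, step 1: validate on save. Only users allowed to manage options may
// change the setting, and the value must be an http(s) URL with a host.
function example_save_logo( $raw_input ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'forbidden', 'Not allowed to change quiz settings.' );
    }
    // esc_url_raw() strips characters that cannot appear in a URL and drops
    // any scheme outside the allowed list (so javascript: never gets stored).
    $url = esc_url_raw( trim( (string) $raw_input ), array( 'http', 'https' ) );
    if ( '' === $url || empty( wp_parse_url( $url, PHP_URL_HOST ) ) ) {
        return new WP_Error( 'invalid_logo', 'The sharing logo must be an http(s) URL.' );
    }
    update_option( 'example_qsm_fb_logo', $url );
    return $url;
}

// AFTER, step 2: escape on output for the exact context the value lands in.
function example_render_logo_safe() {
    $logo = get_option( 'example_qsm_fb_logo', '' );
    if ( '' === $logo ) {
        return '';
    }
    // URL-in-attribute context: esc_url() keeps a stored value from closing
    // the quoted attribute or injecting a new tag.
    return '<meta property="og:image" content="' . esc_url( $logo ) . '" />';
}

// The same rule applies where the setting is shown back to staff, e.g. in an
// admin-side log or tools page (the place the PoC above triggers):
// text context, so esc_html().
function example_render_log_row_safe( $label, $value ) {
    return '<tr><td>' . esc_html( $label ) . '</td><td>' . esc_html( $value ) . '</td></tr>';
}
```

Escaping must match the output context: esc_url() for a src/href/content URL, esc_attr() for other attributes, esc_html() for text nodes, and wp_kses() only where limited HTML is genuinely intended. Validating on save is a second layer, not a replacement for escaping on output, because the same stored value can later be rendered in more than one place.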

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-10679, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.



Dmitrii I.
CVE-2024-10679 – Quiz and Survey Master (QSM) – Stored XSS to Admin Account Creation – POC
