The security of WordPress plugins matters more than ever. Quiz and Survey Master (QSM), a plugin with more than 100,000 active installations, was recently found to carry a stored cross-site scripting flaw. This article explains the vulnerability, who can exploit it, what it can lead to, and how to mitigate it.
| Field | Value |
| --- | --- |
| CVE | CVE-2024-6390 |
| Plugin | Quiz and Survey Master (QSM) < 9.1.0 |
| Severity | High |
| All-time downloads | 2 476 000 |
| Active installations | 100 000+ |
| Publicly published | July 15, 2024 |
| Last updated | July 15, 2024 |
| Researcher | Dmitrii Ignatyev |
| OWASP Top 10 | A7:2017 Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| References | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6390 ; https://wpscan.com/vulnerability/00586687-33c7-4d84-b606-0478b1063d24/ |
Timeline
| Date | Event |
| --- | --- |
| June 27, 2024 | Plugin testing and vulnerability detection in the Quiz and Survey Master (QSM) have been completed |
| June 27, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing it |
| July 15, 2024 | Registered CVE-2024-6390 |
Discovery of the Vulnerability
The vulnerability, catalogued under CVE-2024-6390, was identified during routine security testing of the plugin. Testing showed that an authenticated user with the Contributor role could store JavaScript in a quiz text label, a setting contributors routinely edit when building quizzes, and that the stored value was later rendered into the page without escaping, giving a stored cross-site scripting (XSS) condition.
Understanding Stored XSS attacks
Stored XSS is a dangerous type of attack where malicious scripts are injected into web pages viewed by other users. In WordPress, which powers a significant portion of the internet, the impact of such vulnerabilities can be extensive, affecting not just individual sites but also their visitors. Real-world examples include unauthorized admin account creation, data theft, and persistent phishing attacks, all stemming from seemingly benign locations like a quiz button.
Exploiting the Stored XSS Vulnerability
For CVE-2024-6390, exploitation starts when a contributor saves malicious JavaScript as the ‘Retake Quiz Button’ label in the QSM quiz settings. The label is stored as-is, so the attacker needs no further interaction with the site: once any user submits the quiz and moves the mouse over the Retake button, the script executes in that user's browser. This happens on every post or page where the quiz is embedded, and also in the editor preview, so ordinary visitors and administrators reviewing the content are both affected.
PoC:
Create or edit a quiz and, under Text > Labels > Retake Quiz Button, set the label to the following payload:
123" onmouseover=alert(1)//
Submit the quiz (as any user) on a page or post where it is embedded, or preview it, then move the mouse over the Retake button. The double quote in the payload closes the button's value attribute, so the remainder is parsed as an onmouseover attribute and alert(1) runs.
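To show why the payload works and what the fix looks like, here is an added example that is not QSM's own code: a simplified reconstruction of a button rendered from the saved label, once concatenated verbatim and once escaped with WordPress's esc_attr(). The markup, the function names and the way the label reaches the attribute are assumptions; the esc_attr() fallback only exists so the script runs outside WordPress, and the parsed-attribute check shows what a browser would actually attach to the element.

```php
<?php
// Added illustration, not Quiz and Survey Master's own code. The markup, the
// function names and the way the saved label reaches the attribute are
// assumptions chosen to reproduce the PoC's attribute break-out.

// Stand-alone fallback: inside WordPress, esc_attr() already exists and
// performs the same attribute encoding of quotes, angle brackets and ampersands.
if (!function_exists('esc_attr')) {
    function esc_attr($text)
    {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable pattern: the stored label is concatenated into the value attribute
// verbatim, so a double quote in the label terminates the attribute and the
// rest of the label is parsed as further attributes (here an event handler).
function render_retake_button_vulnerable($label)
{
    return '<input type="button" class="qsm-retake" value="' . $label . '">';
}

// Hardened pattern: escape at the point of output. The double quote becomes
// &quot; and the whole label, attacker-controlled or not, stays inside the value.
function render_retake_button_hardened($label)
{
    return '<input type="button" class="qsm-retake" value="' . esc_attr($label) . '">';
}

// Parse the markup the way a browser would and return the attributes it sees
// on the button, which is what decides whether a handler gets attached.
function attributes_seen_by_browser($html)
{
    $doc = new DOMDocument();
    // libxml warns about fragments; the @ only silences those warnings.
    @$doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    $input = $doc->getElementsByTagName('input')->item(0);
    $attrs = [];
    if ($input !== null) {
        foreach ($input->attributes as $attr) {
            $attrs[$attr->name] = $attr->value;
        }
    }
    return $attrs;
}

// Constructed input: the payload from the PoC above.
$label = '123" onmouseover=alert(1)//';

foreach (['vulnerable' => render_retake_button_vulnerable($label),
          'hardened'   => render_retake_button_hardened($label)] as $variant => $html) {
    $attrs = attributes_seen_by_browser($html);
    printf("%-11s %s\n", $variant . ':', $html);
    printf("%-11s attributes: %s\n", '', implode(', ', array_keys($attrs)));
    printf("%-11s onmouseover attached: %s\n\n", '', isset($attrs['onmouseover']) ? 'yes' : 'no');
}
```

Run it with the PHP CLI (php ext/dom is needed for the parsed-attribute check). The point to take from it: the fix belongs at output time. Sanitizing on save with sanitize_text_field() is reasonable defense in depth, but it does not strip double quotes, so it would not have stopped this payload on its own.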
The risk is high because the injected script runs in the browser of whoever hovers the button, including an administrator previewing or viewing the page. Executing with an administrator's session, the script can drive the WordPress backend on the attacker's behalf, which opens the way to administrative account takeover, website defacement, complete site takeover and further spread of the XSS payload.
Recommendations for Improved Security
The immediate action is to update the QSM plugin to version 9.1.0 or later, which contains the fix. Beyond this one issue, site owners who maintain or review plugin code should check that every stored setting is escaped when it is rendered (esc_attr() for attribute values, esc_html() for text) rather than relying on sanitization at save time alone. A Content Security Policy (CSP) can limit the impact of XSS by restricting where executable script may come from; note that it only blocks an inline event handler such as the one in the PoC when script-src omits 'unsafe-inline', and a policy that allows 'unsafe-inline' would not have helped here.
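As an added example, not from the page or from the plugin, the following must-use plugin (file name wp-content/mu-plugins/csp.php and the exact policy are assumptions) sends a CSP from WordPress's send_headers hook, with the weak setting that would let the PoC run shown next to the corrected one.

```php
<?php
// Added example, not Quiz and Survey Master's or WordPress's own code.
// Drop into wp-content/mu-plugins/ (path assumed) so it loads on every request.

add_action('send_headers', function () {
    if (headers_sent()) {
        return;
    }

    // Weak: 'unsafe-inline' tells the browser to execute inline scripts and
    // inline event-handler attributes, so the onmouseover from the PoC would
    // still fire. This is the setting many sites end up with because it is the
    // quickest way to stop WordPress from breaking.
    // $policy = "default-src 'self'; script-src 'self' 'unsafe-inline'";

    // Corrected: without 'unsafe-inline' (and without 'unsafe-hashes') the
    // browser refuses inline event handlers and inline <script> blocks, so an
    // injected handler is blocked even where a plugin forgets to escape.
    // object-src 'none' and base-uri 'self' close two common XSS side channels.
    $policy = "default-src 'self'; script-src 'self'; object-src 'none'; "
            . "base-uri 'self'; frame-ancestors 'self'";

    // Deploy in Report-Only mode first: WordPress core, themes and other
    // plugins emit inline scripts that an enforced policy would also break.
    // Rename the header to Content-Security-Policy once the reports are clean.
    header('Content-Security-Policy-Report-Only: ' . $policy);
});
```

The CSP is a mitigation layer, not a replacement for the 9.1.0 update: it stops the script from executing but leaves the malicious label stored in the database.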
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-6390, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
ARTYOM K.