In today’s digital age, the security of web plugins is more critical than ever. The popular Quiz and Survey Master (QSM) plugin, trusted by over 40,000 installations, has recently been spotlighted for a severe security flaw. This article explores the nuances of this vulnerability, its implications, and provides a roadmap towards mitigation.

CVE: CVE-2024-6390
Plugin: Quiz and Survey Master (QSM) < 9.1.0
Critical: High
All Time: 2 476 000
Active installations: 100 000+
Publicly Published: July 15, 2024
Last Updated: July 15, 2024
Researcher: Dmitrii Ignatyev
OWASP TOP-10: A7: Cross-Site Scripting (XSS)
PoC: Yes
Exploit: No
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6390
https://wpscan.com/vulnerability/00586687-33c7-4d84-b606-0478b1063d24/
Plugin Security Certification by CleanTalk

Timeline

June 27, 2024: Plugin testing and vulnerability detection in the Quiz and Survey Master (QSM) have been completed
June 27, 2024: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
July 15, 2024: Registered CVE-2024-6390

Discovery of the Vulnerability

The vulnerability, catalogued under CVE-2024-6390, was identified during routine security testing aimed at enhancing the plugin’s robustness. Researchers discovered that it was possible to execute Stored Cross-Site Scripting (XSS) attacks by manipulating quiz settings, a feature widely used by contributors to create engaging content.

Understanding Stored XSS Attacks

Stored XSS is a dangerous type of attack where malicious scripts are injected into web pages viewed by other users. In WordPress, which powers a significant portion of the internet, the impact of such vulnerabilities can be extensive, affecting not just individual sites but also their visitors. Real-world examples include unauthorized admin account creation, data theft, and persistent phishing attacks, all stemming from seemingly benign locations like a quiz button.

Exploiting the Stored XSS Vulnerability

For CVE-2024-6390, exploitation occurs when a contributor inserts malicious JavaScript into the ‘Retake Quiz Button’ label within the QSM plugin’s settings. Once the quiz is taken and the button is hovered over, the malicious script executes. This can occur in any post or page where the quiz is embedded, affecting both unaware users and administrators who preview the content.

POC:

Create or edit a quiz and put the payload below in the Text > Labels > Retake Quiz Button setting: 123" onmouseover=alert(1)//

The XSS is triggered when moving the mouse over the Retake button after submitting the quiz (as any user) on a page or post where the quiz is embedded, or while previewing it.


The risk associated with this vulnerability is high due to the potential for administrative account takeover. Attackers can leverage this to gain unauthorized access to the backend of WordPress sites, potentially leading to further exploitation such as website defacement, complete site takeover, and further spread of XSS scripts.

Recommendations for Improved Security

Immediate actions include updating the QSM plugin to the latest version, as developers often patch such vulnerabilities swiftly upon discovery. Website administrators should regularly audit and sanitize input fields in all plugins to prevent similar vulnerabilities. Additionally, implementing Content Security Policy (CSP) headers can help mitigate the impact of XSS attacks by restricting sources of executable scripts.
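The following is an added example, not code from CleanTalk or from the QSM plugin, that shows why the PoC label above is dangerous and what "sanitize input fields" has to mean here. It renders the label into a hypothetical button attribute three ways (raw, after a tag-stripping sanitizer, and with attribute-context escaping equivalent to WordPress's esc_attr()) and uses Python's HTML parser to check which rendering ends up with an on* event-handler attribute.

```python
import html
from html.parser import HTMLParser

# Constructed sample: the label from the advisory's PoC, exactly as a
# contributor would store it. Note that it contains no HTML tags at all.
POC_LABEL = '123" onmouseover=alert(1)//'


def render_button_unescaped(label: str) -> str:
    """Vulnerable pattern (hypothetical template): the stored label is
    concatenated straight into a double-quoted attribute value."""
    return f'<input type="button" value="{label}" class="qsm-retake">'


def render_button_tags_stripped(label: str) -> str:
    """Still vulnerable: a sanitizer that only removes <...> elements leaves
    the attribute-closing quote untouched, so the breakout survives."""
    stripped = "".join(part.split(">", 1)[-1] for part in label.split("<"))
    return f'<input type="button" value="{stripped}" class="qsm-retake">'


def render_button_escaped(label: str) -> str:
    """Hardened: escape for the attribute context (what esc_attr() does in
    WordPress). The quote becomes &quot; and stays inside the value."""
    safe = html.escape(label, quote=True)
    return f'<input type="button" value="{safe}" class="qsm-retake">'


class _AttrCollector(HTMLParser):
    """Collects (name, value) pairs of every start tag the browser would see."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: list[tuple[str, str | None]] = []

    def handle_starttag(self, tag, attrs):
        self.attrs.extend((name.lower(), value) for name, value in attrs)


def parsed_attributes(markup: str) -> dict:
    """Parse the rendered markup and return its attributes as a dict."""
    collector = _AttrCollector()
    collector.feed(markup)
    return dict(collector.attrs)


def event_handler_attributes(markup: str) -> list[str]:
    """Detection check: names of on* attributes that the parser recognises.
    Any hit means the label escaped its attribute and became executable."""
    return [name for name in parsed_attributes(markup) if name.startswith("on")]
```

Only the escaped rendering keeps the whole label inside the value attribute; the tag-stripping variant shows why a tag-based filter is the wrong tool for this bug.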

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-6390, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.

#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #VeryHighVulnerability
