CVE-2024-8758 represents a serious vulnerability found in the Quiz and Survey Master (QSM) plugin, a popular WordPress plugin used to create quizzes and surveys, with over 50,000 installations. The flaw allows contributors to inject malicious JavaScript (JS) code into the plugin’s settings, leading to Stored Cross-Site Scripting (XSS) attacks. This can escalate into admin account takeover or the creation of persistent backdoors, enabling attackers to maintain long-term control over the WordPress site.

CVE: CVE-2024-8758
Plugin: Quiz and Survey Master (QSM) < 9.1.3
Critical: High
All Time: 63 620 343
Active installations: 50 000+
Publicly Published: September 14, 2024
Last Updated: September 14, 2024
Researcher: Dmitrii Ignatyev
OWASP TOP-10: A7: Cross-Site Scripting (XSS)
PoC: Yes
Exploit: No
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8758
https://wpscan.com/vulnerability/d74ecae2-3a1e-4fc7-9dd3-04cef631ecd9/

Timeline

September 2, 2024: Plugin testing and vulnerability detection in the Quiz and Survey Master (QSM) plugin have been completed.
September 2, 2024: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing.
September 14, 2024: Registered CVE-2024-8758.

Discovery of the Vulnerability

This vulnerability was discovered during routine security testing of the QSM plugin. It was found that the plugin’s “Custom field” in the “Advanced Settings” under the “Display” options is vulnerable to Stored XSS attacks. Specifically, the field does not properly sanitize user inputs, allowing contributors or editors to inject harmful scripts.

Understanding XSS attacks

Cross-Site Scripting (XSS) vulnerabilities are common in web applications and occur when user inputs are not properly sanitized, allowing attackers to inject malicious scripts. In WordPress, Stored XSS is particularly dangerous because the injected scripts are saved in the database and executed whenever someone interacts with the infected content.

In the case of CVE-2024-8758, the vulnerability allows contributors to insert JavaScript into a custom field, which is executed whenever an administrator reviews the quiz settings or logs. Once the script is executed, the attacker can hijack sessions, steal cookies, or create unauthorized admin accounts. Similar XSS vulnerabilities in WordPress plugins have led to account takeovers, data theft, and persistent backdoor creation, enabling attackers to maintain long-term access to the site.

Exploiting the XSS Vulnerability

To exploit CVE-2024-8758, an attacker with editor or contributor-level access creates a new quiz using the QSM plugin. They then inject a malicious payload such as:

POC:

1) Create a new Quiz.
2) Add the first question.
3) Go to the "Display" options.
4) Change the Custom field in "Advanced settings" to "<img src=x onerror=alert(1)>".
5) Go to http://127.0.0.1/wordpress/wp-admin/admin.php?page=qsm_quiz_tools and open the Log.


The risks associated with CVE-2024-8758 are significant. A successful exploit could allow attackers to hijack admin accounts, install backdoors, or manipulate site content. For high-traffic sites using QSM to manage quizzes or surveys, the damage could extend to data theft, customer information breaches, and even reputational harm.

In real-world scenarios, attackers could use this vulnerability to compromise e-commerce websites, manipulate quiz results, or distribute malware. The creation of persistent backdoors enables attackers to maintain access to the site, making it difficult for site administrators to detect and remove the threat.

Recommendations for Improved Security

To mitigate the risks of CVE-2024-8758, WordPress administrators should update the Quiz and Survey Master plugin to the latest version as soon as a patch is released. Developers must implement proper input sanitization to ensure that fields like the “Custom field” in the “Advanced Settings” cannot accept unfiltered JavaScript or HTML.

Additionally, site administrators should review user roles and permissions, limiting the ability of contributors and editors to insert unfiltered HTML or JavaScript. Installing security plugins that monitor and block XSS attacks can provide an extra layer of protection. Regular security audits and plugin updates are essential to prevent future vulnerabilities.
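The two recommendations above (developers sanitizing the "Custom field", administrators restricting who may submit unfiltered markup) are shown together in the added example below. It is not QSM's own code and not the vendor's patch: the function names, the `example_qsm_custom_field` option key, the `custom_field` POST parameter and the nonce action are assumptions chosen for illustration. The WordPress API calls themselves (`sanitize_text_field`, `wp_kses_post`, `esc_html`, `current_user_can`, `check_admin_referer`, `wp_unslash`, `get_option`, `update_option`, the `map_meta_cap` filter) are real.

```php
<?php
/**
 * Added example, not part of the QSM plugin or its fix.
 * Shows the vulnerable "store verbatim, echo verbatim" pattern next to a
 * hardened version, plus an administrator-side hook that withholds the
 * unfiltered_html capability from non-administrators.
 * All function/option/parameter names below are hypothetical.
 */

/* ---- BEFORE: the pattern that produces a Stored XSS ------------------ */

// A contributor's submitted value is written to the database unchanged,
// so a payload like <img src=x onerror=...> is stored as-is.
function example_save_custom_field_vulnerable() {
    $value = isset( $_POST['custom_field'] ) ? wp_unslash( $_POST['custom_field'] ) : '';
    update_option( 'example_qsm_custom_field', $value ); // no sanitization
}

// The stored value is later echoed into an admin-only page (here standing
// in for the quiz tools Log), where the markup executes in the admin's browser.
function example_render_custom_field_vulnerable() {
    echo get_option( 'example_qsm_custom_field', '' ); // no output escaping
}

/* ---- AFTER: sanitize on input, escape on output --------------------- */

function example_save_custom_field_hardened() {
    // Capability and nonce checks: only a user allowed to edit content, on a
    // form WordPress issued, may reach the write.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'example_qsm_save_display', 'example_qsm_nonce' );

    $raw = isset( $_POST['custom_field'] ) ? wp_unslash( $_POST['custom_field'] ) : '';

    // A display label needs no markup at all, so strip every tag.
    // If a setting genuinely must carry limited HTML, use wp_kses_post()
    // instead: it keeps a whitelist of tags/attributes and drops on* event
    // handlers, <script> and javascript: URLs.
    $clean = sanitize_text_field( $raw );

    update_option( 'example_qsm_custom_field', $clean );
}

function example_render_custom_field_hardened() {
    $value = get_option( 'example_qsm_custom_field', '' );
    // Second line of defence: even a value that was stored unsanitized
    // (for instance before the fix was deployed) is rendered as inert text.
    // Use esc_attr() inside HTML attributes and esc_url() for links.
    echo esc_html( $value );
}

/* ---- Administrator hardening (mu-plugin or theme functions.php) ------ */

// Deny unfiltered_html to everyone except users who can manage options,
// so contributors and editors always pass through the kses filters,
// whatever individual plugins do with their own fields.
add_filter( 'map_meta_cap', function ( $caps, $cap, $user_id ) {
    if ( 'unfiltered_html' === $cap && ! user_can( $user_id, 'manage_options' ) ) {
        $caps = array( 'do_not_allow' );
    }
    return $caps;
}, 10, 3 );
```

Site owners who would rather disable unfiltered HTML for every role, administrators included, can set the core constant `DISALLOW_UNFILTERED_HTML` to `true` in `wp-config.php` instead of using the filter. Note that neither the filter nor the constant fixes a plugin that skips WordPress's sanitization helpers entirely, which is why the developer-side change (sanitize on save, escape on render) remains the primary fix.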

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-8758, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.

#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability


Dmitrii I.
CVE-2024-8758 – Quiz and Survey Master (QSM) – Stored XSS to Admin Account Creation – POC
