Security researchers have discovered a major vulnerability in the popular WordPress plugin ExpressTech Quiz and Survey Master (QSM) <= 7.3.4, which has been assigned the Common Vulnerabilities and Exposures (CVE) Identifier CVE-2021-36863. This vulnerability is categorized as a stored Cross-Site Scripting (XSS) flaw that can allow an attacker to perform various malicious actions on vulnerable websites using this plugin. This post aims to provide an in-depth analysis of the vulnerability, how it can be exploited, and provide original references for further study. As a WordPress site owner or plugin user, being aware of this issue is crucial for ensuring the security of your website.

The Vulnerability: CVE-2021-36863

The CVE-2021-36863 vulnerability exists in the ExpressTech Quiz and Survey Master WordPress plugin, with versions up to and including 7.3.4 being affected. The vulnerability is classified as a stored Cross-Site Scripting (XSS) flaw that allows an attacker to execute arbitrary scripts in the context of an authenticated user. The attack can be carried out by auth. (contributor+) WordPress user.

When this vulnerability is exploited, an attacker can perform actions like stealing sensitive user data, defacing websites, or even taking control of the vulnerable WordPress site.

Exploit Details

To exploit this vulnerability, an attacker must first be authenticated on the WordPress site as a contributor or a higher-level user. Next, the attacker crafts a malicious payload, which is then inserted into the QSM plugin's "quiz_name" or "quiz_description" fields during the quiz creation process.

Here is an example of a payload that can exploit the vulnerability and display a JavaScript alert


Once the malicious payload is saved, any user visiting either the "quizzes list" or "quiz edit" pages will have the script executed in their browser. This can lead to the attacker gaining unauthorized access and control of the user's account or other harmful consequences.

It is worth noting that the vulnerability allows an attacker to store the malicious script payload in the WordPress site's database and execute it when specific conditions are met. In other words, the payload remains dormant until it gets triggered by a user action, making the attack hard to detect and mitigate.

Original References

The vulnerability was discovered and responsibly disclosed by researchers at WPScan, an organization specializing in WordPress security. They have published a detailed blog post and vulnerability database entry with additional information about this issue.

For more details on the vulnerability and the research process behind it, you can read the original blog post by WPScan here:

The vulnerability database entry can be found at:

Conclusion and Mitigation

If you are using the ExpressTech Quiz and Survey Master plugin on your WordPress site, it is critical to update the plugin immediately to a version higher than 7.3.4 to protect yourself from this vulnerability. The developers of the QSM plugin have already released a patch to fix this issue in version 7.3.5 and onwards. Make sure to test the update and apply it on your live environment to ensure the security of your website and user data.

As a best practice, always keep your WordPress core, themes, and plugins up-to-date as well as implement robust security measures to defend your site against potential vulnerabilities and attacks.


Published on: 10/28/2022 16:15:00 UTC
Last modified on: 10/28/2022 18:45:00 UTC