In the world of WordPress plugins, security bugs can spell trouble fast. One such issue is CVE-2021-36864, which is an authenticated reflected Cross-Site Scripting (XSS) vulnerability found in the popular Quiz And Survey Master plugin by ExpressTech for WordPress, versions up to and including 7.3.4.
If you run quizzes or surveys using this plugin and let editors or above access the backend, you need to understand this vulnerability, how it works, and fix it right away! Let's break it down with code examples, easy language, and direct links to the official advisories.
What is Reflected XSS?
Reflected XSS happens when a web application takes user-supplied input, typically from a URL parameter, and writes it straight back into the response page without escaping it. A crafted link therefore makes the victim's browser run attacker-chosen JavaScript in the context of the site and of the victim's session. Because WordPress marks its authentication cookies HttpOnly, the realistic payoff is not cookie theft but acting as the victim: the script runs inside a page that already holds valid nonces, so it can issue requests with the victim's privileges. Think "hack this admin," if the right target opens the link.
Where is the Bug in Quiz And Survey Master?
The ExpressTech Quiz And Survey Master plugin, a common WordPress extension for quizzes and surveys, echoes certain request parameters (for instance, the listpage parameter in its admin interfaces) back into the page without escaping them. The affected admin page is only reachable by users with at least the Editor role (usually someone who can edit posts and pages), which is why the bug is classed as authenticated: the victim must be logged in as an Editor or higher. The attacker does not need an account; they only need such a user to open a crafted link.
Whenever an Editor-or-above user is tricked into following that link, the injected JavaScript runs in their browser, inside their session, letting the attacker act as that user.
Here's what a classic vulnerable snippet might look like (simplified and representative; this is not the plugin's actual code):
// Part of admin page code in the plugin
$listpage = isset($_GET['listpage']) ? $_GET['listpage'] : '';
echo '<input type="hidden" name="listpage" value="' . $listpage . '">';
This code takes listpage straight from the query string and echoes it into an HTML attribute without escaping it, so any value containing a double quote can close the attribute and inject its own markup.
Let's say you send this crafted URL to a WordPress editor (the payload is URL-encoded, which is how a browser would send it anyway):
https://example.com/wp-admin/admin.php?page=qsm_quiz_list&listpage=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E
Decoded, the listpage value is "><img src=x onerror=alert(1)>. When the editor visits the link, the HTML output looks like:
<input type="hidden" name="listpage" value=""><img src=x onerror=alert(1)>">
The leading "> closes the hidden input, and the injected <img> has no valid source, so its onerror handler runs alert(1) the moment the page loads. No hovering or clicking is required. (A payload that merely adds an onmouseover attribute to the hidden input would not work here: hidden inputs are never rendered, so mouse events on them never fire.)
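If you want to know whether anyone has actually sent links like this at your site, the query string is right there in the web server's access log. The following script is an added example written for this article, not code from the plugin or from any advisory: it parses combined-format log lines, isolates requests to wp-admin/admin.php, and flags every listpage value that is not a plain page number, marking the ones that carry attribute break-out or event-handler characters. The log lines are constructed for the demo; the IPs, timestamps and function names are illustrative.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample access-log lines (combined log format). This is not real traffic:
# two benign requests and two attempts to inject into the listpage parameter.
SAMPLE_LOG = """\
203.0.113.5 - - [28/Oct/2022:18:15:00 +0000] "GET /wp-admin/admin.php?page=qsm_quiz_list&listpage=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [28/Oct/2022:18:16:03 +0000] "GET /wp-admin/admin.php?page=qsm_quiz_list&listpage=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 5200 "-" "Mozilla/5.0"
203.0.113.9 - - [28/Oct/2022:18:16:40 +0000] "GET /wp-admin/admin.php?page=qsm_quiz_list&listpage=%22onmouseover%3D%22alert(1) HTTP/1.1" 200 5180 "-" "Mozilla/5.0"
198.51.100.7 - - [28/Oct/2022:18:17:11 +0000] "GET /wp-admin/admin.php?page=qsm_quiz_list HTTP/1.1" 200 5100 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status from a combined-format line.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Characters that break out of a double-quoted attribute, or that start a tag or event handler.
BREAKOUT = re.compile(r'["\'<>]|\bon[a-z]+\s*=', re.IGNORECASE)


def decode_param(raw):
    """Decode once more after parse_qs so double-encoded payloads are also visible."""
    return unquote_plus(raw)


def find_listpage_xss_attempts(log_text, param="listpage"):
    """Return one dict per request whose `param` value is not a plain page number."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        target = urlsplit(m.group("target"))
        if not target.path.endswith("/wp-admin/admin.php"):
            continue  # the vulnerable page lives under admin.php
        values = parse_qs(target.query, keep_blank_values=True).get(param, [])
        for raw in values:
            value = decode_param(raw)
            # A page number is digits only. Anything else is anomalous, and quote,
            # tag or handler characters make it an outright injection attempt.
            if value.isdigit() and not BREAKOUT.search(value):
                continue
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": int(m.group("status")),
                "value": value,
                "breakout": bool(BREAKOUT.search(value)),
            })
    return hits


if __name__ == "__main__":
    for hit in find_listpage_xss_attempts(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} status={hit["status"]} listpage={hit["value"]!r}')
```

Run against real logs by reading the file into find_listpage_xss_attempts(); on the sample it reports the two requests from 203.0.113.9 and nothing for the benign ones. A 200 status on a flagged request means the server rendered the page; whether the script actually ran depends on whether the requester was a logged-in Editor or higher, which the access log alone cannot tell you, so correlate the IP and time with WordPress login activity.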
Who is at Risk?
- Authenticated Editors and higher: Only users with editor role or above can access the vulnerable admin page.
- Shared admin environments: If you work with multiple admins/editors, any one of them could be phished into running malicious code.
How to Patch It
Upgrade Immediately!
The fix shipped in Quiz And Survey Master version 7.3.5. Update to 7.3.5 or later:
- Update from Plugins > Installed Plugins in the WordPress dashboard, or download the latest release from the plugin's page in the WordPress plugin directory
For Developers:
If you're coding plugins, always escape output for the context it lands in. For a value inside a double-quoted HTML attribute, the WordPress function esc_attr() is the right call. Since listpage is a page number, it is also worth coercing it with absint() on the way in, so junk never reaches the template at all. The one-line fix for the snippet above:
echo '<input type="hidden" name="listpage" value="' . esc_attr($listpage) . '">';
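To make the difference between the three renderings concrete without a WordPress install, here is an added example (mine, not the plugin's code) that models the PHP behaviour in Python: the unescaped echo, the same line with attribute escaping, and a version that also validates the value as an integer. esc_attr() and absint() are Python stand-ins approximating the WordPress functions of the same names; the payload is the one from the exploit walkthrough above.

```python
import html

# The attribute break-out payload from the walkthrough (constructed for this example).
PAYLOAD = '"><img src=x onerror=alert(1)>'


def render_vulnerable(listpage):
    # Mirrors the unescaped PHP echo: the value lands raw inside the attribute.
    return '<input type="hidden" name="listpage" value="' + str(listpage) + '">'


def esc_attr(value):
    # Python stand-in for WordPress esc_attr(): encodes & < > " ' for an attribute context.
    return html.escape(str(value), quote=True)


def absint(value):
    # Approximation of WordPress absint(): a non-negative integer, 0 for anything unparseable.
    try:
        return abs(int(value))
    except (TypeError, ValueError):
        return 0


def render_escaped(listpage):
    # Output escaping alone: sufficient for a double-quoted attribute, but junk still flows through.
    return '<input type="hidden" name="listpage" value="' + esc_attr(listpage) + '">'


def render_hardened(listpage):
    # Validate on input (a page number must be an integer) and still escape on output.
    page = absint(listpage)
    return '<input type="hidden" name="listpage" value="' + esc_attr(page) + '">'


def attribute_breakout(markup):
    # Demo-only check: a second tag start means the payload escaped the attribute.
    return markup.count("<") > 1


if __name__ == "__main__":
    for render in (render_vulnerable, render_escaped, render_hardened):
        out = render(PAYLOAD)
        print(f"{render.__name__:18} breakout={attribute_breakout(out)!s:5} {out}")
```

Note that esc_attr() only protects a quoted attribute. If the template wrote value=<?php echo esc_attr($listpage); ?> with no quotes, a payload such as x onmouseover=alert(1) contains nothing esc_attr() touches and would simply become a new attribute, which is why the absint() step is worth keeping even though the escaping is correct.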
References
- WordFence Security Advisory — CVE-2021-36864
- NIST National Vulnerability Database - CVE-2021-36864
- WPScan Vulnerability Entry
Bottom Line
If you use the Quiz And Survey Master plugin on WordPress (v7.3.4 or earlier), update right away! This reflected XSS bug can let attackers target your editors or admins and potentially take over their accounts or steal important info. Always keep plugin versions up to date and escape all output in your custom code.
Timeline
Published on: 10/28/2022 18:15:00 UTC
Last modified on: 10/31/2022 17:20:00 UTC