CVE-2021-36865 is an Insecure Direct Object Reference (IDOR) vulnerability in the ExpressTech Quiz and Survey Master (QSM) WordPress plugin, affecting version 7.3.4 and below. It allows an attacker to modify the content of quizzes they are not authorized to edit, compromising the integrity of quizzes hosted on vulnerable WordPress sites.

In this post we analyse CVE-2021-36865, walk through a simplified sample of the vulnerable code, discuss realistic attack scenarios, and show how to fix affected installations.

Exploit Details

An Insecure Direct Object Reference (IDOR) vulnerability exists in the QSM plugin for WordPress that lets an attacker change the contents of a quiz. The root cause is a missing authorization check: the update handler takes a quiz ID straight from the request and writes to that quiz without verifying that the requester is permitted to edit it.

Here's a simplified code snippet illustrating the vulnerable pattern:

function qsm_update_quiz() {
  global $wpdb;

  $quiz_id = 0;
  if ( isset( $_POST['quiz_id'] ) ) {
    $quiz_id = intval( $_POST['quiz_id'] ); // attacker-controlled object reference
  }
  ...
  // No capability check, no nonce, and no check that the requester may edit $quiz_id
  if ( isset( $_POST['quiz_name'] ) && '' !== $_POST['quiz_name'] ) {
    $wpdb->update( $wpdb->prefix . 'mlw_quizzes', array( 'quiz_name' => $_POST['quiz_name'] ), array( 'quiz_id' => $quiz_id ) );
  }
}

As the snippet shows, anyone who can reach this handler can submit a POST request naming an arbitrary 'quiz_id' together with a new 'quiz_name'. The handler never checks that the requester is allowed to edit that particular quiz, so users who are not authorized to touch it can still rewrite its content.
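The following is an added example, not the QSM project's own code or its actual fix. It shows the same handler with the three checks the vulnerable version lacks: a nonce so cross-site requests cannot trigger the update, a capability check so only users who may manage content get through, and an object-level ownership check so a user can only edit quizzes they own (or is an administrator). The function name, the 'qsm_update_quiz' nonce action and the 'quiz_author_id' column are assumptions for illustration; 'current_user_can', 'check_admin_referer', 'get_current_user_id', 'sanitize_text_field' and '$wpdb->update' are standard WordPress APIs.

```php
<?php
// Added example: hardened version of the handler shown above.
// Not QSM's own code. Function name, nonce action and the quiz_author_id
// column are assumptions for illustration.

function qsm_update_quiz_hardened() {
    global $wpdb;

    // 1. CSRF protection: the request must carry a valid nonce for this action.
    check_admin_referer( 'qsm_update_quiz', 'qsm_nonce' );

    // 2. Capability check: only users allowed to edit content may continue.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    $quiz_id = isset( $_POST['quiz_id'] ) ? absint( $_POST['quiz_id'] ) : 0;
    if ( 0 === $quiz_id ) {
        wp_die( 'Missing quiz_id', '', array( 'response' => 400 ) );
    }

    // 3. Object-level authorization (the actual IDOR fix): the quiz must exist
    //    and, unless the requester is an administrator, must belong to them.
    //    quiz_author_id is an assumed column name.
    $owner = $wpdb->get_var( $wpdb->prepare(
        "SELECT quiz_author_id FROM {$wpdb->prefix}mlw_quizzes WHERE quiz_id = %d",
        $quiz_id
    ) );
    if ( null === $owner ) {
        wp_die( 'Quiz not found', '', array( 'response' => 404 ) );
    }
    if ( (int) $owner !== get_current_user_id() && ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to edit this quiz', '', array( 'response' => 403 ) );
    }

    // 4. Sanitize input and use explicit formats so the update is parameterized.
    if ( isset( $_POST['quiz_name'] ) && '' !== $_POST['quiz_name'] ) {
        $quiz_name = sanitize_text_field( wp_unslash( $_POST['quiz_name'] ) );
        $wpdb->update(
            $wpdb->prefix . 'mlw_quizzes',
            array( 'quiz_name' => $quiz_name ),
            array( 'quiz_id' => $quiz_id ),
            array( '%s' ),
            array( '%d' )
        );
    }
}
```

The capability check alone would not close the IDOR: a low-privileged user who legitimately owns one quiz would still be able to rename any other quiz by changing 'quiz_id'. The per-object ownership lookup in step 3 is what ties the request to a quiz the user is actually allowed to edit.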

This vulnerability can lead to several negative consequences, including the following:

1. Compromise of quiz content: attackers can alter quiz questions and answers, rendering quizzes useless or misleading. This damages the credibility of the affected site and erodes users' trust.

2. Unauthorized data access: an attacker who exploits the vulnerability may also be able to reach sensitive quiz data, such as respondent information and quiz results.

3. Phishing attacks: because quiz text is rendered to site visitors, an attacker can plant links or instructions in a quiz that redirect users to malicious websites or trick them into disclosing sensitive information.

Fixing the Vulnerability

To fix CVE-2021-36865, update the ExpressTech QSM plugin to the latest version. The vulnerability was fixed in version 7.3.5, which validates user permissions before allowing updates to quizzes.

To update from the WordPress dashboard:

1. Log in to the WordPress admin dashboard.

2. Open the installed plugin list (Plugins > Installed Plugins).

3. Search for 'Quiz and Survey Master' in the installed plugin list.

4. Check the currently installed version. If it is 7.3.4 or below, click 'Update Now' to update the plugin to the latest version available.
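For sites managed from the command line, or when checking many installs, the version can be read from the plugin's main file header instead of the dashboard. The following is an added example, not part of the original post or of the QSM project: it parses the 'Version:' header the way WordPress's own get_file_data() does and reports whether the install falls in the affected range. The plugin path 'quiz-master-next/mlw_quizmaster2.php' used in the usage comment is an assumption; adjust it to your install.

```php
<?php
// Added example: checks whether an installed QSM plugin is in the affected
// version range (<= 7.3.4). Not part of the QSM project.

const QSM_LAST_VULNERABLE = '7.3.4';

// Extract the "Version:" header from a plugin's main file, using the same
// regex and cleanup that WordPress's get_file_data() applies.
function qsm_read_plugin_version( string $header_text ): ?string {
    if ( preg_match( '/^[ \t\/*#@]*Version:(.*)$/mi', $header_text, $m ) ) {
        return trim( preg_replace( '/\s*(?:\*\/|\?>).*/', '', $m[1] ) );
    }
    return null;
}

function qsm_is_vulnerable( string $version ): bool {
    return version_compare( $version, QSM_LAST_VULNERABLE, '<=' );
}

// Usage:
//   php check-qsm.php /var/www/html/wp-content/plugins/quiz-master-next/mlw_quizmaster2.php
// (plugin path is an assumption; adjust to your install)
if ( PHP_SAPI === 'cli' ) {
    if ( isset( $argv[1] ) ) {
        // WordPress only reads the first 8 KiB of the file for header data.
        $header = file_get_contents( $argv[1], false, null, 0, 8192 );
        $source = $argv[1];
    } else {
        // Offline demonstration on a constructed header (not a real plugin file).
        $header = "<?php\n/**\n * Plugin Name: Quiz And Survey Master\n * Version: 7.3.4\n */\n";
        $source = 'constructed sample header';
    }

    $version = ( false !== $header ) ? qsm_read_plugin_version( $header ) : null;
    if ( null === $version ) {
        fwrite( STDERR, "Could not read a Version header from {$source}\n" );
        exit( 2 );
    }

    $vulnerable = qsm_is_vulnerable( $version );
    printf( "QSM %s (%s): %s\n", $version, $source,
        $vulnerable ? 'AFFECTED, update to 7.3.5 or later' : 'not affected' );
    exit( $vulnerable ? 1 : 0 );
}
```

The exit code (1 for affected, 0 for not affected, 2 if the header could not be read) makes the script usable from a fleet-wide loop or a monitoring job.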

Conclusion

CVE-2021-36865 is a significant security vulnerability in the popular ExpressTech Quiz and Survey Master WordPress plugin. This IDOR flaw allows attackers to modify quiz content on vulnerable WordPress sites. To remediate it, update the QSM plugin to version 7.3.5 or above, which resolves the issue by validating user permissions before quiz updates.

Timeline

Published on: 09/30/2022 19:15:00 UTC
Last modified on: 10/04/2022 18:28:00 UTC