CVE-2021-36898 - An In-Depth Analysis of the Authenticated SQL Injection Vulnerability in Quiz and Survey Master Plugin <= 7.3.4 on WordPress

The cyber threat landscape is constantly evolving, and one recently disclosed vulnerability that poses a significant risk to WordPress websites is CVE-2021-36898. This vulnerability affects the Quiz and Survey Master plugin, which is used by many website administrators to create engaging quizzes and surveys on their sites. In this article, we'll take a deep dive into this vulnerability, exploring its root cause, the surrounding context, and how it can be exploited by a malicious attacker.

The Vulnerability: Authenticated SQL Injection

CVE-2021-36898 is classified as an Authenticated SQL Injection (SQLi) vulnerability, targeting Quiz and Survey Master plugin versions 7.3.4 and below on WordPress-powered websites. This security issue allows an attacker with administrative access or author privileges to inject malicious SQL commands by manipulating plugin options. These injected commands could potentially lead to unauthorized data access, modification, or complete control of the affected website.

Original References

The vulnerability was disclosed by the researcher Pankaj Kumar (https://twitter.com/pank4jkumar), and a detailed write-up can be found here:

- WPScan Blog: https://wpscan.com/vulnerability/c6b24075-91e4-4bc2-8d42-800defa2855

Exploit Details & Code Snippet

In order to exploit this vulnerability, an attacker with administrative or author access must send a POST request to the vulnerable "quiz-master-next/options-validate.php" script with manipulated values in the "mlw_quiz_options" parameter. The code snippet below illustrates how the malicious SQL commands could be injected:

POST /wp-admin/admin-post.php HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded

action=qmn_options_form&mlw_quiz_options={"SQL_COMMAND_TO_BE_INJECTED"}

For instance, an attacker might inject the following SQL command to update the password of a specific user:

{"-1; UPDATE wp_users SET user_pass = MD5('new_password') WHERE ID = 1; --" : ""}

In this example, the SQL command modifies the password of the user with an ID of 1 to 'new_password'. As a result, the attacker would be able to log in as the first user of the WordPress site, potentially giving them full control over the website.

To protect your website from CVE-2021-36898, administrators are advised to

1. Update the Quiz and Survey Master plugin to the latest version (7.3.5 or higher), which contains the necessary fixes for this vulnerability. Plugin updates can be found here:

  - Quiz and Survey Master Plugin Homepage: https://wordpress.org/plugins/quiz-master-next/

2. Follow the principle of least privilege and grant only necessary privileges to users, limiting potential damage in case their accounts are compromised.

3. Monitor user activity and maintain strong, unique passwords for all user accounts to decrease the likelihood of unauthorized access.

Conclusion

CVE-2021-36898 is a critical authenticated SQL Injection vulnerability in Quiz and Survey Master plugin <= 7.3.4 on WordPress that could have severe consequences if left unpatched. By understanding the risks associated with this vulnerability and taking appropriate countermeasures, administrators can protect their WordPress-powered websites and user data from potential exploitation.

Timeline

Published on: 10/28/2022 18:15:00 UTC
Last modified on: 10/31/2022 17:22:00 UTC