If you run quizzes or surveys on your WordPress site using the popular Quiz And Survey Master (QSM) plugin, you might want to pay close attention. In 2021, security researchers uncovered a serious flaw: multiple Insecure Direct Object Reference (IDOR) vulnerabilities—tracked as CVE-2021-36906—in Quiz And Survey Master versions up to 7.3.6.
Let's break down what happened, why it was dangerous, and what you can do—using plain English and real-world examples you’ll want to see.
What’s an IDOR, Anyway?
IDOR, short for Insecure Direct Object Reference, is a weakness that lets users access or change data just by tweaking something like a URL, parameter, or form value—often without proper permission checks. Imagine if someone could see another quiz taker’s answers or even delete them by changing just a single number in the address bar. That’s an IDOR in action.
Versions Affected: Up to 7.3.6
Official plugin page: https://wordpress.org/plugins/quiz-master-next/
The Vulnerabilities: Where Did It Go Wrong?
The QSM plugin's backend didn’t properly check if the logged-in user had rights to access or manipulate certain quiz or survey entries, answer sheets, or user-submitted data. That meant ANY logged-in user—even with minimal privileges—could:
- Potentially alter or delete results
All you needed to do? Change an id value in a request to the WordPress server.
Example Attack: Reading Other People’s Quiz Answers
Say you’re logged in as a normal subscriber (not an admin) and request a submission like this:

```
https://example.com/wp-admin/admin-ajax.php?action=view_submission&id=102
```

If you change id=102 to id=101, you might get to see someone else’s answers—something you shouldn’t ever be able to do.
Pseudo-Code Snippet Showing the Problem

```php
<?php
// This is a simplification of the problematic logic: the handler looks up
// whatever id the caller supplies and returns it, without ever asking whether
// the caller is allowed to see that record.
global $wpdb;

$current_user  = wp_get_current_user();
$submission_id = $_GET['id'];

// No check that $submission_id belongs to $current_user, and no capability check!
// (The id is bound as an integer here only so the example is not also injectable;
// the IDOR is unchanged.)
$result = $wpdb->get_row(
    $wpdb->prepare( "SELECT * FROM qsm_submissions WHERE id = %d", $submission_id )
);

// Return result data to the caller...
```
The fix: Always check that the submission_id belongs to the current user _or_ that the user has proper roles/permissions (like admin).
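Here is what that fix looks like as a complete AJAX handler. This is an added example written for this article, not code from the QSM plugin; the action name, the nonce name, the `qsm_submissions` table and its `user_id` column are assumptions.

```php
<?php
// Added example (not the plugin's own code): an authorization-checked AJAX
// handler for viewing a single submission. The action name, nonce name,
// table name and the user_id column are assumptions for illustration.

add_action( 'wp_ajax_view_submission', 'example_view_submission' );

function example_view_submission() {
    global $wpdb;

    // 1. Require a valid nonce so the request originated from the plugin's own UI.
    check_ajax_referer( 'example_view_submission', 'nonce' );

    // 2. Require a logged-in user (wp_ajax_ hooks already imply this, but be explicit).
    $current_user_id = get_current_user_id();
    if ( 0 === $current_user_id ) {
        wp_send_json_error( 'not logged in', 401 );
    }

    // 3. Validate the identifier: a positive integer, never arbitrary text.
    $submission_id = isset( $_GET['id'] ) ? absint( $_GET['id'] ) : 0;
    if ( 0 === $submission_id ) {
        wp_send_json_error( 'invalid id', 400 );
    }

    // 4. Fetch with a prepared statement; the id is bound as an integer.
    $table = $wpdb->prefix . 'qsm_submissions';
    $row   = $wpdb->get_row(
        $wpdb->prepare( "SELECT * FROM {$table} WHERE id = %d", $submission_id )
    );

    // 5. The object-level check that was missing: the record must belong to the
    //    caller, or the caller must hold an admin-level capability. "Not found"
    //    and "not yours" get the same response so ids cannot be enumerated.
    $is_owner = $row && (int) $row->user_id === $current_user_id;
    $is_admin = current_user_can( 'manage_options' );
    if ( ! $row || ( ! $is_owner && ! $is_admin ) ) {
        wp_send_json_error( 'not found', 404 );
    }

    wp_send_json_success( $row );
}
```

The same pattern (nonce, capability, then ownership of the specific record) applies to the export endpoints: a per-request capability check is what turns an "admin-only" endpoint into one that is actually admin-only.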
Exploit Example: Downloading All Survey Responses
The plugin had backend AJAX endpoints intended only for admins to export CSV data. But a regular user could POST data to these endpoints and fetch others' responses. This lets attackers exfiltrate all quiz or survey data!
Proof-of-Concept cURL Exploit

```
curl 'https://example.com/wp-admin/admin-ajax.php' \
-d 'action=qsm_export_responses' \
-d 'quiz_id=1' \
-b 'wordpress_logged_in_[hash]=[your-cookie]'
```

On an unpatched site, this returns the full data set without any admin privileges.
Real-World Impact
If you’re running quizzes about medical symptoms, company security training, or even just fun trivia, exposing user responses can mean:
- Privacy violations: User emails, names, scores, or other PII leaked.
- Regulatory trouble: Fines or investigations if you collect any sensitive (e.g., health) information.
What Did the Developers Do?
The QSM developers quickly addressed these flaws in version 7.3.7:
- Proper authorization checks: Now, the plugin first checks—before showing results or exporting data—that the user is allowed to see or touch that info.
- Locked down endpoints: Export and view operations now need proper permissions (like being an admin).
- Limit user roles: Don’t give extra permissions to users unless needed.
- Audit WordPress: Use tools like WPScan to spot outdated plugins and known vulnerabilities.
References and More Reading
- Plugin Vulnerabilities Report
- NVD Entry: CVE-2021-36906
- QSM Change Log
- What is an IDOR? OWASP Guide
Wrap Up
CVE-2021-36906 is another reminder: even trusted plugins have flaws that are simple for attackers to exploit but easy for admins to miss. By updating today and keeping an eye on user permissions, you can keep your survey and quiz data safe from prying eyes.
Timeline
Published on: 11/03/2022 20:15:00 UTC
Last modified on: 11/04/2022 14:08:00 UTC