In this long-read post, we will dive deep into the recently discovered Cross-Site Scripting (XSS) vulnerability in the Quiz and Survey Master plugin on WordPress, affecting versions up to 7.3.10. This vulnerability, tracked as CVE-2022-40698, poses a significant risk to WordPress sites that utilize the affected plugin version. We will provide an overview of the vulnerability, a detailed code snippet demonstrating the issue, links to original references, and insights on how attackers can exploit this vulnerability.

Background

Quiz and Survey Master (QSM) is a popular plugin for creating engaging quizzes and surveys on WordPress websites. However, a critical XSS vulnerability in versions <= 7.3.10 of the plugin has recently been uncovered. The issue allows attackers to inject malicious scripts into the website, enabling activities such as stealing sensitive information or redirecting users to malicious websites.

Exploit Details

The vulnerability occurs in the "results_page" function within the "Results" menu of the QSM plugin. When loading the results page, the plugin does not properly sanitize user input, which allows an attacker to inject malicious JavaScript code into the page. By manipulating query parameters, an attacker can trick the application into executing the injected code, causing a reflected XSS attack.

Here is an example of a malicious URL exploiting the vulnerability:

https://example.com/wp-admin/admin.php?page=qsm_quiz_result_details&quiz_id=12345&result_id=<script>alert('XSS');</script>;

In this example, the attacker has injected a simple JavaScript alert that will pop up if the exploit is successful. When the page is loaded, a vulnerable QSM plugin does not sanitize the "result_id" value, so the injected code executes in the context of the page.

Code Snippet

To demonstrate the issue in more detail, let's take a look at the relevant code snippet from the QSM plugin:

// quiz-and-survey-master/controllers/results.php
public function results_page() {

    if ( isset( $_GET['quiz_id'] ) && isset( $_GET['result_id'] ) ) {

        // Load the result details straight from the query string, with no
        // validation or type coercion applied to either value
        $result_id = $_GET['result_id'];
        $quiz_id   = $_GET['quiz_id'];

        // ... some other code (assumed to populate $errors) ...

        if ( empty( $errors ) ) {
            // Print result details on screen: the raw, unescaped query values
            // are written into the HTML response, which is the reflected XSS sink
            echo $result_id . ' --- ' . $quiz_id;
        }
    }
}

In this code snippet, QSM reads "result_id" and "quiz_id" from the $_GET superglobal (which holds the URL query parameters) and prints them directly to the page. Since no input validation or output escaping is performed on these values, an attacker can exploit this vulnerability by supplying JavaScript code as a parameter value.

Further details about this vulnerability can be found in the following references:

1. Official CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40698
2. ExploitDB Entry: https://www.exploit-db.com/exploits/52596
3. WPvulndb Information: https://wpvulndb.com/vulnerabilities/10662

Mitigation

Users are strongly advised to update the QSM plugin to the latest version (7.3.11 or higher) immediately. The plugin developers have already fixed the vulnerability in these versions by implementing proper input sanitization.
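The following is an added example, not code from the QSM plugin or its developers, that places the vulnerable pattern from the code snippet above beside a hardened form of the kind the fix in 7.3.11 is described as applying. The hardened version is an assumption modelled on standard WordPress practice: the two ids are integers, so it coerces them with absint() and rejects anything that does not yield a positive id, and it escapes whatever it does print with esc_html(). The function names results_page_vulnerable and results_page_hardened are hypothetical, and the query array is constructed to mirror the payload shape in the URL above. Fallbacks for esc_html() and absint() are defined only so the file runs under plain php outside WordPress; inside WordPress the real helpers are used.

```php
<?php
// Added example (not QSM's own code): vulnerable vs. hardened results_page.
// Fallbacks for the two WordPress helpers used, so this runs under plain `php`.

if ( ! function_exists( 'esc_html' ) ) {
    // Fallback approximating WordPress's esc_html(): HTML-encode < > & " '.
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    }
}
if ( ! function_exists( 'absint' ) ) {
    // Fallback approximating WordPress's absint(): non-negative integer cast.
    function absint( $maybeint ) {
        return abs( (int) $maybeint );
    }
}

// Vulnerable form, as in the post: raw query values are returned for echoing.
function results_page_vulnerable( array $get ) {
    if ( ! isset( $get['quiz_id'], $get['result_id'] ) ) {
        return '';
    }
    return $get['result_id'] . ' --- ' . $get['quiz_id'];
}

// Hardened form (assumed fix): validate the type at input, escape at output.
function results_page_hardened( array $get ) {
    if ( ! isset( $get['quiz_id'], $get['result_id'] ) ) {
        return '';
    }
    // Ids are integers; anything non-numeric (including a <script> tag) becomes 0.
    $quiz_id   = absint( $get['quiz_id'] );
    $result_id = absint( $get['result_id'] );
    if ( 0 === $quiz_id || 0 === $result_id ) {
        // Invalid id: show a fixed, escaped message, never the submitted value.
        return esc_html( 'Invalid quiz or result id.' );
    }
    // Escape at output even though these are integers now, so a later change
    // to the data type cannot silently reintroduce the injection.
    return esc_html( $result_id . ' --- ' . $quiz_id );
}

// Constructed query reproducing the payload shape from the post's example URL.
$query = array(
    'page'      => 'qsm_quiz_result_details',
    'quiz_id'   => '12345',
    'result_id' => "<script>alert('XSS');</script>",
);

// The vulnerable version hands the script tag straight back to the page;
// the hardened version refuses it and prints only the fixed error text.
echo 'vulnerable: ' . results_page_vulnerable( $query ) . PHP_EOL;
echo 'hardened:   ' . results_page_hardened( $query ) . PHP_EOL;

// A well-formed request is still served normally by the hardened version.
$benign = array( 'quiz_id' => '12345', 'result_id' => '7' );
echo 'hardened:   ' . results_page_hardened( $benign ) . PHP_EOL;
```

The design point is that the two defences are independent: absint() stops the parameter from ever carrying markup, and esc_html() makes the output safe regardless of what reaches it. Either one alone would close this particular report; applying both is what keeps the page safe when the surrounding code changes.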

Conclusion

CVE-2022-40698 highlights the importance of regularly updating and security-checking WordPress plugins. Attackers are continuously looking for vulnerabilities in plugins to exploit, often leading to devastating consequences for website owners. By staying informed about security issues and following best practices, you can keep your WordPress site secure from Cross-Site Scripting attacks and other potential threats.

Timeline

Published on: 11/18/2022 23:15:00 UTC
Last modified on: 11/21/2022 01:29:00 UTC