[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"all-banners":3,"SkipToContent_34xgpJIRRkpiT6ls6jE4NHf7VpvQCQBEwi69exi4oT0":4,"FooterNav_JsYsxvLufb1W12aeknKZ89on0MD0bNDTiB5EYxyxmU":11,"FooterSocial_u16tCafBUeGMoDrdLfTINytP2JB5msc6iB3VDUutAoU":17,"vulnerability-10106":24},[],["Island",5],{"key":6,"params":7,"result":9},"SkipToContent_34xgpJIRRkpiT6ls6jE4NHf7VpvQCQBEwi69exi4oT0",{"props":8},"{}",{"head":10},{},["Island",12],{"key":13,"params":14,"result":15},"FooterNav_JsYsxvLufb1W12aeknKZ89on0MD0bNDTiB5EYxyxmU",{"props":8},{"head":16},{},["Island",18],{"key":19,"params":20,"result":22},"FooterSocial_u16tCafBUeGMoDrdLfTINytP2JB5msc6iB3VDUutAoU",{"props":21},"{\"text-color\":\"gray\"}",{"head":23},{},{"id":25,"detectable_with":26,"vuln_details":33,"vuln_id":49,"name":50,"published":51,"updated":34},10106,{"tool":27,"engine":30},{"id":28,"name":29},1,"Network Scanner",{"id":31,"name":32},3,"OpenVAS",{"id":25,"codename":34,"description":34,"severity":35,"risk_description":36,"public_description":37,"public_recommendation":38,"recommendation":34,"references":39,"cvssv3":41,"epss_score":42,"epss_percentile":43,"cve":44,"in_cisa_catalog":47,"date":48,"software_type":34,"vendor":34,"product":34,"ptt_exploit_capabilities":34},null,"critical","If a quiz contained a file upload which was configured to only accept .txt files, an executable PHP file could be uploaded by setting the Content-Type field to text/plain to bypass the plugin's weak checks. This meant that unauthenticated users could upload arbitrary files, including PHP files, to a site and achieve remote code execution when there was a quiz enabled on the site that allowed file uploads as a response. Additionally, Quiz and Survey Master provides file deletion functionality to remove any files that were uploaded during the quiz. The qsm_remove_file_fd_question function is registered with a regular AJAX action and a nopriv AJAX action. 
This meant that the function could be triggered by unauthenticated users, which is to be expected due to the quizzes not requiring authentication. Unfortunately, there were no checks when verifying that the file_url supplied for file deletion was from a quiz or survey upload, so any file could be supplied and subsequently removed. This made it possible for attackers to delete important files like a site's wp-config.php file. Successful exploitation would lead to complete site takeover and hosting account compromise amongst many other scenarios. Deleting the wp-config.php file would disable a site's database connection and allow an attacker to re-complete the installation procedures to connect their own database to a site's file system and regenerate a wp-config.php file. At that point they could use this access to infect other sites on the site's hosting account, or continue to use the site to infect site visitors.","The WordPress plugin Quiz And Survey Master is prone to multiple vulnerabilities.","Update to version 7.0.1 or later.",[40],"https://www.wordfence.com/blog/2020/08/critical-vulnerabilities-patched-in-quiz-and-survey-master-plugin/",9.9,0.58224,0.98181,[45,46],"CVE-2020-35949","CVE-2020-35951",false,"2021-01-01T00:00:00Z","NETSCAN-OPENVAS-1.3.6.1.4.1.25623.1.0.112813","WordPress Quiz And Survey Master Plugin \u003C 7.0.1 Multiple Vulnerabilities","2020-08-20T00:00:00Z"]