Quiz and Survey Master WordPress Plugin Cross-Site Request Forgery Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Quiz and Survey Master (QSM) WordPress plugin, affecting versions prior to 10.2.3. The vulnerability arises because the plugin does not implement CSRF protection when updating settings. This lack of validation could enable attackers to manipulate settings of a logged-in admin.

Impact

Exploitation of this vulnerability could lead to unauthorized changes in quiz templates, potentially allowing for the injection of malicious content.

Reproduction

To reproduce this vulnerability, send a POST request to 'wp-admin/admin-ajax.php' without a CSRF nonce. Include the 'action' parameter set to 'qsm_insert_quiz_template', along with the 'template_name', 'template_content', 'template_id', and 'template_type' parameters. The absence of a CSRF check will allow the request to be processed as if it were made by an authenticated user.

Remediation

Users are advised to update the Quiz and Survey Master WordPress plugin to version 10.2.3 or later.