Quiz and Survey Master Missing Authorization Vulnerability Allows Unauthorized Deletion of Quiz Results

Vulnerability

A vulnerability in the Quiz and Survey Master (QSM) WordPress plugin, in versions through 10.3.1, allows authenticated users with Subscriber-level access and above to delete quiz results. This issue arises from a missing capability check in the 'qsm_dashboard_delete_result' function, which could lead to unauthorized data loss.

Impact

Exploitation of this vulnerability allows for the unauthorized deletion of quiz results, potentially leading to data loss for users and administrators managing quiz content.

Reproduction

To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher sends a request to the 'qsm_dashboard_delete_result' endpoint. The request must include a valid nonce and the ID of the quiz result to be deleted. The nonce only verifies the request itself; it is not a permission check. Because the handler performs no authorization check, the deletion occurs even though the user may not have the necessary permissions to perform this action.

Remediation

Users are advised to update the Quiz and Survey Master plugin to version 10.3.2 or later, where this vulnerability has been patched.
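
For developers auditing their own AJAX handlers for the same class of bug, the following added example (not the plugin's code and not the vendor's patch) shows a nonce-only handler beside one that also checks a capability. The action names, the 'nonce' and 'result_id' request fields, the table name and the 'manage_options' capability are all hypothetical assumptions.

```php
<?php
// Added illustration; NOT the Quiz and Survey Master source.
// Hypothetical names: the actions, the 'nonce' / 'result_id' fields, the
// '{prefix}example_quiz_results' table and the 'manage_options' capability.

// wp_ajax_{action} hooks fire for ANY logged-in user, Subscribers included.
add_action( 'wp_ajax_example_delete_result_weak', 'example_delete_result_weak' );
add_action( 'wp_ajax_example_delete_result', 'example_delete_result' );

// Before: nonce only. The nonce ties the request to a session that was issued
// it (CSRF protection); it says nothing about the caller's role.
function example_delete_result_weak() {
	check_ajax_referer( 'example_delete_result', 'nonce' ); // dies on a bad nonce
	example_delete_row( example_requested_id() );
}

// After: nonce first, then an explicit capability check before touching data.
function example_delete_result() {
	check_ajax_referer( 'example_delete_result', 'nonce' );
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
	}
	example_delete_row( example_requested_id() );
}

// Read the target ID as a non-negative integer; 0 means "missing".
function example_requested_id() {
	return isset( $_POST['result_id'] ) ? absint( wp_unslash( $_POST['result_id'] ) ) : 0;
}

// Shared delete step; wp_send_json_* ends the request after responding.
function example_delete_row( $result_id ) {
	global $wpdb;
	if ( 0 === $result_id ) {
		wp_send_json_error( array( 'message' => 'Missing result ID.' ), 400 );
	}
	$deleted = $wpdb->delete(
		$wpdb->prefix . 'example_quiz_results',
		array( 'result_id' => $result_id ),
		array( '%d' )
	);
	if ( false === $deleted ) {
		wp_send_json_error( array( 'message' => 'Delete failed.' ), 500 );
	}
	wp_send_json_success( array( 'deleted' => (int) $deleted ) );
}
```

When reviewing a plugin, any wp_ajax_ callback that changes or deletes data and contains no current_user_can() call is a candidate for this issue.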

Added: Jan 6, 2026, 9:18 AM
Updated: Jan 6, 2026, 9:18 AM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 0.6
exploitability: 6.4
remediation: 7.7
relevance: 1.9
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.