A plugin designed to add quizzes and surveys to WordPress websites has patched two critical vulnerabilities. Both flaws can be exploited by remote, unauthenticated attackers to launch a range of attacks, including fully taking over vulnerable websites. The plugin, Quiz and Survey Master, is actively installed on over 30,000 websites.

The two critical flaws discovered by researchers are an arbitrary file-upload vulnerability, rated 10 out of 10 on the CVSS scale, and an unauthenticated arbitrary file-deletion vulnerability, rated 9.9 out of 10. A patch for both issues is available in version 7.0.1 of the plugin, said the Wordfence researchers who discovered the flaws, in a Thursday post.

“The unauthenticated arbitrary file-deletion vulnerability that was present in the plugin is pretty significant,” Chloe Chamberland, threat analyst with Wordfence, told Threatpost. “Any of the 30,000 sites running the plugin are subject to any file being deleted (granted they are running a vulnerable version), which includes the wp-config.php file, by unauthenticated site users.”

Both vulnerabilities stem from a feature in the plugin that lets site owners offer file uploads as a response type for a quiz or survey. For instance, if a website has a job-application questionnaire, the feature gives users the option to upload a PDF resume at the end. Researchers found that this feature was insecurely implemented: “The check to verify file type only looked at the…
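The two bug classes described above, a file-type check that can be satisfied by attacker-controlled input and a delete endpoint that accepts a path such as wp-config.php, are illustrated below as an added example. This is not the plugin's code or Wordfence's proof of concept; the article is cut off before it says what the plugin's check actually inspected, so the weak check shown here assumes, for illustration only, that the uploader's own Content-Type header is trusted. The hardened check enforces a single allowlisted extension plus the file's magic bytes, and the delete routine refuses any target that resolves outside the upload directory. All file names, directories and contents are constructed for the demo.

```python
import os
import tempfile

# Allowlisted extensions and the magic bytes each must begin with (constructed table).
ALLOWED_TYPES = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
}


def weak_is_allowed(filename, client_content_type):
    """Hypothetical weak check (assumption, not the plugin's real logic): it trusts
    the Content-Type the uploader sent. An attacker controls that header, so a
    file named shell.php is accepted as long as it claims to be a PDF."""
    return client_content_type in ("application/pdf", "image/png")


def strict_is_allowed(filename, data):
    """Hardened check: exactly one extension, taken from an allowlist, and the
    file contents must start with that type's magic bytes. Double extensions
    such as shell.php.pdf and files with no extension are rejected."""
    base = os.path.basename(filename)
    parts = base.split(".")
    if len(parts) != 2 or not parts[0]:
        return False
    ext = parts[1].lower()
    if ext not in ALLOWED_TYPES:
        return False
    return data.startswith(ALLOWED_TYPES[ext])


def delete_upload(upload_root, requested_name):
    """Delete a file only if, after resolving symlinks and '..', it lies inside
    upload_root. Raises ValueError for anything else, e.g. '../wp-config.php'.
    Returns the resolved path that was removed."""
    root = os.path.realpath(upload_root)
    target = os.path.realpath(os.path.join(root, requested_name))
    if target == root or os.path.commonpath([root, target]) != root:
        raise ValueError(f"refusing to delete outside upload root: {requested_name}")
    os.remove(target)
    return target


def demo_delete():
    """Constructed scenario: an uploads directory next to a fake wp-config.php.
    Returns (upload_was_deleted, config_survived_traversal_attempt)."""
    with tempfile.TemporaryDirectory() as site:
        config = os.path.join(site, "wp-config.php")
        uploads = os.path.join(site, "uploads")
        os.mkdir(uploads)
        with open(config, "w") as f:
            f.write("<?php // constructed stand-in for the real config\n")
        resume = os.path.join(uploads, "resume.pdf")
        with open(resume, "wb") as f:
            f.write(b"%PDF-1.4 constructed\n")
        delete_upload(uploads, "resume.pdf")          # legitimate: inside root
        try:
            delete_upload(uploads, "../wp-config.php")  # traversal: must be refused
            blocked = False
        except ValueError:
            blocked = True
        return (not os.path.exists(resume), blocked and os.path.exists(config))


if __name__ == "__main__":
    print("weak check accepts shell.php:", weak_is_allowed("shell.php", "application/pdf"))
    print("strict check accepts shell.php:", strict_is_allowed("shell.php", b"<?php phpinfo();"))
    print("strict check accepts real PDF:", strict_is_allowed("resume.pdf", b"%PDF-1.7\n"))
    print("delete demo (upload removed, config kept):", demo_delete())
```

The magic-byte test is a floor, not a complete defence: a polyglot file can carry a valid PDF header and still contain PHP, so the stored file should also be renamed to a server-chosen name and written to a directory the web server will not execute. The realpath-plus-commonpath containment is the part that matters for the deletion bug; checking the string for ".." alone misses symlinks and absolute paths.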
Critical Flaws in WordPress Quiz Plugin Allow Site Takeover (syndicated by govanguard, 2020-08-14)