CVE-2023-0291: The Quiz And Survey Master for WordPress is vulnerable to authorization bypass due to a missing capability check on the function associated with...

7.2 CVSS

Description

The Quiz And Survey Master for WordPress is vulnerable to authorization bypass due to a missing capability check on the function associated with the qsm_remove_file_fd_question AJAX action in versions up to, and including, 8.0.8. This makes it possible for unauthenticated attackers to delete arbitrary media files.

Classification

CVE ID: CVE-2023-0291

CVSS Base Severity: HIGH

CVSS Base Score: 7.2

Affected Products

Vendor: expresstech

Product: Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress

Exploit Prediction Scoring System (EPSS)

EPSS Score: 1.25% (probability of being exploited)

EPSS Percentile: 85.46% (share of scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-02-03 (date this score was calculated)

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/68110321-db1a-4634-98cd-0afd3ec933b8?source=cve
https://wordpress.org/plugins/quiz-master-next/
https://packetstormsecurity.com/files/171011/wpqsm808-xsrf.txt
https://plugins.trac.wordpress.org/changeset/2834471/quiz-master-next
