A plugin designed to add quizzes and surveys to WordPress websites has patched two critical vulnerabilities. The flaws can be exploited by remote, unauthenticated attackers to launch a range of attacks, including full takeover of vulnerable websites.
The plugin, Quiz and Survey Master, is actively installed on over 30,000 websites. The two critical flaws discovered by researchers include an arbitrary file-upload vulnerability, ranking 10 out of 10 on the CVSS scale; as well as an unauthenticated arbitrary file deletion error, ranking 9.9 out of 10. A patch is available for both issues in version 7.0.1 of the plugin, said the researchers with Wordfence who discovered the flaws, in a Thursday post.
“The unauthenticated arbitrary file-deletion vulnerability that was present in the plugin is pretty significant,” Chloe Chamberland, threat analyst with Wordfence, told Threatpost. “Any of the 30,000 sites running the plugin are subject to any file being deleted (granted they are running a vulnerable version), which includes the wp-config.php file, by unauthenticated site users.”
The two vulnerabilities stemmed from a feature in the plugin that enables site owners to implement file uploads as a response type for a quiz or survey. For instance, if a website has a job-application questionnaire, the feature gives users the option to upload a PDF resume at the end.
Researchers found that this feature was insecurely implemented: “The check to verify file type only looked at the ‘Content-Type’ field during an upload, which could be easily spoofed,” said researchers. “This meant that if a quiz contained a file upload which was configured to only accept .txt files, an executable PHP file could be uploaded by setting the ‘Content-Type’ field to ‘text/plain’ to bypass the plugin’s weak checks.”
In an example of a real-world attack, unauthenticated users could leverage this flaw by uploading malicious, arbitrary files, including PHP files. That would enable them to achieve remote code-execution, and ultimately, “this could lead to complete site takeover and hosting account-compromise, amongst many other scenarios,” said researchers.
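The pattern the researchers describe, a type check that trusts only the client-supplied Content-Type, is shown below next to a check that validates the extension against an allowlist and sniffs the bytes actually written to disk. This is an added illustration written for this article, not code from the Quiz and Survey Master plugin; the `qsm_demo_*` function names are hypothetical, while `wp_check_filetype_and_ext()` is a real WordPress core function.

```php
<?php
// Added illustration, not Quiz and Survey Master's code. Function names are hypothetical.

// Vulnerable pattern: $_FILES['f']['type'] is copied verbatim from the request's
// Content-Type, so a shell.php sent with "Content-Type: text/plain" passes when
// the quiz is configured to accept only .txt files.
function qsm_demo_weak_check(array $file, array $allowed_mimes): bool {
    return in_array($file['type'], $allowed_mimes, true);
}

// Hardened pattern. $file is one entry of $_FILES; $allowed is an
// extension => MIME map such as ['txt' => 'text/plain', 'pdf' => 'application/pdf'].
// Returns the random filename to store the upload under, or null to reject it.
function qsm_demo_strict_check(array $file, array $allowed): ?string {
    if (!isset($file['tmp_name'], $file['name']) || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }

    // Take the extension from the client filename but reject double extensions
    // such as resume.php.txt, which some servers still hand to the PHP handler.
    $parts = explode('.', basename($file['name']));
    if (count($parts) !== 2) {
        return null;
    }
    $ext = strtolower($parts[1]);
    if (!isset($allowed[$ext])) {
        return null;
    }

    // Determine the MIME type from the bytes on disk, never from $file['type'].
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $real  = $finfo->file($file['tmp_name']);
    if ($real !== $allowed[$ext]) {
        return null;
    }

    // Belt and braces: refuse anything carrying a PHP open tag regardless of type.
    $head = file_get_contents($file['tmp_name'], false, null, 0, 8192);
    if ($head === false || stripos($head, '<?php') !== false || stripos($head, '<?=') !== false) {
        return null;
    }

    // Let WordPress core cross-check extension and content as well when running
    // inside WordPress (the function does not exist outside it).
    if (function_exists('wp_check_filetype_and_ext')) {
        $wp = wp_check_filetype_and_ext($file['tmp_name'], $file['name'], $allowed);
        if (empty($wp['ext']) || empty($wp['type'])) {
            return null;
        }
    }

    // Store under a random name the attacker can neither choose nor predict.
    // The destination directory should additionally deny PHP execution
    // (for example via an .htaccess that turns the engine off, or by living outside the webroot).
    return bin2hex(random_bytes(16)) . '.' . $ext;
}
```

The strict check rejects the attack in the article at two independent points: the `.php` extension is not in the allowlist, and even a file renamed to `.txt` is refused once `finfo` reports `text/x-php` or the open-tag scan fires. The random storage name removes the attacker's ability to request the uploaded file by a name they chose.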
Meanwhile, the arbitrary file-deletion flaw exists within the plugin’s functionality for removing files that were uploaded during the quiz. Because the AJAX actions behind that functionality performed no authentication, an unauthenticated user could delete important files – including a website’s wp-config.php file. This core WordPress file holds the database connection details – the database name, username and password – that allow WordPress to store and retrieve data.
“If the wp-config.php file is deleted, WordPress assumes there is a fresh installation at which point an attacker can establish a new database connection, gain access to the site and upload a webshell to ultimately achieve persistence or infect other sites in the same hosting account,” Chamberland told Threatpost.
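Below is an added illustration of the two AJAX patterns at issue: a `nopriv` handler that deletes whatever path the client names, and a hardened handler that never accepts a path from the client at all. Quiz takers are legitimately anonymous, so the fix cannot simply require login; instead the upload step issues a random token bound to the saved file, and deletion requires that token plus a nonce and is confined to the quiz upload directory. This is not the Quiz and Survey Master plugin's code; the `demo_*` action and function names are hypothetical, while `check_ajax_referer()`, `set_transient()`, `wp_upload_dir()` and `wp_send_json_error()` are real WordPress core functions.

```php
<?php
// Added illustration, not Quiz and Survey Master's code. Action and function names are hypothetical.

// Vulnerable pattern: reachable by logged-out users via admin-ajax.php?action=demo_remove_file,
// with no nonce, no ownership check and no path confinement.
add_action('wp_ajax_nopriv_demo_remove_file', 'demo_remove_file_unsafe');
function demo_remove_file_unsafe() {
    $path = $_POST['file_path'];            // attacker supplies ../../wp-config.php
    if (file_exists($path)) {
        unlink($path);
    }
    wp_die();
}

// Hardened pattern, step 1: when an upload is saved, record its path under a random
// token and hand only the token back to the browser.
function demo_register_upload(string $saved_path): string {
    $token = bin2hex(random_bytes(32));
    set_transient('demo_upload_' . $token, $saved_path, HOUR_IN_SECONDS);
    return $token;
}

// Hardened pattern, step 2: deletion needs the token and a nonce, and the resolved
// path must sit inside the plugin's own upload directory.
add_action('wp_ajax_demo_remove_file', 'demo_remove_file_safe');
add_action('wp_ajax_nopriv_demo_remove_file', 'demo_remove_file_safe');
function demo_remove_file_safe() {
    check_ajax_referer('demo_remove_file', 'nonce');     // dies on a missing or bad nonce

    $token = isset($_POST['token']) ? sanitize_text_field(wp_unslash($_POST['token'])) : '';
    if (!preg_match('/^[a-f0-9]{64}$/', $token)) {
        wp_send_json_error('bad token', 400);
    }

    $path = get_transient('demo_upload_' . $token);
    if ($path === false) {
        wp_send_json_error('unknown upload', 404);
    }

    // Confine the path even though it came from our own store, not the client.
    $base = realpath(trailingslashit(wp_upload_dir()['basedir']) . 'demo-quiz-uploads');
    $real = realpath($path);
    if ($base === false || $real === false || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        wp_send_json_error('path outside upload directory', 403);
    }

    delete_transient('demo_upload_' . $token);
    if (is_file($real) && !unlink($real)) {
        wp_send_json_error('delete failed', 500);
    }
    wp_send_json_success();
}
```

Note that a WordPress nonce issued to a logged-out visitor is shared across anonymous sessions, so on its own it only limits cross-site abuse; the per-upload token is what ties a deletion to a specific file that the same visitor uploaded, and the `realpath()` confinement is what guarantees that wp-config.php can never be the target even if the stored path were somehow tampered with.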
Researchers discovered the flaws on July 17, and after various unsuccessful attempts to contact the QSM plugin team, finally reached out to the plugin’s parent company, ExpressTech on Aug. 1. A patch was released on Aug. 5 in version 7.0.1. The CVE assignments for both flaws are still pending, researchers said.
“We highly recommend updating to version 7.0.1 immediately to keep your site protected against any attacks attempting to exploit this vulnerability,” said researchers.
Threatpost has reached out to ExpressTech for further commentary.