CyberSec.Space Logo
Back to CVE Browser

CVE-2021-24221

HIGH
8.8
CVSS Severity Score
EPSS Score0.1360%
EPSS Percentile37.65th
PublishedApr 12, 2021
Last ModifiedNov 21, 2024

Vulnerability Description

The Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress plugin before 7.1.12 did not sanitise the result_id GET parameter on pages with the [qsm_result] shortcode without id attribute, concatenating it in a SQL statement and leading to an SQL injection. The lowest role allowed to use this shortcode in post or pages being author, such user could gain unauthorised access to the DBMS. If the shortcode (without the id attribute) is embed on a public page or post, then unauthenticated users could exploit the injection.

Affected Platforms (CPE)

πŸ“¦
Expresstech

Quiz And Survey Master

< 7.1.12

References & Advisories

πŸ”— https://plugins.trac.wordpress.org/changeset/2479603/
πŸ”— https://wpscan.com/vulnerability/3b52b25c-82a1-41c7-83ac-92e244f7c5ab
πŸ”— https://plugins.trac.wordpress.org/changeset/2479603/
πŸ”— https://wpscan.com/vulnerability/3b52b25c-82a1-41c7-83ac-92e244f7c5ab

Related Vulnerabilities

CVE-2020-3594910.0

An issue was discovered in the Quiz and Survey Master plugin before 7.0.1 for WordPress. It made it possible for unauthenticated a...

CVE-2020-359519.9

An issue was discovered in the Quiz and Survey Master plugin before 7.0.1 for WordPress. It allows users to delete arbitrary files...

CVE-2021-368987.5

Auth. SQL Injection (SQLi) vulnerability in Quiz And Survey Master plugin <= 7.3.4 on WordPress.

CVE-2019-175996.1

The quiz-master-next (aka Quiz And Survey Master) plugin before 6.3.5 for WordPress is affected by: Cross Site Scripting (XSS). Th...