CyberSec.Space Logo
返回 CVE 瀏覽器

CVE-2021-24221

HIGH
8.8
CVSS Severity Score
EPSS Score0.1360%
EPSS Percentile37.65th
Published2021年4月12日
Last Modified2024年11月21日

Vulnerability Description

The Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress plugin before 7.1.12 did not sanitise the result_id GET parameter on pages with the [qsm_result] shortcode without id attribute, concatenating it in a SQL statement and leading to an SQL injection. The lowest role allowed to use this shortcode in post or pages being author, such user could gain unauthorised access to the DBMS. If the shortcode (without the id attribute) is embed on a public page or post, then unauthenticated users could exploit the injection.

Affected Platforms (CPE)

📦
Expresstech

Quiz And Survey Master

< 7.1.12

References & Advisories

🔗 https://plugins.trac.wordpress.org/changeset/2479603/
🔗 https://wpscan.com/vulnerability/3b52b25c-82a1-41c7-83ac-92e244f7c5ab
🔗 https://plugins.trac.wordpress.org/changeset/2479603/
🔗 https://wpscan.com/vulnerability/3b52b25c-82a1-41c7-83ac-92e244f7c5ab

相關漏洞威脅

CVE-2020-3594910.0

An issue was discovered in the Quiz and Survey Master plugin before 7.0.1 for WordPress. It made it possible for unauthenticated a...

CVE-2020-359519.9

An issue was discovered in the Quiz and Survey Master plugin before 7.0.1 for WordPress. It allows users to delete arbitrary files...

CVE-2021-368987.5

Auth. SQL Injection (SQLi) vulnerability in Quiz And Survey Master plugin <= 7.3.4 on WordPress.

CVE-2019-175996.1

The quiz-master-next (aka Quiz And Survey Master) plugin before 6.3.5 for WordPress is affected by: Cross Site Scripting (XSS). Th...