CVE-2021-24221

Quiz And Survey Master < 7.1.12 - Authenticated SQL injection via shortcode

Severity Score

8.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress plugin before 7.1.12 did not sanitise the result_id GET parameter on pages with the [qsm_result] shortcode without id attribute, concatenating it in a SQL statement and leading to an SQL injection. The lowest role allowed to use this shortcode in post or pages being author, such user could gain unauthorised access to the DBMS. If the shortcode (without the id attribute) is embed on a public page or post, then unauthenticated users could exploit the injection.

El plugin Quiz And Survey Master â€“ Best Quiz, Exam and Survey Plugin for WordPress versiones anteriores a 7.1.12, no saneaba el parámetro GET result_id en las páginas con el shortcode [qsm_result] sin el atributo id, concatenando en una declaración SQL y conllevando a una inyección SQL. El rol más bajo permitido para usar este shortcode en publicaciones o páginas siendo autor, tal usuario podría conseguir acceso no autorizado al DBMS. Si el código abreviado (sin el atributo id) está insertado en una página o publicación pública, los usuarios no autenticados podrían explotar la inyección

*Credits: Nguyen Van Khanh - SunCSR (Sun* Cyber Security Research)

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-01-14 CVE Reserved
2021-03-26 CVE Published
2024-08-03 CVE Updated
2024-08-03 First Exploit
2024-12-28 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CAPEC

References (2)

URL	Tag	Source

URL	Date	SRC
https://wpscan.com/vulnerability/3b52b25c-82a1-41c7-83ac-92e244f7c5ab	2024-08-03

URL	Date	SRC
https://plugins.trac.wordpress.org/changeset/2479603	2023-11-07

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Expresstech Search vendor "Expresstech"		Quiz And Survey Master Search vendor "Expresstech" for product "Quiz And Survey Master"				< 7.1.12 Search vendor "Expresstech" for product "Quiz And Survey Master" and version " < 7.1.12"		wordpress		Affected