CVE-2023-0291

The Quiz And Survey Master for WordPress is vulnerable to authorization bypass due to a missing capability check on the function associated with the qsm_remove_file_fd_question AJAX action in versions up to, and including, 8.0.8. This makes it possible for unauthenticated attackers to delete arbitrary media files.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.2 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L
WordfenceCNA
7.2 HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 38%
VendorProductVersion
expresstechquiz_and_survey_master
𝑥
≤ 8.0.8
𝑥
= Vulnerable software versions
References
https://packetstormsecurity.com/files/171011/wpqsm808-xsrf.txt
https://plugins.trac.wordpress.org/changeset/2834471/quiz-master-next
https://wordpress.org/plugins/quiz-master-next/
https://www.wordfence.com/threat-intel/vulnerabilities/id/68110321-db1a-4634-98cd-0afd3ec933b8?source=cve
https://packetstormsecurity.com/files/171011/wpqsm808-xsrf.txt
https://plugins.trac.wordpress.org/changeset/2834471/quiz-master-next
https://wordpress.org/plugins/quiz-master-next/
https://www.wordfence.com/threat-intel/vulnerabilities/id/68110321-db1a-4634-98cd-0afd3ec933b8?source=cve