Fortinet Discovers WordPress Quiz And Survey Master Plugin Cross-Site Scripting Vulnerability
Fortinet's FortiGuard Labs has discovered a cross-site scripting (XSS) vulnerability in WordPress Quiz And Survey Master Plugin.
Wordpress Quiz plugin - Quiz and Survey Master is a popular plugin with over 30,000+ active installations. This plugin offers several customization and premium addons.
A stored cross-site scripting vulnerability exists in Quiz and Survey Master plugin (version 6.4.12 & below). The vulnerability exists in quiz creation module where a user with low privileges is allowed to execute arbitrary script code within the context of the application. This vulnerability is due to insufficient validation of text editor and correct answers parameter.
SolutionsFortiGuard Labs released the following FortiGate IPS signature which covers this specific vulnerability:
Released Jul 23, 2020
Update to the newest version 7.0.0.
Fortinet reported the vulnerability to QSM Team on July 13, 2020
QSM Team confirmed the vulnerability on July 22, 2020
QSM Team fixed the vulnerability on July 22, 2020
This vulnerability was discovered by Vishnupriya Ilango of Fortinet's FortiGuard Labs.