CVE-2021-24801 in WP Survey Plus Plugininfo

Summary

by MITRE • 11/08/2021

The WP Survey Plus WordPress plugin through 1.0 does not have any authorisation and CSRF checks in place in its AJAX actions, allowing any user to call them and add/edit/delete Surveys. Furthermore, due to the lack of sanitization in the Surveys' Title, this could also lead to Stored Cross-Site Scripting issues

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 11/11/2021

The WP Survey Plus WordPress plugin version 1.0 contains critical security vulnerabilities that stem from insufficient authorization controls and cross-site request forgery protections within its application programming interface endpoints. This vulnerability affects the plugin's ajax actions which are designed to handle survey management operations including creation, modification, and deletion of survey content. The absence of proper authentication checks means that any authenticated user regardless of their role permissions can exploit these endpoints to perform administrative functions without proper authorization. This represents a fundamental flaw in the plugin's security architecture that directly violates established security principles for web application development.

The technical implementation of the vulnerability manifests through the lack of CSRF token validation in the affected AJAX endpoints, combined with missing authorization checks that should verify user privileges before executing survey management operations. Additionally, the plugin fails to properly sanitize survey title inputs, creating a stored cross-site scripting vulnerability that allows malicious actors to inject malicious scripts into survey titles. When these titles are rendered in the user interface, the stored scripts execute in the context of other users' browsers, potentially enabling session hijacking, data theft, or further exploitation. This vulnerability directly maps to CWE-352 for Cross-Site Request Forgery and CWE-79 for Cross-Site Scripting, both of which are classified as high-risk security issues in the Common Weakness Enumeration catalog.

The operational impact of this vulnerability extends beyond simple privilege escalation as it creates a persistent threat vector that can be exploited by attackers to compromise the entire survey system. Any user who can access the WordPress admin area can leverage these flaws to modify or delete surveys, potentially disrupting business operations or gaining unauthorized access to sensitive survey data. The stored XSS component amplifies the risk by allowing attackers to inject malicious payloads that can persist across user sessions, making the vulnerability particularly dangerous for environments where surveys contain confidential information. This attack pattern aligns with ATT&CK technique T1078 for Valid Accounts and T1531 for Account Access Removal, as the vulnerability enables unauthorized access and modification of system resources.

Mitigation strategies should include immediate implementation of proper authorization checks and CSRF token validation for all AJAX endpoints within the plugin. The plugin developers must implement input sanitization and output escaping for all survey title fields to prevent stored XSS attacks. Additionally, role-based access controls should be enforced to ensure that only users with appropriate permissions can execute survey management functions. Organizations should also implement network-level monitoring to detect suspicious AJAX activity patterns and consider applying temporary patches or disabling the plugin until proper security updates are implemented. The vulnerability demonstrates the critical importance of following secure coding practices and adhering to security standards such as those defined in the OWASP Top Ten and NIST guidelines for web application security.

Reservation

01/14/2021

Disclosure

11/08/2021

Moderation

accepted

CPE

ready

EPSS

0.00435

KEV

no

Activities

very low

Sector

Education

Sources

Want to know what is going to be exploited?

We predict KEV entries!