CVE-2024-6879 in Quiz and Survey Master Plugin
Summary
by MITRE • 08/26/2024
The Quiz and Survey Master (QSM) WordPress plugin before 9.1.1 fails to validate and escape certain Quiz fields before displaying them on a page or post where the Quiz is embedded, which could allow contributor and above roles to perform Stored Cross-Site Scripting (XSS) attacks.
Analysis
by VulDB Data Team • 03/12/2025
The Quiz and Survey Master plugin for WordPress represents a widely used tool for creating interactive quizzes and surveys within web applications. This particular vulnerability affects versions prior to 9.1.1 and specifically targets the plugin's handling of quiz field data. The security flaw stems from inadequate input validation and output escaping mechanisms within the plugin's codebase, creating a persistent vector for malicious actors to inject harmful scripts into quiz content. The vulnerability is particularly concerning because it affects user roles with contributor privileges and above, meaning that even users who do not have full administrative access can exploit this weakness to compromise the integrity of quiz displays.
The technical implementation of this vulnerability involves the plugin's failure to properly sanitize user-supplied data before rendering it within HTML contexts on web pages. When quiz creators input content into various fields such as question text, answer options, or quiz settings, the plugin does not adequately escape these values before displaying them to end users. This creates a classic stored cross-site scripting scenario where malicious payloads can be permanently stored within the plugin's database and subsequently executed whenever the quiz content is rendered. The flaw operates at the application layer and can be exploited through the WordPress admin interface where quiz content is managed, allowing attackers to inject JavaScript code that will execute in the browsers of visitors who view the affected quiz.
The operational impact of this vulnerability extends beyond simple data theft or defacement, as it can enable more sophisticated attacks such as session hijacking, credential theft, or redirection to malicious sites. An attacker with contributor privileges or higher can craft malicious quiz content that, when viewed by other users, executes arbitrary JavaScript code in their browsers. This could lead to unauthorized access to user accounts, data exfiltration, or the deployment of additional malware through the compromised quiz displays. The stored nature of the vulnerability means that the malicious code persists even after the initial injection, making it particularly dangerous for long-running quizzes or surveys that are frequently accessed by multiple users. The vulnerability affects not just the quiz creators but also all users who interact with the quiz content, creating a broad attack surface that can impact entire WordPress installations.
Mitigation strategies for this vulnerability should focus on immediate remediation through the plugin update to version 9.1.1 or later, which contains the necessary patches to address the input validation and output escaping deficiencies. Administrators should conduct thorough audits of existing quiz content to identify and remove any potentially malicious payloads that may have been injected prior to the patch deployment. Additional defensive measures include implementing content security policies to limit script execution, restricting user privileges to prevent unauthorized access to quiz creation features, and monitoring for suspicious activity in the plugin's data handling processes. The vulnerability aligns with CWE-79, which describes cross-site scripting flaws, and represents a clear violation of the principle of least privilege as defined in the ATT&CK framework under the technique of privilege escalation through web application vulnerabilities. Organizations should also consider implementing web application firewalls and regular security scanning to detect similar issues in other plugins or custom code implementations.
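The content audit recommended above can be sketched as a scanner over exported quiz field values. This is an added example, not code from the plugin or from this advisory; the row layout, field names and sample values are constructed assumptions, and it also checks an entity-decoded copy of each value on the assumption that stored text may be decoded before rendering.

```python
import html
from html.parser import HTMLParser

# Elements that run or load active content; flagged for manual review.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "base", "meta"}
URL_ATTRS = {"href", "src", "action", "formaction", "data", "xlink:href"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:text/html")

class _MarkupFinder(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"active tag <{tag}>")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRS and value:
                # Drop whitespace/control characters, which browsers tolerate in a scheme.
                compact = "".join(c for c in value if c > " ").lower()
                if compact.startswith(SCRIPT_SCHEMES):
                    self.findings.append(f"script URL in {name} on <{tag}>")

def scan_value(value):
    """Return de-duplicated findings for one stored field value."""
    found = []
    raw = value or ""
    # Second pass on an entity-decoded copy (assumption: text may be decoded at render time).
    for text in dict.fromkeys([raw, html.unescape(raw)]):
        parser = _MarkupFinder()
        parser.feed(text)
        parser.close()
        for finding in parser.findings:
            if finding not in found:
                found.append(finding)
    return found

def audit_rows(rows):
    """rows: iterable of (record_id, field_name, value) from a database export."""
    return [(rid, field, f) for rid, field, value in rows for f in scan_value(value)]

# Constructed sample export; record ids and field names are hypothetical.
SAMPLE_ROWS = [
    (1, "question_text", "What is 2 + 2?"),
    (2, "question_text", '<p>Pick one</p><img src="x.png" onerror="alert(1)">'),
    (3, "answer", '<a href="java&#x09;script:alert(1)">hint</a>'),
    (4, "quiz_name", "&lt;script&gt;alert(1)&lt;/script&gt;"),
    (5, "answer", "<b>Bold</b> and <em>fine</em>, 1 < 2"),
]
```

Findings are review flags rather than verdicts: a flagged record should be inspected and cleaned by hand, and an empty report does not replace updating to 9.1.1 or later.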