CVE-2023-0291 allows attackers to delete all uploaded WordPress media files

Patches have been issued for a high-severity security vulnerability in Quiz and Survey Master, a WordPress plugin with 40,000 installations, that can be weaponized to delete media from the WordPress instance.

Quiz and Survey Master is billed as the easiest WordPress quiz plugin for creating engaging content that drives traffic and increases user engagement, covering everything from viral quizzes, trivia quizzes, and customer satisfaction surveys to employee surveys.

“The plugin offers the ajax action “qsm_remove_file_fd_question” to unauthenticated users which accepts a “media_id” parameter pointing to any item uploaded through WordPress’ media upload functionality. However, this “media_id” is afterward used in a forced wp_delete_attachment() call ultimately deleting the media from the WordPress instance,” the researcher explained in the report.

“Successful exploits can allow an unauthenticated attacker to delete any (and all) uploaded WordPress media files.”

Researcher Julien Ahrens from RCE Security has been credited with discovering and reporting the vulnerability on January 13. It has been assigned the identifier CVE-2023-0291 (CVSS score: 7.5). The issue impacts Quiz And Survey Master 8.0.8 and below.

An attacker just sends a simple POST request to the vulnerable website to delete a media file. The following Proof-of-Concept would delete the uploaded media with the ID “1”:

POST /wp-admin/admin-ajax.php HTTP/2
Host: localhost
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Content-Type: application/x-www-form-urlencoded
Content-Length: 44

action=qsm_remove_file_fd_question&media_id=1

Another flaw tracked as CVE-2023-0292 (CVSS score: 6.5) affecting Quiz And Survey Master 8.0.8 and below is described as a cross-site request forgery vulnerability that allows attackers to delete uploaded media contents.
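
The two flaws described above come down to a deletion handler with no authentication, authorization, or anti-CSRF check. The following is an added example of a hardened WordPress AJAX handler, not the plugin's actual code or its patch. The action name, handler name, and nonce action are hypothetical, and it assumes only logged-in users with delete rights on the attachment may remove it.

```php
<?php
// Added example, not the plugin's code. 'example_remove_uploaded_file' and
// the nonce action 'example_remove_file' are hypothetical names.

// Register for logged-in users only. An action "offered to unauthenticated
// users" corresponds to a wp_ajax_nopriv_* hook; none is registered here.
add_action( 'wp_ajax_example_remove_uploaded_file', 'example_remove_uploaded_file' );

function example_remove_uploaded_file() {
    // Anti-CSRF (the CVE-2023-0292 class): require a nonce the page emitted
    // with wp_create_nonce( 'example_remove_file' ). Passing false as the
    // third argument returns false instead of dying, so JSON can be sent.
    if ( ! check_ajax_referer( 'example_remove_file', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce' ), 403 );
    }

    // Normalise the client-supplied ID to a non-negative integer.
    $media_id = isset( $_POST['media_id'] ) ? absint( wp_unslash( $_POST['media_id'] ) ) : 0;

    // Refuse anything that is not an existing attachment.
    if ( ! $media_id || 'attachment' !== get_post_type( $media_id ) ) {
        wp_send_json_error( array( 'message' => 'Unknown attachment' ), 404 );
    }

    // Authorization (the CVE-2023-0291 class): the caller must be allowed
    // to delete this specific attachment, not merely be logged in.
    if ( ! current_user_can( 'delete_post', $media_id ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed' ), 403 );
    }

    // Forced deletion (second argument true skips the trash) happens only
    // after every check above has passed.
    if ( ! wp_delete_attachment( $media_id, true ) ) {
        wp_send_json_error( array( 'message' => 'Delete failed' ), 500 );
    }

    wp_send_json_success( array( 'deleted' => $media_id ) );
}
```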

The authors of the plugin released security updates to address CVE-2023-0291 and CVE-2023-0292 in the following days or weeks, so both problems have now been fixed, and those running the latest available version are no longer vulnerable.

Users of the Quiz and Survey Master plugin are advised to update to version 8.0.10 to mitigate any potential exploitation.