WP-Pro-Quiz <= 0.37 - CSRF Leading to Arbitrary Quiz Deletion



Description
By abusing this Cross-Site Request Forgery (CSRF) issue, an unauthenticated attacker could make a logged-in admin delete any quiz on a vulnerable website.

Proof of Concept
The PoC will be displayed once the issue has been remediated.

Affects Plugin

No known fix - plugin closed

References

URL https://medium.com/@hoanhp/0-days-story-1-wp-pro-quiz-2115dd77a6d4

Classification

Type CSRF
CWE CWE-352

Miscellaneous

Original Researcher HoanHP
Submitter hoan
Submitter Twitter HoanHP
Views 752
Verified No
WPVDB ID 10278

Timeline

Publicly Published 2020-06-22
Added 2020-06-22
Last Updated 2020-06-23
