Platform: wordpress
Component: quiz-master-next
Fixed in: 9.0.2
CVE-2024-3592 is a critical SQL Injection vulnerability affecting the Quiz And Survey Master WordPress plugin. This vulnerability allows authenticated attackers with contributor-level access or higher to inject malicious SQL queries, potentially leading to data breaches. The vulnerability impacts versions up to and including 9.0.1. A patch is available, and users are strongly advised to upgrade immediately.
The SQL Injection vulnerability in Quiz And Survey Master allows attackers to manipulate database queries. An attacker could leverage this to extract sensitive information such as user credentials, quiz answers, survey results, and other stored data. Successful exploitation could lead to complete compromise of the WordPress site's database. The impact is amplified by the plugin's common use in educational and survey-based websites, which often handle Personally Identifiable Information (PII). While the vulnerability requires contributor-level access, this is a relatively low privilege level on many WordPress installations, making it accessible to a wider range of potential attackers.
CVE-2024-3592 was publicly disclosed on June 7, 2024. There are currently no known public exploits or active campaigns targeting this vulnerability, and it is not listed in the CISA KEV catalog at the time of writing. The recent disclosure means exploitation, if any, is likely in its early stages, but the critical severity and low exploitation complexity warrant immediate attention.
Exploit Status
EPSS: 0.57% (69th percentile)
The primary mitigation is to upgrade the Quiz And Survey Master plugin to a version that addresses the SQL Injection vulnerability. If immediate upgrading is not possible due to compatibility issues or breaking changes, implement a Web Application Firewall (WAF) rule to filter potentially malicious SQL queries targeting the 'question_id' parameter. Additionally, carefully review and sanitize all user inputs within the plugin's code, ensuring proper escaping and parameterization of SQL queries. After upgrading, confirm the fix by attempting a SQL injection attack on the vulnerable endpoint and verifying that the attack is blocked.
Update the Quiz And Survey Master plugin to the latest available version. The SQL Injection vulnerability has been fixed in versions later than 9.0.1.
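As an added example of the WAF/monitoring mitigation described above (not code from the advisory or the plugin), the check below treats question_id as an allowlisted positive integer and flags any request whose query string carries anything else. The combined access-log format, the integer assumption, and the sample lines are mine.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined access-log format (assumed): ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# Allowlist: a quiz question_id is a WordPress row ID, so only a positive integer is valid.
INT_RE = re.compile(r"^[1-9][0-9]*$")


def suspicious_question_ids(request_path):
    """Return every question_id value in the query string that is not a positive integer."""
    params = parse_qs(urlsplit(request_path).query, keep_blank_values=True)
    return [v for v in params.get("question_id", []) if not INT_RE.match(v)]


def scan_access_log(lines):
    """Return (client_ip, offending_value) for each request carrying a bad question_id.

    Only the query string is visible in an access log; a question_id sent in a POST
    body has to be checked at the WAF or in the application, not here. In a real
    deployment, also restrict the check to the plugin's own endpoints.
    """
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not a parseable request line
        client_ip, _method, path, _status = match.groups()
        for value in suspicious_question_ids(path):
            findings.append((client_ip, value))
    return findings


# Constructed sample traffic, not real logs. The percent-encoded value decodes to 42' OR 1=1.
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Jun/2024:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?question_id=42 HTTP/1.1" 200 512',
    '203.0.113.5 - - [07/Jun/2024:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?question_id=42%27%20OR%201%3D1 HTTP/1.1" 200 7183',
    '198.51.100.9 - - [07/Jun/2024:10:00:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 300',
    '198.51.100.9 - - [07/Jun/2024:10:00:04 +0000] "GET /wp-admin/admin-ajax.php?question_id=abc&question_id=7 HTTP/1.1" 200 300',
    "malformed line that the parser should skip",
]

if __name__ == "__main__":
    for client_ip, value in scan_access_log(SAMPLE_LOG):
        print(f"flag {client_ip}: question_id={value!r}")
```

The same integer allowlist is what a WAF rule on the question_id parameter should enforce; rejecting non-integers is more robust than trying to pattern-match SQL keywords.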
CVE-2024-3592 is a critical SQL Injection vulnerability in the Quiz And Survey Master WordPress plugin, allowing attackers to extract data with contributor access.
You are affected if you are using Quiz And Survey Master version 9.0.1 or earlier. Immediate action is required.
Upgrade to the latest version of the Quiz And Survey Master plugin. If upgrading is not immediately possible, implement a WAF rule to filter malicious SQL queries.
There are currently no confirmed reports of active exploitation, but the vulnerability's severity warrants immediate attention and mitigation.
Check the Quiz And Survey Master plugin developer's website and WordPress plugin repository for the official advisory and update information.