Platform
wordpress
Component
quiz-master-next
Fixed in
9.0.2
CVE-2024-3592 is a SQL injection vulnerability in the Quiz And Survey Master WordPress plugin (directory slug quiz-master-next). An authenticated user with the Contributor role or higher can append attacker-controlled SQL to an existing database query. All versions up to and including 9.0.1 are affected; the fix shipped in 9.0.2, and users are advised to upgrade immediately.
Because the injected SQL runs with the privileges of the WordPress database user, an attacker can read anything that user can read: user records and password hashes from wp_users, quiz questions and answers, survey responses, and any other data stored in the same database. The plugin is commonly deployed on educational and survey sites, which frequently store Personally Identifiable Information (PII), so the practical impact is broader than the plugin's own tables. The Contributor role is a low bar: it is the default level handed to guest authors and self-registered users on many sites, and account registration plus an unrelated credential leak is enough to obtain it.
CVE-2024-3592 was publicly disclosed on June 7, 2024. At the time of writing there are no known public exploits or active campaigns targeting it, and it is not listed in the CISA KEV catalog. The absence of reports does not make the issue safe to defer: an authenticated SQL injection with a documented parameter name is straightforward to weaponize once the patch has been diffed.
Sites running the Quiz And Survey Master plugin are at risk, particularly those that hold sensitive respondent data or allow open registration with Contributor-level access. Educational institutions, online survey platforms, and businesses that use the plugin for assessments and exams should treat this as a priority.
• wordpress: report the installed version with WP-CLI and compare it with the fixed release, 9.0.2
wp plugin get quiz-master-next --field=version
• wordpress: list the plugin with its activation status and version (an inactive copy still needs updating before it is reactivated)
wp plugin list --name=quiz-master-next --fields=name,status,version
• wordpress (no WP-CLI): read the Version field from the plugin header on disk
grep -rh "Version:" /var/www/html/wp-content/plugins/quiz-master-next/*.php | head -1
• generic web: check the plugin's page in the WordPress plugin directory and the vendor's changelog for the advisory and the 9.0.2 release notes.
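The version check above is easy to get wrong when done by string comparison ("9.0.10" sorts before "9.0.2" lexically). The following added example, written for this page rather than taken from the plugin or its vendor, parses a WordPress plugin header, turns the version into a comparable tuple, and reports whether the install falls in the affected range (<= 9.0.1). The sample header is constructed; the WP-CLI wrapper assumes `wp` is on PATH and a site at `/var/www/html`.

```python
import re
import subprocess
from typing import Optional, Tuple

PLUGIN_SLUG = "quiz-master-next"   # directory name of Quiz And Survey Master
FIXED_VERSION = "9.0.2"            # from the advisory: <= 9.0.1 is affected


def parse_version(ver: str) -> Tuple[int, ...]:
    """Turn '9.0.1', '9.0', or '9.0.1-beta' into a tuple of ints.

    A non-numeric suffix is dropped and missing fields count as 0, so
    '9.0' == '9.0.0' and '9.0.10' > '9.0.2' (a plain string compare gets
    that last case wrong).
    """
    core = re.match(r"\d+(?:\.\d+)*", ver.strip())
    if not core:
        raise ValueError(f"unparseable version: {ver!r}")
    parts = [int(p) for p in core.group(0).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is older than the first fixed release."""
    return parse_version(installed) < parse_version(fixed)


def header_version(plugin_file_text: str) -> Optional[str]:
    """Extract the 'Version:' field from a WordPress plugin file header."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", plugin_file_text, re.MULTILINE)
    return m.group(1) if m else None


def installed_version_via_wpcli(site_path: str = "/var/www/html") -> str:
    """Ask WP-CLI for the installed version (assumes `wp` is installed)."""
    out = subprocess.run(
        ["wp", "plugin", "get", PLUGIN_SLUG, "--field=version", f"--path={site_path}"],
        capture_output=True, text=True, check=True,
    )
    return out.stdout.strip()


# Constructed sample header for offline use; not a file from the real plugin.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Quiz And Survey Master
 * Version: 9.0.1
 */
"""

if __name__ == "__main__":
    v = header_version(SAMPLE_HEADER)
    print(f"{PLUGIN_SLUG} {v}: {'AFFECTED' if is_affected(v) else 'patched'}")
```

Swap `SAMPLE_HEADER` for the contents of the plugin's main file, or call `installed_version_via_wpcli()`, to check a live site.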
Exploit Status
disclosure
EPSS
0.57% (69th percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade Quiz And Survey Master to 9.0.2 or later. If the upgrade must wait because of compatibility testing, add a Web Application Firewall (WAF) rule that restricts the 'question_id' parameter to an unsigned integer and rejects anything else; an allowlist on the expected type is more reliable than a blocklist of SQL keywords, which is easy to bypass with encoding or comment tricks. Since exploitation requires a Contributor account, also review who holds that role and disable open registration if it is not needed. Developers maintaining forks or custom code built on the plugin should route every value that reaches a query through $wpdb->prepare() with the correct placeholder (%d for identifiers such as question_id) rather than concatenating it into the SQL string. After upgrading, confirm the fix with an authorized test against the vulnerable endpoint (a non-numeric or injected question_id) and verify that the request no longer alters the query.
Update the Quiz And Survey Master plugin to the latest available version. The SQL injection vulnerability is fixed in 9.0.2 and later; every release up to and including 9.0.1 is affected.
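To make the two halves of the mitigation concrete, the following added example (written for this page, not code from the plugin or its vendor) uses an in-memory SQLite table as a stand-in for a quiz question table. It shows the concatenation anti-pattern leaking every row when `question_id` carries `1 OR 1=1`, the type-checked and parameterized lookup that refuses the same input, and the allowlist rule a WAF would apply to the `question_id` parameter. The table schema, the sample rows and the sample requests are all constructed for the demonstration.

```python
import re
import sqlite3
from typing import List, Tuple
from urllib.parse import parse_qs

# question_id is an unsigned integer; anything else is rejected outright.
INT_ONLY = re.compile(r"\d{1,10}")


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for a quiz question table (not the plugin's real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE questions (question_id INTEGER PRIMARY KEY, quiz_id INTEGER, question_name TEXT)"
    )
    conn.executemany(
        "INSERT INTO questions VALUES (?, ?, ?)",
        [(1, 10, "Capital of France?"), (2, 10, "A prime number?"), (3, 11, "Unpublished exam question")],
    )
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, question_id: str) -> List[Tuple[int, str]]:
    """The anti-pattern: the request parameter is pasted into the SQL text,
    so the caller controls the query shape, not just one value."""
    sql = f"SELECT question_id, question_name FROM questions WHERE question_id = {question_id}"
    return conn.execute(sql).fetchall()


def safe_lookup(conn: sqlite3.Connection, question_id: str) -> List[Tuple[int, str]]:
    """Type-check first, then bind the value. The WordPress equivalent is
    $wpdb->get_results( $wpdb->prepare( "... WHERE question_id = %d", $question_id ) )."""
    if not INT_ONLY.fullmatch(question_id):
        raise ValueError("question_id must be an unsigned integer")
    return conn.execute(
        "SELECT question_id, question_name FROM questions WHERE question_id = ?",
        (int(question_id),),
    ).fetchall()


def question_id_allowed(query_string: str) -> bool:
    """WAF-style allowlist: reject any request whose question_id is not a plain integer.
    Requests that do not carry question_id at all are left alone."""
    params = parse_qs(query_string, keep_blank_values=True)
    return all(INT_ONLY.fullmatch(v) for v in params.get("question_id", []))


# Constructed sample requests (query-string form) with the verdict the rule must give.
SAMPLE_REQUESTS = {
    "question_id=2&quiz_id=10": True,
    "question_id=1 OR 1=1": False,
    "question_id=1%20AND%20SLEEP(5)": False,   # decodes to '1 AND SLEEP(5)'
    "question_id=": False,
    "quiz_id=10": True,
}


def demo() -> Tuple[int, bool]:
    """Return (rows leaked by the vulnerable lookup, whether the safe lookup refused)."""
    conn = make_db()
    injected = "1 OR 1=1"
    leaked = vulnerable_lookup(conn, injected)      # all rows, including quiz 11's
    try:
        safe_lookup(conn, injected)
        refused = False
    except ValueError:
        refused = True
    return len(leaked), refused


if __name__ == "__main__":
    print("vulnerable lookup leaked %d rows; safe lookup refused: %s" % demo())
    for q, expected in SAMPLE_REQUESTS.items():
        print(f"{q!r:40} allowed={question_id_allowed(q)} (expected {expected})")
```

The allowlist check is what to encode in the WAF rule: match the plugin's request path, then require `question_id` to satisfy `^[0-9]+$`. Payload-pattern blocklists would miss an encoded or comment-obfuscated variant of the same injection, whereas the type check rejects every non-integer value regardless of how it is written.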
CVE-2024-3592 is a SQL injection vulnerability in the Quiz And Survey Master WordPress plugin that lets an authenticated user with Contributor-level access or higher read data from the site's database.
You are affected if you run Quiz And Survey Master version 9.0.1 or earlier. Immediate action is required.
Upgrade to Quiz And Survey Master 9.0.2 or later. If you cannot upgrade right away, add a WAF rule that only allows integer values for the 'question_id' parameter, and review which accounts hold the Contributor role.
There are currently no confirmed reports of active exploitation, but the severity of an authenticated SQL injection warrants prompt patching.
Check the Quiz And Survey Master plugin's page in the WordPress plugin directory and the developer's website for the official advisory and update information.