Authorization Bypass Vulnerability in Quiz And Survey Master for WordPress Allows Arbitrary Media File Deletion

Authorization Bypass Vulnerability in Quiz And Survey Master for WordPress Allows Arbitrary Media File Deletion

CVE-2023-0291 · CRITICAL Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

The Quiz And Survey Master for WordPress is vulnerable to authorization bypass due to a missing capability check on the function associated with the qsm_remove_file_fd_question AJAX action in versions up to, and including, 8.0.8. This makes it possible for unauthenticated attackers to delete arbitrary media files.

Learn more about our Wordpress Pen Testing.