Vulnerability Description
An issue was discovered in the Quiz and Survey Master plugin before 7.0.1 for WordPress. It allows users to delete arbitrary files such as the wp-config.php file, which could effectively take a site offline and allow an attacker to reinstall with a WordPress instance under their control. This occurred via qsm_remove_file_fd_question, which allowed unauthenticated deletions (even though it was only intended to let a person delete their own quiz-answer files).
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Expresstech | Quiz And Survey Master | < 7.0.1 |
Related Weaknesses (CWE)
References
- https://wpscan.com/vulnerability/10348 (Exploit, Third Party Advisory)
- https://www.wordfence.com/blog/2020/08/critical-vulnerabilities-patched-in-quiz- (Exploit, Third Party Advisory)
FAQ
What is CVE-2020-35951?
CVE-2020-35951 is a vulnerability with a CVSS score of 9.9 (CRITICAL). An issue was discovered in the Quiz and Survey Master plugin before 7.0.1 for WordPress. It allows users to delete arbitrary files such as wp-config.php file, which could effectively take a site offli...
How severe is CVE-2020-35951?
CVE-2020-35951 has been rated CRITICAL with a CVSS base score of 9.9/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2020-35951?
Check the references section above for vendor advisories and patch information. Affected products include: Expresstech Quiz And Survey Master.