First published: Fri Jan 01 2021
An issue was discovered in the Quiz and Survey Master plugin before 7.0.1 for WordPress. It allows users to delete arbitrary files, such as the wp-config.php file, which could effectively take a site offline and allow an attacker to reinstall with a WordPress instance under their control. This occurred via qsm_remove_file_fd_question, which allowed unauthenticated deletions (even though it was only intended to let a person delete their own quiz-answer files).
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Expresstech Quiz And Survey Master | <7.0.1 |
CVE-2020-35951 is a critical vulnerability found in the Quiz and Survey Master plugin for WordPress, allowing users to delete arbitrary files and take control of a site.
CVE-2020-35951 has a severity rating of 9.9 out of 10, making it a critical vulnerability.
CVE-2020-35951 affects the Quiz and Survey Master plugin before version 7.0.1, allowing attackers to delete important files and take a WordPress site offline.
To fix CVE-2020-35951, it is recommended to update the Quiz and Survey Master plugin to version 7.0.1 or later.
More information about CVE-2020-35951 can be found at the following references: [Wordfence blog](https://www.wordfence.com/blog/2020/08/critical-vulnerabilities-patched-in-quiz-and-survey-master-plugin/) and [WPScan vulnerability report](https://wpscan.com/vulnerability/10348).
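
A hardened pattern for the kind of file-removal AJAX handler described above, as an added example that is not the plugin's code or its 7.0.1 patch. The action name, nonce name, directory and user-meta key are hypothetical, and it assumes files are uploaded by logged-in users.

```php
<?php
// Added example with hypothetical names; not the Quiz and Survey Master code.
// Assumption: answer uploads live in uploads/example-quiz-answers/ and each
// user's file names are recorded in the user meta key 'example_answer_files'.

// Only the authenticated hook is registered; there is no wp_ajax_nopriv_ twin.
add_action( 'wp_ajax_example_remove_answer_file', 'example_remove_answer_file' );

function example_remove_answer_file() {
	// 1. CSRF: the request dies with 403 if the nonce is missing or invalid.
	check_ajax_referer( 'example_remove_answer_file', 'nonce' );

	// 2. Accept a bare file name only; basename() drops any directory part.
	$raw  = isset( $_POST['file_name'] ) ? wp_unslash( $_POST['file_name'] ) : '';
	$name = sanitize_file_name( basename( $raw ) );
	if ( '' === $name ) {
		wp_send_json_error( 'Missing file name.', 400 );
	}

	// 3. Ownership: the caller may delete only files recorded as theirs.
	$user_id = get_current_user_id();
	$owned   = (array) get_user_meta( $user_id, 'example_answer_files', true );
	if ( ! in_array( $name, $owned, true ) ) {
		wp_send_json_error( 'Not your file.', 403 );
	}

	// 4. Containment: resolve symlinks and ".." and require the result to sit
	// inside the dedicated directory, so wp-config.php is out of reach.
	$uploads = wp_upload_dir();
	$base    = realpath( trailingslashit( $uploads['basedir'] ) . 'example-quiz-answers' );
	$target  = $base ? realpath( $base . DIRECTORY_SEPARATOR . $name ) : false;
	if ( ! $base || ! $target || 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR ) ) {
		wp_send_json_error( 'Invalid path.', 400 );
	}

	// 5. Delete the file and drop it from the caller's ownership record.
	wp_delete_file( $target );
	$remaining = array_values( array_diff( $owned, array( $name ) ) );
	update_user_meta( $user_id, 'example_answer_files', $remaining );
	wp_send_json_success();
}
```

Each check fails closed before `wp_delete_file()` is reached, so a request with no session, no nonce, someone else's file name or a path outside the upload directory never touches the filesystem.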