Quiz and Survey Master WordPress Plugin Contains Critical Flaws

Quiz and Survey Master WordPress plugin contains critical flaws

Yet another vulnerable plugin was recently discovered by the Wordfence (Defiance) team. Two security flaws were unveiled in Quiz and Survey Master (QSM) WordPress plugin installed on more than 30,000 sites.

Quiz and Survey Master is easy to use add on for websites. It lets people create various quizzes and surveys for WordPress sites. This website widget is also suitable for the creation of other interactive forms such as polls and questionnaires. One of the features of this website tool allows site owners to implement file uploads as a response type for their quiz or survey. This feature could be useful in a number of scenarios but hackers could benefit from it as well.

Unfortunately, this feature of the Quiz and Survey Master WordPress plugin was identified to contain two security flaws. The flaws, rated as highly critical, could lead to remote code execution attacks where attackers upload arbitrary files or delete files from the targeted site, such as wp-config.php. These actions could lead to taking affected sites offline or taking control over them.

Quiz and Survey Master Plugin Flaws Fixed

Fortunately, after the disclosure of the vulnerabilities, they were fixed:

We initially reached out to the plugin’s team on July 17, 2020 through their support forum and followed up again on July 21, 2020. After another week of no response, we reached out to ExpressTech, the plugin’s parent company, on July 28, 2020 … They responded on August 1, 2020 confirming the correct disclosure inbox, and we sent the full disclosure details over on Monday, August 3, 2020. A patch was released just a few days later on August 5, 2020, the report says.

The two vulnerabilities are found in a plugin’s feature that enables site owners to implement file uploads as a response form of a quiz or a survey. Let’s say that a website has a job-application questionnaire. The feature is an ideal solution for the upload of a PDF resume or a file in another format at the end of the process.

As found by researchers, this feature was insecurely implemented as it was set to verify file type only by checking the ‘Content-Type’ field during an upload. This check appeared to be insufficient for a secure way of implementing this feature. Which means that it could be spoofed easily. For instance, if a quiz with a file upload step is configured to accept .txt files only, hackers can upload an executable PHP file as a text file which will enable them to bypass the plugin’s checks and successfully deliver malicious code to website owners.

Fortunately, the functionality has to be enabled and configured for a quiz in order to be easily exploitable. Therefore, most of the sites that have it installed on the panel are unlikely to be exploited by this particular flaw.

The second flaw is also flagged as critical. It can give attackers the chance to delete any arbitrary file from the site. This vulnerability can be exploited by hackers who can establish high-level permission access. Both these flaws can allow an attacker to take over the control of the entire website and the hosting.

The flaws are described as Arbitrary File Upload. There is still no CVE designated, but the CVSS score is 10.00, which means critical. Thus, users of the Quiz and Survey Master WordPress plugin should update to version 7.0.1 immediately so that their sites’ can be protected against any attacks attempting to exploit these flaws.

For the sake of website security, it is highly recommended that WordPress site admins provide only credible users with access levels greater than subscriber-level. Furthermore, don’t forget to set up strong passwords on these accounts so that attackers can’t use them as a means of intrusion.

Earlier this month, Wordfence researchers discovered several flaws in the Newsletter plugin for WordPress. One of the flaws was recently patched, and the other two, which were more severe. The latter flaws were a reflected cross-site scripting (XSS) bug and a PHP Object Injection issue. Fortunately, after contacting the plugin’s authors, the vulnerabilities were quickly addressed in a new press release.


  1. Melissa

    DO NOT TRUST QSM YOUVE BEEN WARNED. IT SAID 14 day trial and for a refund do I bought it. Had bad news was grieving so I tried it on dat 14. Hated it felt clunky, confusing to use and just not at all suitable for what I needed. They then changed their terms to say 7 days for a refund and now will not refund me. Absolutely disgusting. Please do NOT use QSM go anywhere but there you’ve been warned. They take far too long to reply also. Just awful. Not what I need right now.

    1. HTH_Editors (Post author)

      Hi Melissa,

      Sorry to hear about your experience. Did you finally get an answer?


Leave a Comment

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.