cbcvebase.
CVE-2020-35951
published 2021-01-01

CVE-2020-35951: An issue was discovered in the Quiz and Survey Master plugin before 7.0.1 for WordPress. It allows users to delete arbitrary files such as wp-config.php file…

PriorityP181critical9.9CVSS 3.1
AVNACLPRNUINSCCLILAH
EXPLOIT
EPSS
76.33%
99.5th percentile
An issue was discovered in the Quiz and Survey Master plugin before 7.0.1 for WordPress. It allows users to delete arbitrary files such as wp-config.php file, which could effectively take a site offline and allow an attacker to reinstall with a WordPress instance under their control. This occurred via qsm_remove_file_fd_question, which allowed unauthenticated deletions (even though it was only intended for a person to delete their own quiz-answer files).

Affected

1 ranges
VendorProductVersion rangeFixed in
expresstechquiz_and_survey_master< 7.0.17.0.1

Detection & IOCsextracted from sources · hover to see the quote

pathwp-config.php
otherqsm_remove_file_fd_question
  • Monitor for unauthenticated POST/GET requests invoking the 'qsm_remove_file_fd_question' WordPress AJAX action, which can delete arbitrary files including wp-config.php without authentication.
  • Alert on deletion of wp-config.php via web-accessible requests, which may indicate exploitation of this vulnerability to take the site offline and enable attacker-controlled reinstallation.
  • Use the nuclei-style body matcher regex '([/a-z_]+)wp' against HTTP responses to fingerprint vulnerable Quiz and Survey Master plugin installations.
  • ·The nuclei template digest/signature is present but the source URL is not publicly attributed; treat the fingerprint regex as internal/private and validate before production deployment.
  • ·The vulnerability affects Quiz and Survey Master plugin versions before 7.0.1 for WordPress; detections should be scoped to installations running versions prior to 7.0.1.

CVSS provenance

nvdv3.19.9CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H
nvdv2.06.4MEDIUMAV:N/AC:L/Au:N/C:N/I:P/A:P
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.