CVE-2020-35949

Basic Information

CVE State
PUBLISHED
Reserved Date
January 01, 2021
Published Date
January 01, 2021
Last Updated
August 04, 2024
Vendor
n/a
Product
n/a
Description
An issue was discovered in the Quiz and Survey Master plugin before 7.0.1 for WordPress. It made it possible for unauthenticated attackers to upload arbitrary files and achieve remote code execution. If a quiz question could be answered by uploading a file, only the Content-Type header was checked during the upload, and thus the attacker could use text/plain for a .php file.
Tags
wordpress php

CVSS Scores

CVSS v3.1

10.0 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS v2.0

7.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS Score

Score
13.31% (Percentile: 93.76%) as of 2025-05-12

Exploit Status

Exploited in the Wild
Yes (2020-08-13 12:09:59 UTC)

Known Exploited Vulnerability Information

Source
Wordfence
Added Date
2020-08-13 12:09:59 UTC

Timeline

  • Added to KEVIntel

  • CVE ID Reserved

  • CVE Published to Public