CVE-2020-35949
CRITICAL
Expresstech Quiz And Survey Master < 7.0.1 - Unrestricted File Upload
An issue was discovered in the Quiz and Survey Master plugin before 7.0.1 for WordPress. It made it possible for unauthenticated attackers to upload arbitrary files and achieve remote code execution. If a quiz question could be answered by uploading a file, only the Content-Type header was checked during the upload, and thus the attacker could use text/plain for a .php file.
References (2)
Exploit, Third Party Advisory x_refsource_misc
https://www.wordfence.com/blog/2020/08/critical-vulnerabilities-patched-in-quiz-and-survey-master-plugin/
Exploit, Third Party Advisory x_refsource_misc
https://wpscan.com/vulnerability/10349
Scores
CVSS v3: 10.0
EPSS: 0.1033
EPSS Percentile: 93.2%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Details
CWE: CWE-434
Status: published
Products (1)
expresstech/quiz_and_survey_master: < 7.0.1
Published: Jan 01, 2021
Tracked Since: Feb 18, 2026