Cross-site scripting (XSS) vulnerability in pages/admin/surveys/create.php in the WP Survey And Quiz Tool plugin 1.2.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the action parameter.
Critical vulnerability exists in the WP Survey And Quiz Tool plugin for WordPress, allowing remote attackers to inject malicious scripts via a cross-site scripting (XSS) flaw. Successful exploitation can lead to account compromise, data theft, and website defacement, severely impacting the integrity and availability of the affected WordPress site.
Step 1: Payload Delivery: The attacker crafts a malicious URL containing a specially crafted action parameter. This parameter includes the XSS payload (e.g., <script>alert('XSS')</script>).
Step 2: Request Submission: The attacker tricks a legitimate user (e.g., an administrator) into clicking the malicious URL. This can be achieved through phishing, social engineering, or other means.
Step 3: Server Processing: The WordPress server, with the vulnerable plugin installed, receives the request and processes the create.php file.
Step 4: Vulnerable Code Execution: The plugin's code, lacking proper sanitization, incorporates the attacker-supplied action parameter directly into the HTML response.
Step 5: Browser Execution: The victim's browser receives the HTML response, which now includes the attacker's malicious JavaScript code. The browser executes the JavaScript.
Step 6: Exploitation: The injected JavaScript code executes within the context of the user's browser, allowing the attacker to perform actions such as stealing cookies, redirecting the user to a malicious site, or defacing the website.
The vulnerability stems from insufficient input validation and output encoding within the create.php file of the WP Survey And Quiz Tool plugin. Specifically, the action parameter is directly incorporated into the HTML output without proper sanitization. This allows an attacker to inject arbitrary HTML or JavaScript code, which is then executed in the context of the victim's browser. The root cause is a lack of input validation and output encoding (e.g., HTML escaping) for the action parameter. The plugin fails to properly sanitize user-supplied data before rendering it in the web page, leading to the XSS vulnerability.