CVE-2023-0292

Name of the Vulnerable Software and Affected Versions Quiz And Survey Master plugin for WordPress versions up to, and including, 8.0.8

Description The issue is related to Cross-Site Request Forgery due to missing nonce validation on the function associated with the qsm remove file fd question AJAX action. This allows unauthenticated attackers to delete arbitrary media files via a forged request if they can trick a site administrator into performing a specific action, such as clicking on a link.

Recommendations For versions up to, and including, 8.0.8, update to a version that includes nonce validation for the qsm remove file fd question AJAX action to prevent Cross-Site Request Forgery attacks. As a temporary workaround, consider restricting access to the qsm remove file fd question AJAX action to minimize the risk of exploitation.