PT-2021-11883 · WordPress · Quiz/Survey Master

Chloe Chamberland · Published 2021-01-01 · Updated 2021-07-21

CVE-2020-35951 · CVSS v3.1: 9.9 (Critical)

Vector: AC:L/AV:N/A:H/C:L/I:L/PR:N/S:C/UI:N
Name of the Vulnerable Software and Affected Versions: Quiz and Survey Master plugin versions prior to 7.0.1 for WordPress
Description: The Quiz and Survey Master plugin allows users to delete arbitrary files, such as the wp-config.php file, which can take a site offline and allow an attacker to reinstall WordPress with an instance under their control. The deletion is performed by the `qsm_remove_file_fd_question` function, which was intended only for deleting quiz-answer files but accepted requests from unauthenticated users.
Recommendations: For versions prior to 7.0.1, update to version 7.0.1 or later to resolve the issue. As a temporary workaround, consider disabling the `qsm_remove_file_fd_question` function until the patch can be applied. Restrict access to sensitive files, such as wp-config.php, to minimize the risk of exploitation.
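The weakness class behind this advisory is a file-deletion handler that is reachable without authentication and does not confine the path it deletes. The following illustration is added here and is not the plugin's code or the actual fix shipped in 7.0.1; the hook names `example_remove_file`, the `file_url`/`file` parameters, the `manage_options` capability and the `example-quiz-uploads` directory are all assumptions chosen for the example. It contrasts the weak pattern with a hardened WordPress AJAX handler that requires a logged-in user, a nonce, a capability, and a path inside the plugin's own upload directory.

```php
<?php
// Added illustration, not the plugin's code. Names and paths are assumptions.

// --- Weak pattern: registered on the nopriv hook, no nonce or capability
// check, and the supplied path is used as-is. Any visitor can remove any file
// the web server user may write to, including wp-config.php.
add_action( 'wp_ajax_nopriv_example_remove_file', 'example_remove_file_weak' );
add_action( 'wp_ajax_example_remove_file', 'example_remove_file_weak' );

function example_remove_file_weak() {
    $file = isset( $_POST['file_url'] ) ? $_POST['file_url'] : '';
    $path = ABSPATH . ltrim( str_replace( site_url(), '', $file ), '/' );
    if ( file_exists( $path ) ) {
        unlink( $path );
    }
    wp_send_json_success();
}

// --- Hardened pattern: authenticated users only (no nopriv hook), nonce
// verification, capability check, and the target confined to one directory.
add_action( 'wp_ajax_example_remove_file_safe', 'example_remove_file_hardened' );

function example_remove_file_hardened() {
    // Reject requests that do not carry a valid nonce for this action.
    check_ajax_referer( 'example_remove_file', 'nonce' );

    // Only users allowed to manage quiz data may delete its files.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Accept a bare file name only; sanitize_file_name() strips path separators.
    $name = isset( $_POST['file'] ) ? sanitize_file_name( wp_unslash( $_POST['file'] ) ) : '';
    if ( '' === $name ) {
        wp_send_json_error( 'missing file name', 400 );
    }

    // Confine deletions to the plugin's own upload directory (assumed name).
    $upload   = wp_upload_dir();
    $base_dir = trailingslashit( $upload['basedir'] ) . 'example-quiz-uploads/';
    $base     = realpath( $base_dir );
    $target   = realpath( $base_dir . $name );

    // realpath() resolves symlinks and "..", so a prefix check on the resolved
    // path is what keeps the deletion inside $base_dir.
    if ( false === $base || false === $target
        || 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'invalid file', 400 );
    }

    wp_delete_file( $target );
    wp_send_json_success();
}
```

The nonce alone is not sufficient: it proves the request came from a page the site generated, not that the user is permitted to delete the file, which is why the capability check is separate. A further check a plugin would add is that the named file actually belongs to a quiz answer the current user is allowed to edit, so an authenticated low-privilege user cannot delete another submitter's upload.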

Exploit

Fix

Missing Authentication


Weakness Enumeration

Related Identifiers

CVE-2020-35951

Affected Products

Quiz/Survey Master