| Plugin Name | Quiz And Survey Master |
|---|---|
| Type of Vulnerability | CSRF |
| CVE Number | CVE-2025-6790 |
| Urgency | Low |
| CVE Publish Date | 2025-08-14 |
| Source URL | CVE-2025-6790 |

Urgent: QSM (Quiz And Survey Master) < 10.2.3 — Template Creation via CSRF (CVE-2025-6790)
Author: Hong Kong Security Expert
Date: 2025-08-15
Summary
- A Cross-Site Request Forgery (CSRF) vulnerability affecting Quiz And Survey Master (QSM) versions earlier than 10.2.3 has been assigned CVE-2025-6790.
- The issue permits an attacker to trigger template creation in the plugin. Depending on how templates are rendered, this can enable stored content injection, privilege misuse, or other follow-on risks.
- The vendor released a fix in version 10.2.3. Administrators should prioritise updating as the primary remediation.
- This advisory explains the vulnerability, realistic attack scenarios, detection guidance, and a practical incident-response checklist appropriate for Hong Kong enterprises and regional site operators.
Why this matters
Quiz and survey plugins can create content fragments or templates that are later rendered on public pages or in the admin UI. If an endpoint that creates templates lacks proper request validation (nonce checks, SameSite protections, or capability checks), an attacker can trick a privileged user into submitting a request that creates malicious templates.
Consequences include:
- Malicious JavaScript or HTML embedded in templates that executes for site visitors.
- Persistence/backdoors through shortcodes or template-driven features.
- SEO poisoning, redirects, or other reputational damage.
Although the CVSS severity is classed as low in some reports, the operational impact for high-traffic sites or sites that render templates inline can be significant. Organisations should treat this as a priority for patching and incident readiness.
What the vulnerability is (high level)
- Type: Cross-Site Request Forgery (CSRF)
- Affected component: Template creation functionality in QSM versions < 10.2.3
- Identifier: CVE-2025-6790
- Impact: An attacker can cause the creation of templates by influencing authenticated users to submit requests without valid anti-CSRF tokens.
- Severity: Low (operational risk varies with template use and site configuration)
What is CSRF — and why template creation is special
CSRF occurs when a victim’s browser, authenticated to a site, is induced to send a request that performs state-changing actions. Because templates can be included across many pages, a malicious template may affect numerous visitors or administrators.
- Templates can carry scripts, iframes, or shortcodes that execute on render.
- Persistent content creation provides an attacker with a durable foothold for follow-on activity.
Realistic attack scenarios
The following scenarios demonstrate plausible abuse vectors (for defensive awareness only):
- Malicious template with JavaScript: An admin visits a crafted page; their browser triggers a POST that creates a template containing JS. When rendered, visitors execute the script.
- Backdoor via shortcode: A template contains a shortcode that, in combination with another insecure plugin, results in server-side code execution or a persistent backdoor.
- SEO poisoning / spam: Hidden links or redirects are introduced into templates, damaging search rankings and trust.
- Privilege abuse: Templates that render in the admin interface could trigger actions affecting administrative workflows.
- Multi-stage escalation: CSRF creates the initial template; another vulnerability later converts this into greater control.
Exploitation complexity and prerequisites
- User interaction: Required — typically an authenticated admin/editor must visit a crafted page.
- Privileges: Impact depends on which role the endpoint accepts; admin sessions are the most valuable.
- Network: No special network access beyond the victim’s ability to reach the attacker-hosted page.
- Detection avoidance: Attackers may create innocuous templates to delay discovery.
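
A forged request of the kind described above starts on another site, so it usually arrives with a cross-site or missing Referer, which access logs record. The following added example (not part of the original advisory or the plugin) flags such admin POSTs in Combined Log Format lines; `SITE_HOST`, the `/wp-admin/` prefix and the sample lines are assumptions, since the advisory does not name the endpoint.

```python
import re
from urllib.parse import urlsplit

SITE_HOST = "www.example.org"   # assumption: the site's own hostname
ADMIN_PREFIX = "/wp-admin/"     # assumption: where state-changing admin requests land

# Combined Log Format: ip - user [time] "METHOD path proto" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def classify_referer(referer):
    """Return 'same-site', 'missing' or 'cross-site' for a Referer value."""
    if referer in ("", "-"):
        return "missing"
    host = (urlsplit(referer).hostname or "").lower()
    return "same-site" if host == SITE_HOST else "cross-site"

def suspicious_admin_posts(lines):
    """Yield admin POST entries that were not referred from the site itself."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparsable line: skip rather than guess
        if m["method"] != "POST" or not m["path"].startswith(ADMIN_PREFIX):
            continue
        verdict = classify_referer(m["referer"])
        if verdict != "same-site":
            yield {"time": m["time"], "ip": m["ip"], "path": m["path"],
                   "referer": m["referer"], "verdict": verdict}

# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Aug/2025:09:12:01 +0800] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 58 "https://www.example.org/wp-admin/" "Mozilla/5.0"',
    '203.0.113.7 - - [14/Aug/2025:09:15:44 +0800] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 61 "https://lure.example.net/promo.html" "Mozilla/5.0"',
    '203.0.113.7 - - [14/Aug/2025:09:16:02 +0800] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [14/Aug/2025:09:17:30 +0800] "GET /wp-admin/ HTTP/1.1" 200 5120 "https://lure.example.net/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in suspicious_admin_posts(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["path"], hit["verdict"], hit["referer"])
```

Referer can be stripped by browsers or proxies, so treat hits as leads to correlate with template creation times, not as proof.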
Immediate actions every site owner should take (triage checklist)
Follow these steps promptly. The update to 10.2.3 is the single most important action.
- Update the plugin: Apply QSM 10.2.3 (or later) to all environments after validation in staging.
- If you cannot update within 24 hours, mitigate:
  - Use a WAF or hosting control rules to block POST requests to plugin-specific template creation endpoints.
  - Restrict admin access by IP or require VPN for administrative sessions during the maintenance window.
  - Disable or restrict any feature that renders plugin-created templates if configurable.
- Audit templates and plugin content: Inspect templates created in the last 7–30 days for scripts, iframes, or unfamiliar shortcodes. Quarantine or remove suspicious items and export copies for analysis.
- Check logs: Review webserver, WordPress activity, and hosting logs for POSTs to QSM endpoints, unusual admin sessions, or abnormal user agents. Record timestamps and source IPs.
- Reset sensitive credentials: Rotate admin passwords and any API keys associated with the site. Rotate external service credentials if compromise is suspected.
- Scan for malware: Run file integrity and malware scans, focusing on recently modified plugin/theme files.
- Notify stakeholders: Prepare an internal disclosure and remediation plan for clients or affected users if necessary.
- Backup: Take a clean snapshot (files + DB) before making changes to preserve forensic evidence.
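
One way to carry out the template audit step, as an added example rather than code from the advisory or the plugin: it scans exported template records from the chosen window for scripts, iframes, inline event handlers and shortcodes outside an allowlist. The record fields (`id`, `created`, `content`), the allowlist and the sample data are assumptions; adapt them to however you export the templates.

```python
import re
from datetime import datetime, timedelta

# Assumption: shortcodes the site is known to use; anything else is "unfamiliar".
KNOWN_SHORTCODES = {"gallery", "caption", "embed"}

CHECKS = {
    "script tag": re.compile(r"<\s*script\b", re.I),
    "iframe": re.compile(r"<\s*iframe\b", re.I),
    "inline event handler": re.compile(r"<[^>]*\son\w+\s*=", re.I),
    "javascript: URL": re.compile(r"javascript\s*:", re.I),
}
SHORTCODE_RE = re.compile(r"\[([A-Za-z][\w-]*)(?=[\s\]/])")

def findings_for(content):
    """Return a sorted list of reasons this template content needs review."""
    reasons = [name for name, rx in CHECKS.items() if rx.search(content)]
    for tag in set(SHORTCODE_RE.findall(content)):
        if tag.lower() not in KNOWN_SHORTCODES:
            reasons.append(f"unfamiliar shortcode [{tag}]")
    return sorted(reasons)

def audit_templates(templates, now, days=30):
    """Map template id -> findings for templates created in the last `days`."""
    cutoff = now - timedelta(days=days)
    report = {}
    for t in templates:
        if datetime.fromisoformat(t["created"]) < cutoff:
            continue  # outside the audit window
        reasons = findings_for(t["content"])
        if reasons:
            report[t["id"]] = reasons
    return report

# Constructed sample export (hypothetical field names, not the plugin's schema).
SAMPLE = [
    {"id": 1, "created": "2025-03-02T10:00:00", "content": "<script>old()</script>"},
    {"id": 2, "created": "2025-08-10T08:30:00", "content": "<p>Thanks for taking the quiz!</p>"},
    {"id": 3, "created": "2025-08-12T23:41:00", "content": '<img src="x.png" onerror="load()"> [remote_include url="x"]'},
    {"id": 4, "created": "2025-08-13T02:05:00", "content": '<IFRAME src="//cdn.example.net/w"></iframe>[gallery]'},
]

if __name__ == "__main__":
    for tid, reasons in audit_templates(SAMPLE, now=datetime(2025, 8, 15)).items():
        print(tid, "; ".join(reasons))
```

Pattern matches are triage signals: export flagged templates for review before removing them, and widen `days` if the first pass comes back clean but other indicators remain.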
How to detect potential exploitation
Look for both direct and indirect indicators: